Vault Dynamic Secret Management and Atlas User Limits

MongoDB Atlas advertises quite a bit about how it can be integrated with HashiCorp Vault:

These methods detail utilizing Vault’s dynamic secrets engine. However, there appears to be a database user limit of 100. When using Vault dynamic secrets, this quickly becomes problematic. I have a k8s application that is running about 50 pods. We have Vault Agent sidecars interfacing with Vault to check out dynamic user creds for Mongo Atlas. As such, each pod gets its own credential (as it should).

Now, when it comes time to deploy a change, 50 new pods are spun up and the others torn down. That’s another 50 users created + the 50 from before which continue to exist until they expire. We’ve already hit the limit. What if I need to do a rollback or another deploy before the old creds expire? This does not seem workable.

Is there any official approach to get around this? In a busy environment that is at scale I could easily see hundreds if not thousands of users being present.

Thanks!

Hi Andy, 100 DB users per Atlas project is a soft limit: if you have a need to go higher, please file a support case. We will make this configurable via API call in future.

-Andrew

Hi Andrew,

Thanks for the reply. I’ve since been informed that we possibly have a dozen or so microservices utilizing the same project. At scale, I could see this possibly yielding thousands of dynamic secrets in play. I guess my company previously opened a support ticket to increase user count from 100 to 200. Is thousands feasible? Is there any real limit we’re dealing with or what is the rationale behind the cap in the first place?

Thanks!