
Rotate a Key File with the API

You can programmatically rotate a key file by updating a project's automation configuration.

To rotate a key file using the Ops Manager API:

  1. Retrieve the current configuration.

  2. Add the new key file that you want to use with the auth.newKey setting.

  3. Replace the entire configuration using PUT. You must use PUT. Do not use PATCH.

When all MongoDB Agents use the new key, Ops Manager replaces the value of auth.key with the new key that you provided in auth.newKey and removes auth.newKey from the automation configuration.

  • You must have access to the API. To learn more, see Configure API Access.

  • Your API key must have the Project Automation Admin or Project Owner role.

  • Authentication must be enabled.

  • At least one cluster in the project must be configured with the clusterAuthMode option set to keyFile or sendKeyFile.

  • All clusters in the project must be running MongoDB version 6.0 or higher.

The API resources use one or more of these variables. Replace these variables with your desired values before calling these API resources.

Name                       Type      Description
PUBLIC-KEY                 string    Your public API Key for your API credentials.
PRIVATE-KEY                string    Your private API Key for your API credentials.
<OpsManagerHost>:<Port>    string    URL of your Ops Manager instance.
GROUP-ID                   string    Unique identifier of your project from your project settings.
CLUSTER-ID                 string    Unique identifier of your cluster.

1
  1. Use the automationConfig resource to retrieve the configuration. Issue the following command, replacing the placeholders with the Variables for Automation Config API Resources.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
    --request GET "https://<OpsManagerHost>:<Port>/api/public/v1.0/groups/{PROJECT-ID}/automationConfig?pretty=true" \
    --output currentAutomationConfig.json

  2. Validate the downloaded Automation Configuration file.

    Verify that the contents of the currentAutomationConfig.json and mms-cluster-config-backup.json files are up-to-date.

    You can find the mms-cluster-config-backup.json file on any host running the MongoDB Agent at:

    • Linux and macOS: /var/lib/mongodb-mms-automation/mms-cluster-config-backup.json

    • Windows: %SystemDrive%\MMSAutomation\versions\mms-cluster-config-backup.json

2
  1. Open currentAutomationConfig.json in your preferred text editor.

  2. Add the auth.newKey field. Set this field's value to the new key file that you want Ops Manager to use.

    Note

    The sample configuration below is truncated for readability.

    {
      "auth": {
        "disabled": "false",
        "key": "<your-old-key>",
        "newKey": "<your-new-key>"
      }
    }

If you're updating the MongoDB Agent, see Update Agent Versions before continuing with this procedure.

3

Use the automationConfig resource to send the updated automation configuration.

Issue the following command with the path to the updated configuration document, replacing the placeholders with the Variables for Automation Config API Resources.

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
--header "Content-Type: application/json" \
--request PUT "https://<OpsManagerHost>:<Port>/api/public/v1.0/groups/{PROJECT-ID}/automationConfig?pretty=true" \
--data @currentAutomationConfig.json

Upon successful update of the configuration, the API returns the HTTP 200 OK status code to indicate the request has succeeded.

4

Retrieve the automation configuration from Ops Manager and confirm it contains the changes. To retrieve the configuration, issue the following command, replacing the placeholders with the Variables for Automation Config API Resources.

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
--request GET "https://<OpsManagerHost>:<Port>/api/public/v1.0/groups/{PROJECT-ID}/automationConfig?pretty=true"

5

Use the automationStatus resource to retrieve the deployment status. Issue the following command, replacing the placeholders with the Variables for Automation Config API Resources.

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
--request GET "https://<OpsManagerHost>:<Port>/api/public/v1.0/groups/{PROJECT-ID}/automationStatus?pretty=true"

Confirm that the values of all the lastGoalVersionAchieved fields in the processes array match the goalVersion field. To learn about deployment status, see Get Automation Status of Latest Plan.
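
Steps 2 and 5 can be scripted instead of done by hand. The following is an added example, not code from Ops Manager or its documentation: it stages auth.newKey in a downloaded configuration with pre-flight checks and lists processes that have not reached goalVersion. The function names, the sample documents, the process "name" field and the key-format check (MongoDB's key file rule of 6 to 1024 base64 characters) are assumptions of the example.

```python
import json
import re

# MongoDB key file rule: 6-1024 characters from the base64 set.
KEY_RE = re.compile(r"[A-Za-z0-9+/=]{6,1024}")


def stage_new_key(config, new_key):
    """Step 2: return a copy of the full config with auth.newKey added."""
    auth = config.get("auth") or {}
    if not auth.get("key") or str(auth.get("disabled")).lower() == "true":
        raise ValueError("authentication with a key file must be enabled")
    if "newKey" in auth:
        raise ValueError("auth.newKey is already set; an earlier rotation is pending")
    if new_key == auth["key"]:
        raise ValueError("new key is identical to auth.key")
    if not KEY_RE.fullmatch(new_key):
        raise ValueError("key must be 6-1024 base64 characters")
    staged = json.loads(json.dumps(config))  # deep copy: the PUT sends everything
    staged["auth"]["newKey"] = new_key
    return staged


def lagging_processes(status):
    """Step 5: processes whose lastGoalVersionAchieved is not goalVersion."""
    goal = status["goalVersion"]
    # "name" is assumed to identify each entry in the processes array.
    return [p.get("name", "?") for p in status["processes"]
            if p["lastGoalVersionAchieved"] != goal]


# Constructed sample documents, truncated like the page's sample; not real output.
SAMPLE_CONFIG = {"auth": {"disabled": False, "key": "b2xkLWtleS1leGFtcGxl"},
                 "processes": []}
SAMPLE_STATUS = {"goalVersion": 8, "processes": [
    {"name": "rs0_1", "lastGoalVersionAchieved": 8},
    {"name": "rs0_2", "lastGoalVersionAchieved": 7}]}

if __name__ == "__main__":
    staged = stage_new_key(SAMPLE_CONFIG, "bmV3LWtleS1leGFtcGxl")
    print(json.dumps(staged["auth"], indent=2))
    print("not yet at goalVersion:", lagging_processes(SAMPLE_STATUS))
```

Because currentAutomationConfig.json holds both auth.key and auth.newKey in plaintext, keep it readable only by the operator and delete it once the rotation has completed.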
