Error 500 when reading dynamic secrets database mongodb

Was trying out the mongodb database secrets tutorial on the official hashicorp website.

"Error reading mongodb/creds/tester: Error making API request.

URL: GET http://127.0.0.1:8200/v1/mongodb/creds/tester
Code: 500. Errors:

  • 1 error occurred:
    * invalid character ‘d’ looking for beginning of object key string "

Here are the commands I ran before I got the error:

  1. docker run -p 0.0.0.0:27017:27017 -p 0.0.0.0:28017:28017 --name mongodb -e MONGO_INITDB_ROOT_USERNAME=“mdbadmin” -e MONGO_INITDB_ROOT_PASSWORD=“hQ97T9JJKZoqnFn2NXE” mongo

  2. vault server -dev -dev-root-token-id=root

  3. $env:VAULT_ADDR=“http://127.0.0.1:8200

  4. vault secrets enable -path=mongodb database

  5. vault write mongodb/config/mongo-test plugin_name=mongodb-database-plugin allowed_roles=“tester” connection_url=“mongodb://{{username}}:{{password}}@localhost:27017/admin?tls=false” username=“mdbadmin” password=“hQ97T9JJKZoqnFn2NXE”

  6. vault write mongodb/roles/tester db_name=mongo-test creation_statements=‘{ “db”: “admin”, “roles”: [{ “role”: “readWrite” }, {“role”: “read”, “db”: “foo”}]}’ default_ttl=“1h” max_ttl=“24h”

  7. Got the error while running this

  • vault read mongodb/creds/tester

Hope to get some help with this! Thanks in advance!

Hello @chanzs ,

Are you following the tutorial for HCP Vault or self-hosted? I would have assumed HCP since this is in the HCP Vault category but I see in your example commands it looks like you're starting Vault in dev mode.

I see you posted this several hours before me, so decided to test the self-hosted workflow and it's working for me as written in the tutorial.

vault write mongodb/roles/tester \
    db_name=mongo-test \
    creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
    default_ttl="1h" \
    max_ttl="24h"

Success! Data written to: mongodb/roles/tester

vault list mongodb/roles
Keys
----
tester

vault read mongodb/creds/tester
Key                Value
---                -----
lease_id           mongodb/creds/tester/NoTCW49rLYF7WWm5uXTg7mT0
lease_duration     1h
lease_renewable    true
password           zDFsiHJ8XpVhB2-d3OL-
username           v-token-tester-yVf6iX8Zlpzgk8pVIXOF-1704982996

Based on the error invalid character ‘d’, I wonder if there was some extra character copied/in your terminal when you copied the command.

What do you get if you read back the role details:

vault read mongodb/roles/tester
Key                      Value
---                      -----
creation_statements      [{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }]
credential_type          password
db_name                  mongo-test
default_ttl              1h
max_ttl                  24h
renew_statements         []
revocation_statements    []
rollback_statements      []

And the Vault DB config:

vault read mongodb/config/mongo-test
Key                                   Value
---                                   -----
allowed_roles                         [tester]
connection_details                    map[connection_url:mongodb://{{username}}:{{password}}@127.0.0.1:27017/admin?tls=false username:mdbadmin]
password_policy                       n/a
plugin_name                           mongodb-database-plugin
plugin_version                        n/a
root_credentials_rotate_statements    []

I also see you are on Windows, I will attempt to test on Windows later today.

Hello @jonathanfrappier ! Thank you for the reply.
Yes, I ran the tutorial on self-hosted.

These are what I got from running the commands:

vault list mongodb/roles
Keys
----
tester

vault read mongodb/config/mongo-test
Key                                   Value
---                                   -----
allowed_roles                         [tester]
connection_details                    map[connection_url:mongodb://{{username}}:{{password}}@localhost:27017/admin?tls=false username:mdbadmin]
password_policy                       n/a
plugin_name                           mongodb-database-plugin
plugin_version                        n/a
root_credentials_rotate_statements    []

vault read mongodb/roles/tester
Key                      Value
---                      -----
creation_statements      [{db: admin, roles: [{ role: readWrite }, {role: read, db: foo}]}]
credential_type          password
db_name                  mongo-test
default_ttl              1h
max_ttl                  24h
renew_statements         []
revocation_statements    []
rollback_statements      []

Even with those above, I still got the error when running read mongodb/creds/tester

Error reading mongodb/creds/tester: Error making API request.

URL: GET http://127.0.0.1:8200/v1/mongodb/creds/tester
Code: 500. Errors:

* 1 error occurred:
        * invalid character 'd' looking for beginning of object key string

Thanks for confirming, will try to get to testing this today on a Windows machine.

Good news and bad news.

Good news, as written (accounting for updating commands for Windows) it's working for me. Bad news, that doesn’t help me help you.

How is Docker configured for you? Is it using Hyper-V or WSL2? I took a pretty vanilla Windows laptop with WSL2 using Ubuntu and just did a choco install docker-desktop, started Docker and it's working (caveat this is my test laptop so possible I did things in the past I am forgetting).

The commands I used seem to match yours. I took these, copied them from the developer.hashicorp.com portal into Notepad on Windows, cleaned up the line breaks and added " " where needed.

Start MongoDB container:

docker run -d -p 0.0.0.0:27017:27017 -p 0.0.0.0:28017:28017 --name=mongodb -e MONGO_INITDB_ROOT_USERNAME="mdbadmin" -e MONGO_INITDB_ROOT_PASSWORD="hQ97T9JJKZoqnFn2NXE" mongo

Configure database secrets engine:

vault write mongodb/config/mongo-test plugin_name=mongodb-database-plugin allowed_roles="tester" connection_url="mongodb://{{username}}:{{password}}@localhost:27017/admin?tls=false" username="mdbadmin" password="hQ97T9JJKZoqnFn2NXE"

Create Vault role:

vault write mongodb/roles/tester db_name=mongo-test creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' default_ttl="1h" max_ttl="24h"

Get MongoDB creds from Vault role:

PS C:\Windows\System32> vault read mongodb/creds/tester
Key                Value
---                -----
lease_id           mongodb/creds/tester/u1gwkx9DwDQv1gDJURcT7Tdj
lease_duration     1h
lease_renewable    true
password           8TUDU5xJzCiDXADny-1r
username           v-token-tester-f2oKiexLmkduKbWsxe6x-1705085157

One other thing I did, I installed MongoDB Compass GUI (https://www.mongodb.com/try/download/shell) and verified I could log in with the username and password used when starting the Docker container. At that point, I was confident MongoDB started properly and knew it was accepting connections.

The error you’re encountering when trying to read MongoDB dynamic secrets from Vault is likely due to a syntax or configuration issue. The error message suggests there’s a problem with the JSON format or the way the MongoDB plugin is configured in Vault.

To troubleshoot, consider the following steps:

  1. Check JSON Syntax: Ensure the JSON syntax in your creation_statements is correct and properly escaped. JSON syntax issues can lead to parsing errors.
  2. Verify Connection URL: Double-check the connection_url format and credentials. Ensure the MongoDB instance is accessible from Vault and that the credentials (username and password) are correct.
  3. Inspect Vault Server Logs: The Vault server logs might provide more context about the error. Look for any additional error messages or warnings that could indicate the source of the issue.
  4. Review MongoDB Plugin Configuration: Ensure the MongoDB plugin is correctly configured and that the plugin_name, allowed_roles, and connection_url parameters are set correctly.
  5. Use Correct Quotes: Ensure you’re using standard quotes (") in your commands rather than typographic quotes (“ and ”), which can cause issues in command-line environments.
  6. MongoDB Permissions: Verify that the MongoDB user (mdbadmin) has the necessary permissions to grant roles and create users in the database.

If you’ve verified these aspects and the issue persists, providing more details about your Vault and MongoDB setup might help diagnose the problem further.
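
Added example, not part of any post in this thread and not Vault's own code: a Go check that decodes the two creation_statements values shown by `vault read mongodb/roles/tester` above, one from the working setup and one from the failing setup. The failing value has lost its inner double quotes, and Go's encoding/json rejects it with the same message as the 500 response. The type and function names are hypothetical, and the "at least one role" rule is this example's own check.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical types for this example, shaped after the tutorial's creation_statements.
type mongoRole struct {
	Role string `json:"role"`
	DB   string `json:"db,omitempty"`
}

type creationStatement struct {
	DB    string      `json:"db"`
	Roles []mongoRole `json:"roles"`
}

// Statements copied from the two `vault read mongodb/roles/tester` outputs in the
// thread, without the outer [ ] of the printed list.
const (
	storedWorking = `{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }`
	storedFailing = `{db: admin, roles: [{ role: readWrite }, {role: read, db: foo}]}`
)

// checkCreationStatement decodes one stored statement and rejects anything that is
// not valid JSON or that names no roles (the second rule is this example's own).
func checkCreationStatement(raw string) (creationStatement, error) {
	var cs creationStatement
	if err := json.Unmarshal([]byte(raw), &cs); err != nil {
		return cs, fmt.Errorf("creation_statements is not valid JSON: %w", err)
	}
	if len(cs.Roles) == 0 {
		return cs, errors.New("creation_statements names no roles")
	}
	return cs, nil
}

func main() {
	for _, raw := range []string{storedWorking, storedFailing} {
		if cs, err := checkCreationStatement(raw); err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Printf("OK:   db=%s roles=%d\n", cs.DB, len(cs.Roles))
		}
	}
}
```

Reading the role back and checking that the quotes survived, as the first reply asks, is the quickest way to tell a mangled statement from a connection or permission problem.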