»MongoDB Atlas Database Plugin HTTP API

The MongoDB Atlas plugin is one of the supported plugins for the Database Secrets Engine. This plugin generates MongoDB Atlas Database User credentials dynamically based on configured roles.

»Configure Connection

In addition to the parameters defined by the Database Backend, this plugin has a number of parameters to further configure a connection.



  • public_key (string: <required>) – The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.
  • private_key (string: <required>) - The Private Programmatic API Key used to connect with MongoDB Atlas API.
  • project_id (string: <required>) - The Project ID the Database User should be created within.

»Sample Payload

  "plugin_name": "mongodbatlas-database-plugin",
  "allowed_roles": "readonly",
  "public_key": "aPublicKey",
  "private_key": "aPrivateKey",
  "project_id": "aProjectID"
{  "plugin_name": "mongodbatlas-database-plugin",  "allowed_roles": "readonly",  "public_key": "aPublicKey",  "private_key": "aPrivateKey",  "project_id": "aProjectID"}

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
$ curl \    --header "X-Vault-Token: ..." \    --request POST \    --data @payload.json \


Statements are configured during Vault role creation and are used by the plugin to determine what is sent to MongoDB Atlas upon user creation, renewal, and revocation. For more information on configuring roles see the Role API in the Database Secrets Engine docs.


The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type.

  • creation_statements (string: <required>) – Specifies the database statements executed to create and configure a user. Must be a serialized JSON object, or a base64-encoded serialized JSON object. The object can optionally contain a database_name, the name of the authentication database to log into MongoDB. In Atlas deployments of MongoDB, the authentication database is always the admin database. The object must also contain a roles array, and from Vault version 1.6.0 (plugin version 0.2.0) may optionally contain a scopes array. The roles array contains objects that hold a series of roles roleName, an optional databaseName and collectionName value. The scopes array determines which clusters and data lakes the user has access to, and defaults to all scopes if omitted. For more information regarding the roles and scopes fields, refer to MongoDB Atlas documentation.
  • default_ttl (string/int): 0 - Specifies the TTL for the leases associated with this role. Accepts time suffixed strings (1h) or an integer number of seconds. Defaults to system/engine default TTL time.
  • max_ttl (string/int): 0 - Specifies the maximum TTL for the leases associated with this role. Accepts time suffixed strings (1h) or an integer number of seconds. Defaults to system/mount default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also The TTL General Case.

»Sample Creation Statement

  "database_name": "admin",
  "roles": [
      "databaseName": "admin",
      "roleName": "atlasAdmin"
      "collectionName": "acollection",
      "roleName": "read"
  "scopes": [
      "name": "a-cluster",
      "type": "CLUSTER"
{  "database_name": "admin",  "roles": [    {      "databaseName": "admin",      "roleName": "atlasAdmin"    },    {      "collectionName": "acollection",      "roleName": "read"    }  ],  "scopes": [    {      "name": "a-cluster",      "type": "CLUSTER"    }  ]}