The Infisical Mongo Atlas dynamic secret allows you to generate Mongo Atlas Database credentials on demand based on configured role.

Prerequisite

Create a project scoped API Key with the required permission in your Mongo Atlas following the official doc.
The API Key must have permission to manage users in the project.

Set up Dynamic Secrets with Mongo Atlas

1

Open Secret Overview Dashboard

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
2

Click on the 'Add Dynamic Secret' button

Add Dynamic Secret Button
3

Select Mongo Atlas

Dynamic Secret Modal
4

Provide the inputs for dynamic secret parameters

Secret Name
string
required
Name by which you want the secret to be referenced
Default TTL
string
required
Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
Max TTL
string
required
Maximum time-to-live for a generated secret
Admin public key
string
required
The public key of your generated Atlas API Key. This acts as a username.
Admin private key
string
required
The private key of your generated Atlas API Key. This acts as a password.
Group ID
number
required
Unique 24-hexadecimal digit string that identifies your project. This is same as project id
Roles
string
required
List that provides the pairings of one role with one applicable database.
  • Database Name: Database to which the user is granted access privileges.
  • Collection: Collection on which this role applies.
  • Role Name: Human-readable label that identifies a group of privileges assigned to a database user. This value can either be a built-in role or a custom role.
    • Enum: atlasAdmin backup clusterMonitor dbAdmin dbAdminAnyDatabase enableSharding read readAnyDatabase readWrite readWriteAnyDatabase <a custom role name>.
Dynamic Secret Setup Modal
5

(Optional) Modify Access Scope

Modify Scope Modal
Username Template
string
default:"{{randomUsername}}"
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.Allowed template variables are
  • {{randomUsername}}: Random username string
  • {{unixTimestamp}}: Current Unix timestamp
  • {{identity.name}}: Name of the identity that is generating the secret
  • {{random N}}: Random string of N characters
Allowed template functions are
  • truncate: Truncates a string to a specified length
  • replace: Replaces a substring with another value
Examples:
{{randomUsername}}                              // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
{{unixTimestamp}}                               // 17490641580
{{identity.name}}                               // testuser
{{random-5}}                                    // x9k2m
{{truncate identity.name 4}}                    // test
{{replace identity.name 'user' 'replace'}}      // testreplace
Customize Scope
string
List that contains clusters, MongoDB Atlas Data Lakes, and MongoDB Atlas Streams Instances that this database user can access. If omitted, MongoDB Cloud grants the database user access to all the clusters, MongoDB Atlas Data Lakes, and MongoDB Atlas Streams Instances in the project.
  • Label: Human-readable label that identifies the cluster or MongoDB Atlas Data Lake that this database user can access.
  • Type: Category of resource that this database user can access.
6

Click 'Submit'

After submitting the form, you will see a dynamic secret created in the dashboard.
If this step fails, you may have to add the CA certificate.
Dynamic Secret
7

Generate dynamic secrets

Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.Dynamic Secret Dynamic SecretWhen generating these secrets, it’s important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.Provision Lease
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret.
Once you click the Submit button, a new secret lease will be generated and the credentials for it will be shown to you.Provision Lease

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the expiration time of the lease or delete a lease before it’s set time to live. Provision Lease

Renew Leases

To extend the life of the generated dynamic secret leases past its initial time to live, simply click on the Renew button as illustrated below. Provision Lease
Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret