Rotate Automation Password with the API
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
You can programmatically rotate the automation user's password by updating a project's automation configuration.
This page describes the following process to rotate the automation user's password using the Cloud Manager API:
- Set auth.newAutoPwd and leave auth.autoPwd with its current password.
- Wait for the goal state.
- auth.newAutoPwd copies over the auth.autoPwd password automatically.
You can set this option only when you include SCRAM-SHA-1 or SCRAM-SHA-256 as one of the authentication mechanisms for the Automation in auth.autoAuthMechanisms.
Prerequisites
You must have access to the API. To learn more, see Configure API Access.
Your API key must have the Project Automation Admin or Project Owner role.
Authentication must be enabled.
Variables for Automation Config API Resources
The API resources use one or more of these variables. Replace these variables with your desired values before calling these API resources.
Name | Type | Description |
---|---|---|
PUBLIC-KEY | string | Your public API Key for your API credentials. |
PRIVATE-KEY | string | Your private API Key for your API credentials. |
cloud.mongodb.com | string | URL of your Cloud Manager instance. |
GROUP-ID | string | Unique identifier of your project from your project settings. |
CLUSTER-ID | string | Unique identifier of your cluster. |
Procedure
Retrieve and validate the automation configuration from Cloud Manager.
Use the automationConfig resource to retrieve the configuration. Issue the following command, replacing the placeholders with the Variables for Automation Config API Resources.
curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --request GET "https://cloud.mongodb.com/api/public/v1.0/groups/{PROJECT-ID}/automationConfig?pretty=true" \
     --output currentAutomationConfig.json
Validate the downloaded Automation Configuration file.
Compare the version field of the currentAutomationConfig.json with that of the Automation Configuration backup file, mms-cluster-config-backup.json. The version value is the last element in both JSON documents. You can find this file on any host running the MongoDB Agent at:
Linux and macOS: /var/lib/mongodb-mms-automation/mms-cluster-config-backup.json
Windows: %SystemDrive%\MMSAutomation\versions\mms-cluster-config-backup.json
If the version values match, you are working with the current version of the Automation Configuration file.
Create a new automation configuration file from the current one.
Replace the variables in the following command and run it:
sed -e "/autoPwd/a\\
\"newAutoPwd\" : \"<NEW_OPS_MANAGER_AUTOMATION_PASSWORD>\"," \
    -e 's/ "version" : <CURRENT_AUTOMATION_CONFIGURATION_VERSION>/ "version" : <NEW_AUTOMATION_CONFIGURATION_VERSION>/' \
    currentAutomationConfig.json > modifiedAutomationConfig.json
Name | Description |
---|---|
<NEW_OPS_MANAGER_AUTOMATION_PASSWORD> | Specify the new Automation password. |
<CURRENT_AUTOMATION_CONFIGURATION_VERSION> | Specify the current Automation version. To check your current Automation version, see Get the Automation Configuration. |
<NEW_AUTOMATION_CONFIGURATION_VERSION> | Specify the current Automation version incremented by 1. For example, if you have a current Automation version of 4, the new Automation version should be 5. |
Send the updated automation configuration.
Use the automationConfig resource to send the updated automation configuration.
Issue the following command, pointing to the modifiedAutomationConfig.json file created in the previous step, which contains the updated configuration document. Replace the placeholders with the Variables for Automation Config API Resources.
curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --header "Content-Type: application/json" \
     --request PUT "https://cloud.mongodb.com/api/public/v1.0/groups/{PROJECT-ID}/automationConfig?pretty=true" \
     --data '@modifiedAutomationConfig.json'
Upon successful update of the configuration, the API returns the HTTP 200 OK status code to indicate the request has succeeded.
Confirm successful update of the automation configuration.
Retrieve the automation configuration from Cloud Manager and confirm it contains the changes. To retrieve the configuration, issue the following command, replacing the placeholders with the Variables for Automation Config API Resources.
curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --request GET "https://cloud.mongodb.com/api/public/v1.0/groups/{PROJECT-ID}/automationConfig?pretty=true"
Note
The Automation version automatically increments two times. For example, if you pushed the new Automation version as 5, the new Automation version after all changes is 7. The Automation updates the Automation user password on all managed MongoDB Server deployments.
Check the deployment status to ensure goal state is reached.
Use the automationStatus resource to retrieve the deployment status. Issue the following command, replacing the placeholders with the Variables for Automation Config API Resources.
curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --request GET "https://cloud.mongodb.com/api/public/v1.0/groups/{PROJECT-ID}/automationStatus?pretty=true"
Confirm that the values of all the lastGoalVersionAchieved fields in the processes array match the goalVersion field. To learn about deployment status, see Get Automation Status of Latest Plan.
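The edit and goal-state steps of this procedure as a JSON-aware sketch, added here as an example and not part of the original documentation: it stages auth.newAutoPwd and the incremented version without sed, refuses to proceed when the SCRAM precondition is not met, and lists processes that have not reached goalVersion. The function names, the sample documents, the processes[].name field and the spelling of the mechanism names inside the JSON are assumptions.

```python
import copy
import json
import os

# Mechanism names as the page spells them; that they appear in the JSON with
# exactly this spelling is an assumption of this example.
SCRAM_MECHANISMS = {"SCRAM-SHA-1", "SCRAM-SHA-256"}

def stage_rotation(config, new_password):
    """Return a copy of config with auth.newAutoPwd set and version + 1."""
    auth = config.get("auth") or {}
    if not auth.get("autoPwd"):
        raise ValueError("auth.autoPwd is missing; nothing to rotate")
    if not SCRAM_MECHANISMS & set(auth.get("autoAuthMechanisms") or []):
        raise ValueError("auth.autoAuthMechanisms lists no SCRAM mechanism")
    if not new_password or new_password == auth["autoPwd"]:
        raise ValueError("new password must be non-empty and differ from autoPwd")
    staged = copy.deepcopy(config)
    staged["auth"]["newAutoPwd"] = new_password  # auth.autoPwd stays as it is
    staged["version"] = config["version"] + 1
    return staged

def write_private(path, document):
    """Write the staged config (it holds both passwords) readable by owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(path, 0o600)  # tighten a pre-existing file before writing to it
    with os.fdopen(fd, "w") as handle:
        json.dump(document, handle, indent=2)

def lagging_processes(status):
    """Names of processes whose lastGoalVersionAchieved differs from goalVersion."""
    goal = status["goalVersion"]
    return [p.get("name", "<unnamed>") for p in status["processes"]
            if p.get("lastGoalVersionAchieved") != goal]

# Constructed sample documents, trimmed to the fields this example reads.
SAMPLE_CONFIG = {"auth": {"autoPwd": "old-example-pw",
                          "autoAuthMechanisms": ["SCRAM-SHA-256"]},
                 "version": 4}
SAMPLE_STATUS = {"goalVersion": 7, "processes": [
    {"name": "rs0_1", "lastGoalVersionAchieved": 7},
    {"name": "rs0_2", "lastGoalVersionAchieved": 6}]}

if __name__ == "__main__":
    staged = stage_rotation(SAMPLE_CONFIG, "new-example-pw")
    write_private("modifiedAutomationConfig.json", staged)
    print("staged version:", staged["version"])
    print("not yet at goal state:", lagging_processes(SAMPLE_STATUS))
```

When the new password is read from a prompt or a secret store instead of being typed into the sed command, it stays out of shell history and the process list. The staged file holds both passwords in clear text, so it is created owner-readable only and should be deleted once the PUT succeeds.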