Docs Menu
Docs Home
/
MongoDB Cloud Manager
/ /

Rotate Automation Password with the API

On this page

  • Prerequisites
  • Variables for Automation Config API Resources
  • Procedure

You can programmatically rotate the automation user's password by updating a project's automation configuration.

This page describes the following process to rotate the automation user's password using the Cloud Manager API:

  1. Set auth.newAutoPwd and leave auth.autoPwd with its current password.

  2. Wait for the goal state.

  3. auth.newAutoPwd copies over the auth.autoPwd password automatically.

You can set this option only when you include SCRAM-SHA-1 or SCRAM-SHA-256 as one of the authentication mechanisms for the Automation in auth.autoAuthMechanisms.

The API resources use one or more of these variables. Replace these variables with your desired values before calling these API resources.

Name
Type
Description
PUBLIC-KEY
string
Your public API Key for your API credentials.
PRIVATE-KEY
string
Your private API Key for your API credentials.
cloud.mongodb.com
string
URL of your Cloud Manager instance.
GROUP-ID
string
Unique identifier of your project from your project settings.
CLUSTER-ID
string
Unique identifier of your cluster.
1
  1. Use the automationConfig resource to retrieve the configuration. Issue the following command, replacing the placeholders with the Variables for Automation Config API Resources.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
    --request GET "https://cloud.mongodb.com/api/public/v1.0/groups/{PROJECT-ID}/automationConfig?pretty=true" \
    --output currentAutomationConfig.json
  2. Validate the downloaded Automation Configuration file.

    Compare the version field of the currentAutomationConfig.json with that of the Automation Configuration backup file, mms-cluster-config-backup.json. The version value is the last element in both JSON documents. You can find this file on any host running the MongoDB Agent at:

    • Linux and macOS: /var/lib/mongodb-mms-automation/mms-cluster-config-backup.json

    • Windows: %SystemDrive%\MMSAutomation\versions\mms-cluster-config-backup.json

    If the version values match, you are working with the current version of the Automation Configuration file.

2

Replace the variables in the following command and run it:

sed -e "/autoPwd/a\\ \"newAutoPwd\" : \"<NEW_OPS_MANAGER_AUTOMATION_PASSWORD>\"," -e 's/ "version" : <CURRENT_AUTOMATION_CONFIGURATION_VERSION>/ "version" : <NEW_AUTOMATION_CONFIGURATION_VERSION>/' currentAutomationConfig.json > modifiedAutomationConfig.json
Name
Description
<NEW_OPS_MANAGER_AUTOMATION_PASSWORD>
Specify the new Automation password.
<CURRENT_AUTOMATION_CONFIGURATION_VERSION>
Specify the current Automation version. To check your current Automation version, see Get the Automation Configuration.
<NEW_AUTOMATION_CONFIGURATION_VERSION>
Specify the current Automation version incremented by 1. For example, if you have a current Automation version of 4, the new Automation version should be 5.
3

Use the automationConfig resource to send the updated automation configuration.

Issue the following command, pointing to the modifiedAutomationConfig.json file created in the previous step, which contains the updated configuration document. Replace the placeholders with the Variables for Automation Config API Resources.

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
--header "Content-Type: application/json"
--request PUT "https://cloud.mongodb.com/api/public/v1.0/groups/{PROJECT-ID}/automationConfig?pretty=true" \
--data '@modifiedAutomationConfig.json'

Upon successful update of the configuration, the API returns the HTTP 200 OK status code to indicate the request has succeeded.

4

Retrieve the automation configuration from Cloud Manager and confirm it contains the changes. To retrieve the configuration, issue the following command, replacing the placeholders with the Variables for Automation Config API Resources.

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
--request GET "https://cloud.mongodb.com/api/public/v1.0/groups/{PROJECT-ID}/automationConfig?pretty=true"

Note

The Automation version automatically increments two times. For example, if you pushed the new Automation version as 5, the new Automation version after all changes is 7. The Automation updates the Automation user password on all managed MongoDB Server deployments.

5

Use the automationStatus resource to retrieve the deployment status. Issue the following command, replacing the placeholders with the Variables for Automation Config API Resources.

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
--request GET "https://cloud.mongodb.com/api/public/v1.0/groups/{PROJECT-ID}/automationStatus?pretty=true"

Confirm that the values of all the lastGoalVersionAchieved fields in the processes array match the goalVersion field. To learn about deployment status, see Get Automation Status of Latest Plan.

Back

Rotate a Key File with the API