The External Secrets Enterprise product suite is a premium product.
It requires a specific subscription. Contact us for more information.
To use the MongoDB User Generator, you must have the Enterprise Distribution of ESO available, either via ESI Agent or via our Helm chart bundle.

Introduction

Managing MongoDB users manually can be error-prone and operationally expensive, especially when dealing with scoped permissions and dynamic workloads.
The MongoDB User Generator automates the creation, rotation, and deletion of MongoDB user accounts with custom roles and minimal overhead.
This generator is especially useful for providing temporary access to applications, improving security posture through least-privilege principles, and removing the need for manual user provisioning.

Output Keys and Values

| Key | Description |
|---|---|
| user | The generated MongoDB username |
| password | The generated MongoDB password |

Parameters

| Key | Default | Description |
|---|---|---|
| database.adminDB | "admin" | Name of the MongoDB administrative database used to authenticate. |
| database.host | Required | Hostname or IP of the MongoDB instance. |
| database.port | 27017 | Port used to connect to the MongoDB instance. |
| auth.scram.username | Optional | Username used for SCRAM authentication. |
| auth.scram.secretRef.usernameSecretRef | Optional | Secret reference for the SCRAM username. |
| auth.scram.secretRef.passwordSecretRef | Required | Secret reference for the SCRAM password. |
| user.name | Optional | Desired username for the MongoDB user. If not specified, one is generated. |
| user.roles | Required | List of roles to assign to the user. Each role must include a name and db. |
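As an added example (not part of ESO or its documentation), the following pre-admission check applies the defaults and required/optional rules from the table above to a generator spec loaded as a plain dict, and additionally flags administrative roles on the generated user; the ADMIN_ROLES policy set, the assumption that a SCRAM username must come from one of the two sources, and the sample spec are all constructed for this example.

```python
from typing import Any

# Constructed policy for this example: roles a generated application user
# should not receive, because they undo the least-privilege intent.
ADMIN_ROLES = {"root", "userAdmin", "userAdminAnyDatabase", "dbOwner",
               "clusterAdmin", "readWriteAnyDatabase"}


def validate_mongodb_generator(spec: dict[str, Any]) -> tuple[dict, list[str]]:
    """Return (spec with table defaults applied, list of problems); [] means OK."""
    problems: list[str] = []
    db = dict(spec.get("database") or {})
    db.setdefault("adminDB", "admin")  # default from the Parameters table
    db.setdefault("port", 27017)       # default from the Parameters table
    if not db.get("host"):
        problems.append("database.host is required")
    if not isinstance(db["port"], int) or not 1 <= db["port"] <= 65535:
        problems.append(f"database.port must be an int in 1..65535, got {db['port']!r}")

    scram = (spec.get("auth") or {}).get("scram") or {}
    refs = scram.get("secretRef") or {}
    pw = refs.get("passwordSecretRef") or {}
    if not (pw.get("name") and pw.get("key")):
        problems.append("auth.scram.secretRef.passwordSecretRef needs name and key")
    # Assumption: the generator needs the SCRAM username from one of the two sources.
    if not scram.get("username") and not (refs.get("usernameSecretRef") or {}).get("name"):
        problems.append("set auth.scram.username or auth.scram.secretRef.usernameSecretRef")

    roles = (spec.get("user") or {}).get("roles") or []
    if not roles:
        problems.append("user.roles is required and must be non-empty")
    for i, role in enumerate(roles):
        if not (isinstance(role, dict) and role.get("name") and role.get("db")):
            problems.append(f"user.roles[{i}] must include name and db")
        elif role["name"] in ADMIN_ROLES:
            problems.append(f"user.roles[{i}]: {role['name']} is an administrative role")
    return {**spec, "database": db}, problems


# Constructed sample mirroring the Generator Config on this page, with port
# omitted so the default is applied.
SAMPLE_SPEC = {
    "database": {"host": "mongodb.default.svc.cluster.local", "adminDB": "admin"},
    "auth": {"scram": {"secretRef": {
        "usernameSecretRef": {"name": "mongodb-admin-creds", "key": "username"},
        "passwordSecretRef": {"name": "mongodb-admin-creds", "key": "password"}}}},
    "user": {"name": "my-app-user", "roles": [
        {"name": "readWrite", "db": "my-app-db"}, {"name": "read", "db": "analytics"}]},
}
```

Running `validate_mongodb_generator(SAMPLE_SPEC)` returns the spec with `port: 27017` filled in and an empty problem list; a spec whose roles include `root` is rejected by the policy check.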

Set up

MongoDB Permissions

The SCRAM user used for authentication must have permission to create and manage other users and roles in the target database(s). This typically means having the userAdmin or userAdminAnyDatabase role in the admin database.

Generator Config

apiVersion: generators.external-secrets.io/v1alpha1
kind: MongoDB
metadata:
  name: mongodb-generator
  namespace: default
spec:
  database:
    host: mongodb.default.svc.cluster.local
    port: 27017
    adminDB: admin
  auth:
    scram:
      username: admin
      secretRef:
        usernameSecretRef:
          name: mongodb-admin-creds
          key: username
        passwordSecretRef:
          name: mongodb-admin-creds
          key: password
  user:
    name: my-app-user
    roles:
      - name: readWrite
        db: my-app-db
      - name: read
        db: analytics

ExternalSecret Config

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: mongodb-credentials
  namespace: default
spec:
  refreshInterval: 1h
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: MongoDB
          name: mongodb-generator

Using the Generated Secret

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-container
          image: my-image:latest
          env:
            - name: MONGO_USER
              valueFrom:
                secretKeyRef:
                  name: mongodb-credentials
                  key: user
            - name: MONGO_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mongodb-credentials
                  key: password

Notes and Considerations

  • This generator currently supports only SCRAM authentication with secret-based credential references.
  • If no user.name is provided, a username is automatically generated and will follow ESO’s default randomization strategy.
  • Roles must exist in the specified database; otherwise, MongoDB will return an error.