We've been using the Vault mongo database plugin for dynamic secrets for a while and it all works fine. However, after we migrated some to mongo atlas and started to use the mongo atlas database plugin, we started to run into dynamic role name creation collisions. We are getting errors:

409 (request "Conflict") A user with username v-xxxxxxxxxxxxxxx-a9 already exists

Compared with the mongo database plugin, whose generated usernames can be as long as 65 chars, the current mongo atlas plugin caps them at 20 chars. While using all 20 chars for randomization is probably OK to avoid some level of potential collision, with the current code design of the role name capped at 15 chars long, plus credsutil's leading v and the separating -s, this leaves only 2 chars for a dynamic username to be different. And with the high number of replica pods we require, this collision will happen quite often.

Could you help to resolve this by either:

- Adding pre-validation within Vault to check whether the username has already been created before calling Atlas to create the user.
- Reducing the role name cap from 15 chars to a smaller number.
- Bumping up the max length from 20 to a larger number.

For now, we have to cut our role name down to a non-human-readable name to overcome the issue. We'd like to see this fixed for the long term, as the fix looks straightforward to do for now, before you introduce the function allowing users to customize username length. Thank you!
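To put numbers on the report above, the following added example (not code from the issue or from the plugin) models the username as `v-<role>-<random>` with the 20 and 15 character caps stated in the issue, and computes the birthday-bound chance that concurrently live credentials for one role collide. The 62-character alphabet, the fill-to-cap layout and the live-credential counts are assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Values below are the ones stated in the issue; the layout
// "v-<role>-<random>" is a model of that description, not plugin code.
const (
	maxUsernameLen = 20 // Atlas plugin cap on the whole username
	roleNameCap    = 15 // cap on the role-name portion
	alphabetSize   = 62 // ASSUMPTION: random chars drawn from [A-Za-z0-9]
)

// RandomChars returns how many characters remain for the random suffix
// after the "v-" prefix, the (capped) role name and one "-" separator.
func RandomChars(maxLen, roleCap, roleLen int) int {
	if roleLen > roleCap {
		roleLen = roleCap
	}
	left := maxLen - len("v-") - roleLen - len("-")
	if left < 0 {
		return 0
	}
	return left
}

// CollisionProbability is the birthday bound: the chance that at least two
// of `live` concurrently valid usernames for one role share a suffix.
func CollisionProbability(alphabet, randomChars, live int) float64 {
	space := math.Pow(float64(alphabet), float64(randomChars))
	if float64(live) > space {
		return 1 // pigeonhole: more users than possible suffixes
	}
	unique := 1.0
	for i := 1; i < live; i++ {
		unique *= 1 - float64(i)/space
	}
	return 1 - unique
}

func main() {
	for _, roleLen := range []int{15, 12, 8} { // constructed sample role-name lengths
		n := RandomChars(maxUsernameLen, roleNameCap, roleLen)
		for _, live := range []int{10, 50, 200} { // constructed replica counts
			fmt.Printf("role=%2d chars random=%d live=%3d P(collision)=%.4f\n",
				roleLen, n, live, CollisionProbability(alphabetSize, n, live))
		}
	}
}
```

Under these assumptions a 15-character role name leaves 3,844 possible suffixes, so 50 live credentials collide roughly a quarter of the time, while shortening the role name or raising the cap makes the probability negligible.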