Vault should return users only once they can be used
Currently, the Vault Plugin immediately returns the MongoDB users after they are created in Atlas. However, they have not been rolled out to the actual nodes yet. Immediately using them on a cluster will fail.
Unfortunately MongoDB does not want to provide a fixed maximum time to wait, as the time apparently depends on many factors, including how many clusters are in a project, or if there are other changes being rolled out.
It would be a much simpler and better user experience if the Vault plugin would only return the user once it is actually usable, even if that means a longer call.
Hi all,
This request was first made via a Vault repo issue: https://github.com/hashicorp/vault-plugin-database-mongodbatlas/issues/10. We investigated the options with the Vault engineering team, and the conclusion, from the issue, is:
"We have researched the options to address this feature request and discussed it with the Vault engineering team. After this it became apparent that there is no safe and solid way to do this and it would be better to continue to function as most secret engines do, which results in an eventually consistent experience in regard to secret creation. I encourage those who need to know when the database credential is fully available to use the status endpoint mentioned earlier in this issue, https://docs.atlas.mongodb.com/reference/api/clusters-check-operation-status/."
Thank you,
Melissa
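A client-side sketch of the polling approach suggested in the reply above, added here as an example and not taken from the plugin or from this thread. It assumes the status endpoint returns JSON with a `changeStatus` field that reads `PENDING` until the change is `APPLIED`; `fetch_status` is a hypothetical caller-supplied function that makes the authenticated request. Because no fixed maximum wait is available, the loop is bounded by a caller-chosen timeout.

```python
import time

# Assumption: the Atlas cluster status endpoint returns JSON with a
# "changeStatus" field that is "PENDING" while changes roll out and
# "APPLIED" once they have reached the nodes.
APPLIED = "APPLIED"


class RolloutTimeout(Exception):
    """Raised when the change is still not applied at the caller's deadline."""


def wait_until_applied(fetch_status, timeout_s=300.0, first_delay_s=1.0,
                       max_delay_s=15.0, sleep=time.sleep, clock=time.monotonic):
    """Poll fetch_status() until it reports APPLIED; return the number of polls.

    fetch_status (hypothetical) performs the authenticated GET against the
    status endpoint and returns the parsed JSON body as a dict.
    """
    deadline = clock() + timeout_s
    delay = first_delay_s
    polls = 0
    while True:
        polls += 1
        body = fetch_status()
        if body.get("changeStatus") == APPLIED:
            return polls
        remaining = deadline - clock()
        if remaining <= 0:
            # Fail closed: do not hand out a credential that may not work yet.
            raise RolloutTimeout(
                f"still {body.get('changeStatus')!r} after {polls} polls")
        # Exponential backoff, capped, and never sleeping past the deadline.
        sleep(min(delay, remaining))
        delay = min(delay * 2, max_delay_s)


def demo():
    """Run the loop against constructed responses with a simulated clock."""
    responses = iter([{"changeStatus": "PENDING"}] * 3
                     + [{"changeStatus": "APPLIED"}])
    now = [0.0]

    def fake_sleep(seconds):
        now[0] += seconds

    polls = wait_until_applied(lambda: next(responses), sleep=fake_sleep,
                               clock=lambda: now[0])
    return polls, now[0]
```

The Vault lease on the credential starts when it is issued, so time spent waiting here counts against its TTL.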
-
Daniele commented
This could really use a solution.