Docker Setup with Vault Encryption key, "token are too open"

Pretty much I'm trying to configure Percona MongoDB with Vault as shown in the docs, but I keep running into the same issue, which is that when I set TokenFile and point it towards a file it keeps crashing with this error:

{"t":{"$date":"2025-08-25T11:32:09.219+00:00"},"s":"F", "c":"STORAGE", "id":29120, "ctx":"initandlisten","msg":"Data-at-Rest Encryption Error","attr":{"error":{"what":"Can't create encryption key database","reason":{"what":"key saving failed","reason":"saving the master key to the Vault server failed: permissions on /run/secrets/token are too open"},"encryptionKeyDatabaseDirectory":"/data/db/key.db"}}}

And no matter what fix I tried, in the end it keeps mounting with these permissions: -r--r--r-- 1 root root 28 Aug 25 09:41 /run/secrets/token
even when I tried to change it with Docker's secrets mode or make it ro; nothing works... Can someone tell me how to do it?

Hi @MohamedAziz

Thanks for the question and congrats on your first post - welcome to the Percona Community!

You’re fighting against the designed behavior of Docker Secrets. Docker mounts secrets as read-only files with 0444 (-r--r--r--) permissions owned by root. You cannot change this directly. The MongoDB process, for security reasons, refuses to use a token file that is world-readable.

The solution is to create an entrypoint script that copies the secret to a new location, sets the correct permissions and ownership on the copy, and then starts MongoDB pointing to that new file.

Here’s a sample script that may help:

#!/bin/bash
set -e
VAULT_TOKEN_SECRET_FILE="/run/secrets/token"
MONGOD_VAULT_TOKEN_FILE="/etc/mongodb-key/vault-token" # A new location

if [ -f "$VAULT_TOKEN_SECRET_FILE" ]; then
    # Create the target directory in case it does not exist yet
    mkdir -p "$(dirname "$MONGOD_VAULT_TOKEN_FILE")"
    # Make a private copy; the mounted secret itself stays 0444 and root-owned
    cp "$VAULT_TOKEN_SECRET_FILE" "$MONGOD_VAULT_TOKEN_FILE"
    chown mongodb:mongodb "$MONGOD_VAULT_TOKEN_FILE"
    chmod 400 "$MONGOD_VAULT_TOKEN_FILE"
fi

# Hand over to the original command (mongod and its arguments)
exec "$@"

Then add to your Dockerfile:

ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

and in your mongod.conf:

security:
  enableEncryption: true
  vault:
    serverName: <your-vault-server-ip>
    port: 8200
    tokenFile: /etc/mongodb-key/vault-token
    secret: <path-to-your-secret-in-vault>

Hope this helps!
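As an added example (not part of the Percona answer above, and not Percona's own tooling), the following script stages the Docker secret into a private copy and then verifies the resulting mode the way mongod's "permissions are too open" check does, so a bad copy is caught before the server is started. It assumes bash and GNU coreutils (stat -c); the function names and the usage paths are constructed for this example.

```shell
#!/bin/bash
# Added example (not from the Percona answer): stage a Docker secret into a
# private copy and verify its mode before mongod is pointed at it.
# Assumes bash and GNU coreutils (stat -c); mode checks use octal digits.
set -e

# Return 0 if FILE exists and its mode grants nothing to group or other
# (e.g. 400 or 600); 1 otherwise. This mirrors the "too open" condition
# so it can be caught before mongod refuses to start.
token_file_is_private() {
  local file="$1" mode
  [ -f "$file" ] || return 1
  mode=$(stat -c '%a' "$file") || return 1
  # group and other are the last two octal digits; both must be zero
  [ "${mode: -2}" = "00" ]
}

# Copy SRC to DST without a window where the copy is world-readable
# (umask 077 applies at creation, before the final chmod), optionally
# chown it to OWNER (user:group), and return the privacy check's result.
stage_token() {
  local src="$1" dst="$2" owner="${3:-}"
  mkdir -p "$(dirname "$dst")"
  ( umask 077 && cp "$src" "$dst" )
  chmod 400 "$dst"
  if [ -n "$owner" ]; then
    chown "$owner" "$dst"
  fi
  token_file_is_private "$dst"
}

# Usage: ./stage-token.sh /run/secrets/token /etc/mongodb-key/vault-token mongodb:mongodb
# Runs only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  if stage_token "$1" "$2" "${3:-}"; then
    echo "staged $2 with mode $(stat -c '%a' "$2")"
  else
    echo "refusing: $2 is still readable by group/other" >&2
    exit 1
  fi
fi
```

The umask in the subshell matters: a plain cp of a 0444 secret creates the copy with 0444 as well, so for the instant between cp and chmod the token is world-readable; creating it under umask 077 closes that window, and the final check confirms the file mongod will read is owned and locked down as intended.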