Hi @MohamedAziz
Thanks for the question and congrats on your first post - welcome to the Percona Community!
You’re fighting against the designed behavior of Docker Secrets. Docker mounts secrets as read-only files with 0444 (-r--r--r--) permissions owned by root. You cannot change this directly. The MongoDB process, for security reasons, refuses to use a token file that is world-readable.
The solution is to create an entrypoint script that copies the secret to a new location, sets the correct permissions and ownership on the copy, and then starts MongoDB pointing to that new file.
Here’s a sample script that may help:
    #!/bin/bash
    set -e

    VAULT_TOKEN_SECRET_FILE="/run/secrets/token"
    MONGOD_VAULT_TOKEN_FILE="/etc/mongodb-key/vault-token"   # A new location, outside /run/secrets

    if [ -f "$VAULT_TOKEN_SECRET_FILE" ]; then
        # The target directory does not exist in the stock image; create it first
        mkdir -p "$(dirname "$MONGOD_VAULT_TOKEN_FILE")"
        # Copy the read-only 0444 secret, then make the copy private to the mongodb user
        cp "$VAULT_TOKEN_SECRET_FILE" "$MONGOD_VAULT_TOKEN_FILE"
        chown mongodb:mongodb "$MONGOD_VAULT_TOKEN_FILE"
        chmod 400 "$MONGOD_VAULT_TOKEN_FILE"
    fi

    # Hand over to the image's command (mongod ...) with the hardened token file in place
    exec "$@"
Then add to your Dockerfile:
    ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
and in your mongod.conf:
    security:
      enableEncryption: true
      vault:
        serverName: <your-vault-server-ip>
        port: 8200
        tokenFile: /etc/mongodb-key/vault-token
        secret: <path-to-your-secret-in-vault>
Hope this helps!
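As an added example (not the code from the reply above), a shell check for the constraint the reply describes: it verifies that a token file is not world-readable before mongod gets it, and produces such a copy from a 0444 Docker secret without ever leaving the copy world-readable. It assumes GNU coreutils (`stat -c`), as in a Linux container image.

```shell
#!/bin/bash
# Added example, not the code from the reply above: check that a token file is
# private before handing it to mongod, and produce such a copy from a 0444 secret.
# Assumes GNU coreutils (stat -c), as in a Linux container image.
set -euo pipefail

# Succeeds only if FILE is a regular file with no group/other permission bits,
# i.e. it is not world-readable the way a Docker secret under /run/secrets is.
token_file_is_private() {
  local file="$1" mode
  [ -f "$file" ] || return 1
  mode=$(stat -c '%a' "$file")                 # e.g. 444 for a Docker secret
  [ $(( 8#$mode & 8#077 )) -eq 0 ]
}

# Copy SRC to DEST so the copy is never world-readable, not even briefly:
# umask 077 strips group/other bits at creation, chmod 400 then drops the
# owner's write bit. Ownership (chown mongodb:mongodb) is left to the caller,
# since it needs root and that user only exists inside the image.
install_private_copy() {
  local src="$1" dest="$2"
  mkdir -p "$(dirname "$dest")"
  ( umask 077 && cp "$src" "$dest" )
  chmod 400 "$dest"
  token_file_is_private "$dest"
}

# Demo on a constructed secret in a temp dir standing in for /run/secrets/token.
demo() {
  local tmp; tmp=$(mktemp -d)
  printf 'constructed-example-token\n' > "$tmp/token"
  chmod 444 "$tmp/token"                       # the mode Docker gives secrets
  if token_file_is_private "$tmp/token"; then
    echo "unexpected: secret is already private"
  else
    echo "secret is world-readable (mode $(stat -c '%a' "$tmp/token")): mongod would refuse it"
  fi
  install_private_copy "$tmp/token" "$tmp/mongodb-key/vault-token"
  echo "private copy created with mode $(stat -c '%a' "$tmp/mongodb-key/vault-token")"
  rm -rf "$tmp"
}

demo
```

Inside the image the same `install_private_copy` call would be followed by `chown mongodb:mongodb` on the destination, exactly as in the entrypoint above.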