Overview
Learn about advanced authentication and authorization settings for database users in Atlas Data Federation, including available authentication methods. You can manage users with the Atlas CLI, the Atlas Administration API, and the Atlas UI.
Note
Atlas supports a maximum of 100 database users per Atlas project by default. If you require more than 100 database users on a project, you can use the Atlas Administration API to increase the limit. For assistance, contact Atlas support.
Required Access
To use the advanced database user configurations, you must have Organization Owner, Project Owner, or Project Database Access Admin access in Atlas.
Database Actions
Use the Atlas CLI, Atlas Administration API, or Atlas UI to manage database users for Atlas Data Federation.
Authenticate Database Users
Atlas Data Federation offers the following forms of authentication for database users:
Password: SCRAM is MongoDB's default authentication method. SCRAM requires a password for each user.
The authentication database for SCRAM-authenticated users is the
admindatabase.Note
By default, Atlas supports SCRAM-SHA-256 authentication. If you created a user before MongoDB 4.0, you must update MongoDB 4.0, update their passwords to generate SCRAM-SHA-256 credentials. You may reuse existing passwords.
When to use SCRAM:
You can use SCRAM authentication for human users and application users. For lower environments, SCRAM is a suitable authentication method. For production and higher environments, follow security best practices to keep secrets secure and short-term, such as integrating with Privileged Access Management (PAM) solutions.
X.509 Certificates: X.509 Certificates, also known as mutual TLS or mTLS, allow passwordless authentication by using a trusted certificate.
The authentication database for X.509-authenticated users is the
$externaldatabase.If you enable LDAP authorization, you can't connect to your clusters with users that authenticate with an Atlas-managed X.509 certificate. To enable LDAP and connecting to your clusters with X.509 users, see Set Up Self-Managed X.509 Certificates.
When to use X.509:
X.509 authentication is suitable for secure workload access when workload identity federation (OIDC) or AWS IAM authentication is not feasible, or when mutual authentication is required.
OIDC: OpenID Connect (OIDC) authentication enables passwordless, secretless authentication using external identity providers. Atlas supports the following types of OIDC authentication:
Workforce Identity Federation for human principals such as employees, partners, and contractors.
Workload Identity Federation for applications using external programmatic identities such as Azure Service Principals, Azure Managed Identities, and Google Service Accounts.
The authentication database for OIDC-authenticated users is the
$externaldatabase.OIDC authentication is available only on clusters which use MongoDB version 7.0 and higher.
When to use OIDC:
For human users, we recommend that you use Workforce Identity Federation with OIDC.
For application users, we recommend that you use Workload Identity Federation with OIDC for applications that run on GCP or Azure.
AWS IAM: You can create a database user which uses an AWS IAM User or Role ARN for authentication.
The authentication database for AWS IAM-authenticated users is the
$externaldatabase.When to use AWS IAM:
We recommend that you use AWS IAM authentication with IAM roles for application users running on AWS.
Add New Database Users
A project can have users with different authentication methods.
A user's authentication method is fixed at creation. To use a different authentication method, create a new user.