MongoDB Authentication and Automation

MongoDB

MongoDB supports role-based authentication, so you can restrict access to your deployment for safety and security. Cloud Manager Automation makes enabling and managing your users easy.

An important note before we begin: Authentication Settings made here apply to your entire Cloud Manager group. If you are using Automation, and it’s vital that different deployments in your group have different credentials, you will have to create a new Cloud Manager group for these deployment items and import them.

Enabling Authentication

If you already have authentication enabled, follow the normal procedure for importing into Automation, taking particular note of the creation of a new automation-agent user. You can then skip this section and go on to the role and user management sections below.

If you have an unauthenticated deployment:

  1. Click the “…” menu on your Deployment Page and choose “Authentication & SSL Settings”
    https://webassets.mongodb.com/_com_assets/blog/tblr/41.media.tumblr.com--96d3ff626a493befd9b487eed9478f10--tumblr_nxx25oM9XH1sdaytmo1_1280.png

  2. Click “Next” to get to the “Select Authentication Mechanisms” screen
    https://webassets.mongodb.com/_com_assets/blog/tblr/40.media.tumblr.com--3d2a8e032a5a9bb2df4212f50c0d072f--tumblr_nxx25oM9XH1sdaytmo8_1280.png
    https://webassets.mongodb.com/_com_assets/blog/tblr/40.media.tumblr.com--9aca5b8de0b173a37c77f20fd55a1ad7--tumblr_nxx25oM9XH1sdaytmo9_1280.png

  3. Select “Username/Password” and click “Next”. Click “Next” again to skip the SSL settings (a topic for this other post).

  4. Now you will see the new users that will be automatically created for you. Click “Save” to create a new automation draft with your new users.
    https://webassets.mongodb.com/_com_assets/blog/tblr/41.media.tumblr.com--e5274a0582c19719dc45e988fcbf1d25--tumblr_nxx25oM9XH1sdaytmo5_1280.png

  5. Now you just have to “Review & Deploy” and “Confirm & Deploy” as normal. Beware: Clients without authentication will fail to connect after this point. Make sure your application is ready for this change. Check your drivers’ documentation on how to enable MongoDB authentication in your application.
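A pre-flight check for the warning in step 5, as an added example that is not part of the original post: it audits an inventory of application connection strings for entries that carry no credentials or carry malformed ones before the deploy is confirmed. The service names, hosts and credentials are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import parse_qs, quote

RESERVED = set(":/?#[]@")  # must be percent-encoded inside username/password

# Constructed inventory of application connection strings (hypothetical names).
SAMPLE_URIS = {
    "billing-api": "mongodb://db1.example.net:27017,db2.example.net:27017/billing?replicaSet=rs0",
    "reports": "mongodb://reporter:s3cr%40t@db1.example.net:27017/reports?authSource=admin",
    "worker": "mongodb://worker@db1.example.net:27017/jobs",
    "legacy": "mongodb://app:p@ss@db1.example.net:27017/app",
}


def audit_uri(uri):
    """Return findings that would break or surprise a client once auth is on."""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("mongodb", "mongodb+srv"):
        return ["not a MongoDB connection string"]
    before_query, _, query = rest.partition("?")
    # Split on the LAST '@' so an unencoded '@' in a password is still seen.
    userinfo, at, host_and_db = before_query.rpartition("@")
    if not at:
        return ["no credentials: client will fail once authentication is enabled"]
    findings = []
    user, colon, password = userinfo.partition(":")
    if not user:
        findings.append("empty username")
    if not colon or not password:
        findings.append("username without a password")
    if RESERVED & set(user + password):
        findings.append("reserved character in credentials is not percent-encoded")
    options = {key.lower() for key in parse_qs(query)}  # option names are case-insensitive
    if "authsource" not in options:
        default_db = host_and_db.partition("/")[2] or "admin"
        findings.append(f"note: no authSource, driver will authenticate against '{default_db}'")
    return findings


def encode_userinfo(user, password):
    """Percent-encode credentials for safe use in a connection string."""
    return f"{quote(user, safe='')}:{quote(password, safe='')}"


def audit_all(uris):
    """Map each service to its findings, omitting clean entries."""
    return {name: found for name, uri in uris.items() if (found := audit_uri(uri))}


if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_URIS).items():
        print(name, "->", "; ".join(found))
```

Any service listed with "no credentials" needs its configuration updated before you click “Confirm & Deploy”.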

Role Management

Let’s start with adding a new role:

  1. Head over to your “Authorization & Roles” tab
    https://webassets.mongodb.com/_com_assets/blog/tblr/40.media.tumblr.com--ed55cda862c6f2b4fb8b8c9ab35db016--tumblr_nxx25oM9XH1sdaytmo10_1280.png

  2. When you click the “Add Role” button in the upper-right, you will be presented with a dialog to fill out:
    https://webassets.mongodb.com/_com_assets/blog/tblr/41.media.tumblr.com--a8fa786316b74a3c26b0c84a8ee0b25e--tumblr_nxx25oM9XH1sdaytmo6_1280.png

  3. You can even add collection-level and other privileges if you want
    https://webassets.mongodb.com/_com_assets/blog/tblr/36.media.tumblr.com--b6100f51cf47723f5c6d9c9997967f87--tumblr_nxx2taCfhl1sdaytmo2_1280.png

  4. In my case, I’ve let my reader role also be able to do certain diagnostic actions
    https://webassets.mongodb.com/_com_assets/blog/tblr/36.media.tumblr.com--75d728996018bee75adebbe464b591ac--tumblr_nxx25oM9XH1sdaytmo7_1280.png

  5. Once the role is added, you just have to do the usual “Review & Deploy”/“Confirm & Deploy” to push this role out to your group.

Once the role has been created, you can edit or remove it via the gear icon, as shown below. You can only edit custom roles, not built-in roles.
https://webassets.mongodb.com/_com_assets/blog/tblr/40.media.tumblr.com--bc02db540ed54858e757302ae88e7c2b--tumblr_nxx2taCfhl1sdaytmo1_1280.png

Users

Once you have the roles you need (if you need custom roles at all), you can start creating users.

  1. Head to your “Authentication & Users” tab
    https://webassets.mongodb.com/_com_assets/blog/tblr/41.media.tumblr.com--1741febd8d237fa670f3ca8549d5461a--tumblr_nxx25oM9XH1sdaytmo4_1280.png

  2. Create a new user via the “Add User” button in the upper-right
    https://webassets.mongodb.com/_com_assets/blog/tblr/36.media.tumblr.com--d21c25b1963847de82c38884e47f310d--tumblr_nxx25oM9XH1sdaytmo3_1280.png

  3. You can choose any custom or built-in roles you wish and enter the user’s password

  4. Once the user is added, you just have to do the usual “Review & Deploy”/“Confirm & Deploy” to push this user out to your group.

Once the user has been created, you can edit or delete it via the gear. You cannot edit the built-in users for the agents.
https://webassets.mongodb.com/_com_assets/blog/tblr/40.media.tumblr.com--31c2c38a20d41bb313e924eba4318e1b--tumblr_nxx25oM9XH1sdaytmo2_1280.png

Removing Authentication

Maybe you have moved your deployment into a private network and have decided to remove your authentication settings. Here’s how:

  1. Click the “…” menu on your Deployment page and select “Authentication & SSL Settings”
  2. Click “Next” to get to the “Authentication Mechanisms” screen and un-check “Username/Password”
  3. Click “Next” to skip the SSL settings, and then click “Save”
  4. When you next do a “Review & Deploy”/“Confirm & Deploy”, the Automation Agents will disable authentication.

All your custom roles and users will remain cached in Cloud Manager in case you wish to re-enable authentication. You can edit them even when authentication is not enabled.