Atlas CloudFormation resource fails on user creation in CDK

Creating an Atlas cluster CloudFormation resource with CDK fails on the database user creation. Is something missing, or is it a configuration on the organization?

"Error getting resource : POST https://cloud.mongodb.com/api/atlas/v1.0/groups/6523c0dd3746682b04c83c9b/databaseUsers: 400 (request "ATLAS_INVALID_AUTH_SETTINGS") Invalid authentication settings. Users cannot be configured for multiple authentication mechanisms (SCRAM, MONGODB_AWS)."

CDK code snippet:

                .dbUserProps(DatabaseUserProps.builder()
                        .awsiamType(CfnDatabaseUserPropsAwsiamType.ROLE)
                        .username("role name")
                        .databaseName("admin")
                        .roles(List.of(RoleDefinition.builder()
                                .databaseName("admin")
                                .roleName("readWriteAnyDatabase")
                                .build()))
                        .build())

Hi @Nikita_Levi and welcome to MongoDB community forums!!

Based on the above error message, it looks like you are trying to set the IAM role while creating the user.
As mentioned in the API documentation, you would need to set the ARN in the username section.

Please let us know if this works.
If not, could you help me with the documentation you are referring to when creating the user?

Warm regards
Aasawari

Hi @Aasawari, we are facing the same issue while adding an “IAM Role” as a Database User. We are following this documentation: https://github.com/mongodb/mongodbatlas-cloudformation-resources/blob/master/cfn-resources/database-user/README.md

This is the template that’s expected (awsIamUser) and the template that’s created by our stack is almost the same template.

"MongoAtlasDatabaseUser": {
  "Type": "MongoDB::Atlas::DatabaseUser",
  "Properties": {
    "AWSIAMType": "ROLE",
    "DatabaseName": "auditLog",
    "LdapAuthType": "NONE",
    "X509Type": "NONE",
    "ProjectId": "64e9191111111118119fcfb6", // Our project ID (Updated differently)
    "Roles": [
      {
        "DatabaseName": "admin",
        "RoleName": "readAnyDatabase"
      }
    ],
    "Username": "arn:aws:iam::071429502830:role/common-insurance-auto-ame-cancelautoaohuonmainlamb-SZT2B11YOZ2M",
    "Profile": "atlasMongoDbAuditLog"
  },
  "Metadata": {
    "aws:cdk:path": "MongoAtlas-Database-Stack-us-west-2/Mongo Atlas DatabaseUser"
  }
}

Hi @aasawari_sahasrabuddhe
The username is set to an IAM role ARN. We use Mongo Atlas CDK resources to create a new cluster: GitHub - mongodb/awscdk-resources-mongodbatlas: MongoDB Atlas AWS CDK Resources.
I see that a default user gets created together with the project: ‘atlas-user’, with the SCRAM authentication method. This could be causing the error.
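
Added example, not from the thread or from MongoDB's code: a check to run over a synthesized template (the `cdk synth` output) that flags `MongoDB::Atlas::DatabaseUser` resources whose properties switch on more than one authentication mechanism or contradict AWS IAM authentication. The `Password` property and the ARN and `$external` rules are assumptions taken from the Atlas database-user documentation, and the sample template is constructed.

```python
import json
import re

# Assumed rules (from the Atlas database-user API docs, not from the thread):
# an AWS IAM user has an IAM ARN as Username, authenticates against the
# "$external" database, and has no Password (a password selects SCRAM).
ARN_RE = {"ROLE": re.compile(r"^arn:aws:iam::\d{12}:role/.+"),
          "USER": re.compile(r"^arn:aws:iam::\d{12}:user/.+")}

def lint_database_users(template):
    """Return (logical_id, finding) pairs for MongoDB::Atlas::DatabaseUser resources."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "MongoDB::Atlas::DatabaseUser":
            continue
        props = res.get("Properties", {})
        iam_type = props.get("AWSIAMType", "NONE")
        # Every mechanism these properties switch on for one user.
        mechanisms = [name for name, on in (
            ("MONGODB_AWS", iam_type != "NONE"),
            ("SCRAM", bool(props.get("Password"))),
            ("X509", props.get("X509Type", "NONE") != "NONE"),
            ("LDAP", props.get("LdapAuthType", "NONE") != "NONE")) if on]
        if len(mechanisms) > 1:
            findings.append((logical_id, "multiple mechanisms: " + ", ".join(mechanisms)))
        if iam_type in ARN_RE:
            username = props.get("Username")
            # A dict here is an unresolved intrinsic (Ref, Fn::GetAtt): cannot check.
            if isinstance(username, str) and not ARN_RE[iam_type].match(username):
                findings.append((logical_id, "Username is not an IAM %s ARN" % iam_type.lower()))
            if props.get("DatabaseName") != "$external":
                findings.append((logical_id, "DatabaseName is not $external"))
    return findings

# Constructed sample template (account id and names are placeholders).
SAMPLE = json.loads("""
{"Resources": {
  "MixedUser": {"Type": "MongoDB::Atlas::DatabaseUser", "Properties": {
    "AWSIAMType": "ROLE", "Username": "role name", "DatabaseName": "admin",
    "Password": "constructed-placeholder"}},
  "IamUser": {"Type": "MongoDB::Atlas::DatabaseUser", "Properties": {
    "AWSIAMType": "ROLE", "DatabaseName": "$external",
    "Username": "arn:aws:iam::123456789012:role/constructed-app-role"}},
  "Bucket": {"Type": "AWS::S3::Bucket"}}}
""")

if __name__ == "__main__":
    for logical_id, finding in lint_database_users(SAMPLE):
        print(logical_id + ": " + finding)
```

A higher-level CDK construct can fill in properties the caller never set, so the check belongs on the synthesized template rather than on the CDK source.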