Sharing API key between different organizations

I want to create a program that restores snapshots from one organization (in a project called project1) to another organization (in a project called project2).
Hence, I thought about creating an API key in project2, and then inviting that key to project1 (following this guide https://www.mongodb.com/docs/atlas/configure-api-access/#std-label-invite-org-app-api-keys).

Unfortunately, it seems that only keys under organization1 are visible to project1.

What should I do?

Welcome to the MongoDB Community @Yuval_Lavie !

Since these are two different Atlas organisations, you should create an API key for each project and call those from your program: use project1 API key to fetch snapshots and project2 API key to restore snapshots.

Regards,
Stennie

Thank you for your answer
I’m following this API.

I’m using project2’s API key as you suggested.
The body params are clear - the target group is project 2.

What about the URL?
If I use project1 and cluster1, I get USER_CANNOT_ACCESS_ORG
And if I use project2 and cluster2, I get UNEXPECTED_ERROR “Internal Server Error”

This is my second request:


curl --user "{PROJECT2_PUBLIC}:{PROJECT2_PRIVATE}" --digest \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --request POST "https://cloud.mongodb.com/api/atlas/v1.0/groups/{PROJECT2}/clusters/{DEST_CLUSTER}/backup/restoreJobs?pretty=true" \
      --data '
        {
          "delivery" : {
            "methodName" : "AUTOMATED_RESTORE",
            "targetGroupId" : "{PROJECT2}",
            "targetClusterId" : "{DEST_CLUSTER}"
          },
          "snapshotId": "{SOURCE_SNAP_ID}"
        }'

I’m sorry, this is my request:

curl --user "{PROJECT2_PUBLIC}:{PROJECT2_PRIVATE}" --digest \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --request POST "https://cloud.mongodb.com/api/atlas/v1.0/groups/{PROJECT2}/clusters/{DEST_CLUSTER}/backup/restoreJobs" \
      --data '
       {
        "deliveryType": "automated",
        "snapshotId": "{SOURCE_SNAP_ID}",
        "targetClusterName": "{DEST_CLUSTER}",
        "targetGroupId": "{PROJECT2}"
   }''

And I get:

{"detail":"Unexpected error.","error":500,"errorCode":"UNEXPECTED_ERROR","parameters":[],"reason":"Internal Server Error"}

can you please answer? :grinning:

Hi @Yuval_Lavie,

What are the role’s associated with each of the API keys?

Additionally, is the use case to automate this procedure or are you wanting to specifically just perform a restore from Project1 (in Organization1) to Project2 (in Organization2)?

If it is for the latter, you can try following the Restore your Snapshot to an Atlas Cluster procedure. You’ll need to be a Project Owner in both organizations.

Regards,
Jason

1 Like

Hi @Jason_Tran

Each API key has a project owner role.
Actually, I was expecting that one API key would have permissions on both organizations, because the action of restoring requires permissions for accessing the source snapshot, and deploying on the dest project

I want to automate this procedure.

Hey @Jason_Tran @Stennie

This topic is really a blocker for us. We want to start automating this procedure with an API key but we can’t.
We would really appreciate if you could answer it soon :slight_smile:

Hi @Yuval_Lavie,

I am still checking to see if restore from one Organization to another Organizaiton using the Atlas Administration API is possible. It may not be possible as the all API keys exists within the Atlas Organization (which can be invited to the Projects within the same Organization). However based on my limited testing, I cannot see that the API keys and resources (snapshots in this case) of one Org can be used in another Org with its own set of API keys.

In saying so, could you provide further details on the use case regarding the automatic restore from Organization1 to another Organization2 rather than restoring from Project1 to Project2 (within the same single Organization)?

Regards,
Jason

2 Likes

Hi @Yuval_Lavie ,

I have confirmed with our engineering team that it is not currently possible to restore from one Organization to another Organization using the Atlas Administration API due to the fact that each API key belongs to only one organization.

We would be interested in understanding your use case of automating restores from Organization1 to another Organization2 rather than restoring from Project1 to Project2 (within the same single Organization) as @Jason_Tran mentioned above as that may help here.

Best regards,
Evin

2 Likes

Hi @Evin_Roesle @Jason_Tran
Thanks for your reply.

We are a data security company, which supplies our customers with analytics about their data saved in the cloud.

These days we’re expanding our support to MongoDB Atlas.
For our needs, we need to clone our customer’s cluster into our environment, which will be in our control, and our own billing (and that’s why we need it to be transferred between different organizations).

We know we can do that with user permissions (which will be invited by the customer’s project). Still, we can’t automate it (even atlasCLI asks for web authentication at the beginning).

Is it possible to support sharing API keys between different organizations?

Hey @Evin_Roesle @Jason_Tran
I’d like to have a response :slight_smile:

Hi @Yuval_Lavie ,

This is not supported today. I see that you already submitted this as a feedback on Share API key cross organizations – MongoDB Feedback Engine . These feedback ideas are seen and evaluated by the appropriate team so this is the best way to highlight ideas/suggestions to our teams so that they can be considered for prioritization.

I am not aware of any current ongoing work to enable this functionality but your feedback suggestion is the best place to see any update as we try to keep those as updated as possible.

Best regards,
Evin

2 Likes

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.