
Configure Federated Authentication from Kubernetes


Atlas Kubernetes Operator supports configuring federated authentication for your Atlas organization. To configure federated authentication through the Atlas Kubernetes Operator, you must specify and update the AtlasFederatedAuth Custom Resource.

When you create the AtlasFederatedAuth custom resource, Atlas Kubernetes Operator uses the Federated Authentication API Resource to update the organization configuration for the federation. In the organization configuration, you specify federation settings for your Atlas organization such as organization and role mappings.

Prerequisites

Before you can use Atlas Kubernetes Operator to configure federated authentication, you must have:

  • An existing identity provider (IdP) linked to Atlas. To learn how to link an IdP to Atlas, see Manage Identity Providers.

  • A secret with API keys that Atlas Kubernetes Operator can use to connect to Atlas. The API keys must have the Organization Owner role.

  • An active Atlas organization, with at least one organization role or project role in it that your role mappings can assign.

Update an Organization Configuration

To configure federated authentication through the Atlas Kubernetes Operator, update the organization configuration for your federation by specifying the AtlasFederatedAuth Custom Resource.

The following example configures an AtlasFederatedAuth custom resource that does the following:

  • Enables federated authentication for the organization linked to the specified secret.

  • Adds my-org-domain.com as an approved domain.

  • Enables domain restriction for the organization.

  • Disables debugging for SSO.

  • Grants the Organization Member role to users after authenticating.

  • Maps the Organization Owner role for the organization and applies the role mapping to an IdP group named org-admin.

  • Maps the Organization Project Creator and Project Owner roles for a project in the organization named dev-project and applies the role mapping to an IdP group named dev-team.

To learn more, see Parameters.

Note

The spec.roleMappings.roleAssignments parameter must include at least one organization role within the current organization or the projects in the organization.

Example:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasFederatedAuth
metadata:
  name: atlas-default-federated-auth
  namespace: mongodb-atlas-system
spec:
  enabled: true
  # Secret holding the Organization Owner API keys the operator uses.
  connectionSecretRef:
    name: my-org-secret
    namespace: mongodb-atlas-system
  domainAllowList:
    - my-org-domain.com
  domainRestrictionEnabled: true
  ssoDebugEnabled: false
  # Roles granted to every user after a successful IdP login.
  postAuthRoleGrants:
    - ORG_MEMBER
  # IdP group -> Atlas role mappings.
  roleMappings:
    - externalGroupName: org-admin
      roleAssignments:
        - role: ORG_OWNER
    - externalGroupName: dev-team
      roleAssignments:
        - role: ORG_GROUP_CREATOR
        - projectName: dev-project
          role: GROUP_OWNER
EOF

To check on the status of the update process, run the following command in the namespace where you created the resource:

kubectl get atlasfederatedauth -n mongodb-atlas-system -o yaml

Atlas Kubernetes Operator returns the custom resource and includes a status section that resembles the following example:

status:
  conditions:
  - type: Ready
    status: "True"
  - type: RolesReady
    status: "True"
  - type: UsersReady
    status: "True"

A condition status is a string, so it appears as "True" rather than a YAML boolean. If Ready is "False", the condition also carries reason and message fields that describe what the operator could not reconcile, for example a role assignment that does not name an organization role or a project that does not exist.
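The following is an added example, not code from the MongoDB documentation or from the Atlas Kubernetes Operator project. It lints an AtlasFederatedAuth spec before you apply it and checks the status conditions the operator writes back, so that a misconfiguration is caught before it reaches the organization. Field names follow the manifest above; the policy choices (domain restriction on, SSO debugging off, no ORG_OWNER in postAuthRoleGrants, a GROUP_ role must name a project) are this example's own assumptions about a hardened configuration, and the sample spec and status dictionaries are constructed from the page's example.

```python
"""Lint an AtlasFederatedAuth spec and check the operator's status conditions.

Added example, not code from the MongoDB docs or the Atlas Kubernetes
Operator. Field names follow the manifest on the page; the policy checks
are this example's own assumptions about a hardened configuration.
"""
from __future__ import annotations


# Atlas role names: organization roles are prefixed ORG_, project (group)
# roles are prefixed GROUP_. A GROUP_ role is only meaningful with a project.
def _is_org_role(role: str) -> bool:
    return role.startswith("ORG_")


def _is_project_role(role: str) -> bool:
    return role.startswith("GROUP_")


def lint_spec(spec: dict) -> list[str]:
    """Return a list of findings; an empty list means the spec passes."""
    findings: list[str] = []
    if not spec.get("enabled", False):
        findings.append("spec.enabled is false: federated authentication stays off")
    if not spec.get("domainAllowList"):
        findings.append("domainAllowList is empty")
    if not spec.get("domainRestrictionEnabled", False):
        findings.append("domainRestrictionEnabled is false: users outside domainAllowList can join the org")
    if spec.get("ssoDebugEnabled", False):
        findings.append("ssoDebugEnabled is true: leave debugging off outside troubleshooting")

    # postAuthRoleGrants apply to every user who authenticates through the IdP,
    # so anything beyond a low-privilege org role is a policy finding (assumption).
    for role in spec.get("postAuthRoleGrants", []):
        if not _is_org_role(role):
            findings.append(f"postAuthRoleGrants: {role} is not an organization role")
        elif role == "ORG_OWNER":
            findings.append("postAuthRoleGrants: ORG_OWNER would make every federated user an org owner")

    seen_groups: set[str] = set()
    for i, mapping in enumerate(spec.get("roleMappings", [])):
        where = f"roleMappings[{i}]"
        group = mapping.get("externalGroupName")
        if not group:
            findings.append(f"{where}: externalGroupName is missing")
        elif group in seen_groups:
            findings.append(f"{where}: duplicate mapping for IdP group {group}")
        else:
            seen_groups.add(group)
        assignments = mapping.get("roleAssignments", [])
        if not assignments:
            # Mirrors the page's note: every mapping needs at least one role.
            findings.append(f"{where}: roleAssignments must contain at least one role")
        for j, assignment in enumerate(assignments):
            role = assignment.get("role", "")
            project = assignment.get("projectName")
            at = f"{where}.roleAssignments[{j}]"
            if _is_project_role(role) and not project:
                findings.append(f"{at}: {role} is a project role and needs projectName")
            elif _is_org_role(role) and project:
                findings.append(f"{at}: {role} is an organization role; projectName does not apply")
            elif not (_is_org_role(role) or _is_project_role(role)):
                findings.append(f"{at}: unknown role {role!r}")
    return findings


def is_ready(status: dict) -> bool:
    """True when Ready, RolesReady and UsersReady are all reported as "True"."""
    seen = {c.get("type"): str(c.get("status")) for c in status.get("conditions", [])}
    return all(seen.get(t) == "True" for t in ("Ready", "RolesReady", "UsersReady"))


# Constructed sample: the spec from the manifest on this page, as a dict.
SAMPLE_SPEC = {
    "enabled": True,
    "connectionSecretRef": {"name": "my-org-secret", "namespace": "mongodb-atlas-system"},
    "domainAllowList": ["my-org-domain.com"],
    "domainRestrictionEnabled": True,
    "ssoDebugEnabled": False,
    "postAuthRoleGrants": ["ORG_MEMBER"],
    "roleMappings": [
        {"externalGroupName": "org-admin", "roleAssignments": [{"role": "ORG_OWNER"}]},
        {"externalGroupName": "dev-team", "roleAssignments": [
            {"role": "ORG_GROUP_CREATOR"},
            {"projectName": "dev-project", "role": "GROUP_OWNER"},
        ]},
    ],
}

# Constructed sample of the status block the operator writes back.
SAMPLE_STATUS = {"conditions": [
    {"type": "Ready", "status": "True"},
    {"type": "RolesReady", "status": "True"},
    {"type": "UsersReady", "status": "True"},
]}

if __name__ == "__main__":
    for finding in lint_spec(SAMPLE_SPEC) or ["spec passes lint"]:
        print(finding)
    print("ready:", is_ready(SAMPLE_STATUS))
```

In practice you would load the spec from the manifest you are about to apply (for example with PyYAML, which is not used here so the block runs with the standard library only) and the status from `kubectl get atlasfederatedauth -n mongodb-atlas-system -o json`; the checks themselves are the same.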

To learn about the available parameters for this resource, see AtlasFederatedAuth Custom Resource.
