To connect to the Atlas Administration API, Atlas Kubernetes Operator reads the organization ID and credentials from Atlas Kubernetes Operator secrets. You can authenticate using API keys or Service Accounts. You can also configure the following features:
To learn more about creating an Atlas account, see Register and Log in to Atlas.
Atlas Kubernetes Operator Secrets
Depending on your configuration, Atlas Kubernetes Operator reads from one of the following Atlas Kubernetes Operator secrets:
Scope | Location | Description |
|---|---|---|
Global | Atlas Kubernetes Operator uses this secret data to connect to the Atlas Administration API unless the
The default name of the Atlas Kubernetes Operator deployment is | |
Project | Atlas Kubernetes Operator secret referenced with spec.connectionSecretRef.name in the By default, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the | Atlas Kubernetes Operator uses this secret data to connect to the Atlas Administration API for any If you do not specify spec.connectionSecretRef.name, Atlas Kubernetes Operator uses the Atlas Kubernetes Operator secrets per project allow for more granular access. You may want a single set of credentials to have access to a single Atlas project. |
Parameters
Both global and project secrets require the following information:
API keys:

| Parameter | Description |
|---|---|
| orgId | Unique 24-digit hexadecimal string used to identify your Atlas organization. |
| publicApiKey | Public part of the API key. |
| privateApiKey | Private part of the API key. |

Service Accounts:

| Parameter | Description |
|---|---|
| orgId | Unique 24-digit hexadecimal string used to identify your Atlas organization. |
| clientId | Client ID of the Service Account. |
| clientSecret | Client secret of the Service Account. You cannot retrieve this value after creation. |
To learn more about Service Accounts, see Configure Access to Atlas Using Service Accounts.
Prerequisites
Choose one of the following authentication methods:
You need the public API key, the private API key, and the organization ID to configure Atlas Kubernetes Operator access to Atlas.
If you want Atlas Kubernetes Operator to create a new Atlas project, Grant Programmatic Access to an Organization. If your organization requires an IP access list for the Atlas Administration API, you must also configure the API access list.
Important
You must assign the API key the Organization Project Creator organization role or higher.
If you want to work with an existing Atlas project, Add Project Access from a Project. If your organization requires an IP access list for the Atlas Administration API, you must also configure the API access list.
Important
You must assign the API key the Project Owner project role.
You need a Service Account with the appropriate roles and the organization ID to configure Atlas Kubernetes Operator access to Atlas.
If you want Atlas Kubernetes Operator to create a new Atlas project, create a Service Account with the Organization Project Creator role or higher.
If you want to work with an existing Atlas project, create a Service Account with the Project Owner role.
To learn how to create a Service Account, see Service Accounts Overview.
Procedure
To configure Atlas Kubernetes Operator access to Atlas, create a secret with your credentials. Choose the tab that matches your preferred authentication method:
API keys

For a global Atlas Kubernetes Operator secret, run the following commands:

Note

The name of the global Atlas Kubernetes Operator secret must conform to the predefined format. The default name of the Atlas Kubernetes Operator deployment is mongodb-atlas-operator, so the secret should be named mongodb-atlas-operator-api-key.

```sh
# Create the global credentials secret in the operator's namespace.
kubectl create secret generic mongodb-atlas-operator-api-key \
  --from-literal="orgId=<the_atlas_organization_id>" \
  --from-literal="publicApiKey=<the_atlas_api_public_key>" \
  --from-literal="privateApiKey=<the_atlas_api_private_key>" \
  -n <operator_namespace>

# Label the secret in the same namespace it was created in.
kubectl label secret mongodb-atlas-operator-api-key atlas.mongodb.com/type=credentials -n <operator_namespace>
```

For a project Atlas Kubernetes Operator secret, run the following commands:

```sh
# Create the project-scoped credentials secret.
kubectl create secret generic my-project-connection \
  --from-literal="orgId=<the_atlas_organization_id>" \
  --from-literal="publicApiKey=<the_atlas_api_public_key>" \
  --from-literal="privateApiKey=<the_atlas_api_private_key>" \
  -n <atlas_project_namespace>

# Label the secret so the operator treats it as credentials.
kubectl label secret my-project-connection atlas.mongodb.com/type=credentials -n <atlas_project_namespace>
```
Service Accounts

For a global Atlas Kubernetes Operator secret, run the following commands:

Note

The name of the global Atlas Kubernetes Operator secret must conform to the predefined format. The default name of the Atlas Kubernetes Operator deployment is mongodb-atlas-operator, so the secret should be named mongodb-atlas-operator-service-account.

```sh
# Create the global credentials secret in the operator's namespace.
kubectl create secret generic mongodb-atlas-operator-service-account \
  --from-literal="orgId=<the_atlas_organization_id>" \
  --from-literal="clientId=<the_service_account_client_id>" \
  --from-literal="clientSecret=<the_service_account_client_secret>" \
  -n <operator_namespace>

# Label the secret in the same namespace it was created in.
kubectl label secret mongodb-atlas-operator-service-account atlas.mongodb.com/type=credentials -n <operator_namespace>
```

For a project Atlas Kubernetes Operator secret, run the following commands:

```sh
# Create the project-scoped credentials secret.
kubectl create secret generic my-project-connection \
  --from-literal="orgId=<the_atlas_organization_id>" \
  --from-literal="clientId=<the_service_account_client_id>" \
  --from-literal="clientSecret=<the_service_account_client_secret>" \
  -n <atlas_project_namespace>

# Label the secret so the operator treats it as credentials.
kubectl label secret my-project-connection atlas.mongodb.com/type=credentials -n <atlas_project_namespace>
```
To learn more about configuring Service Accounts with Atlas Kubernetes Operator, see Configure Access to Atlas Using Service Accounts.
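The commands above pass the credentials as `--from-literal` arguments, which can leave them in shell history and the process list. The following added example (not from the Atlas Kubernetes Operator documentation or project) checks the inputs and creates the secret from a `KEY=value` file instead. The function names, the `apikey`/`serviceaccount` method labels and the env-file layout are assumptions, and the name suffixes are inferred from the two default names shown on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for an operator credentials secret, then
# creation from a 0600 env file instead of --from-literal arguments.
# Function names, the env-file layout and the method labels are assumptions.

# orgId must be a 24-digit hexadecimal string (see the Parameters table).
valid_org_id() {
  [ "${#1}" -eq 24 ] || return 1
  case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
}

# Global secret name = deployment name + suffix; the suffixes are inferred
# from the two default names shown on this page.
global_secret_name() {  # $1 = deployment name, $2 = apikey | serviceaccount
  case "$2" in
    apikey)         printf '%s-api-key\n' "$1" ;;
    serviceaccount) printf '%s-service-account\n' "$1" ;;
    *)              return 1 ;;
  esac
}

# Keys each authentication method stores in the secret.
required_keys() {  # $1 = apikey | serviceaccount
  case "$1" in
    apikey)         echo "orgId publicApiKey privateApiKey" ;;
    serviceaccount) echo "orgId clientId clientSecret" ;;
    *)              return 1 ;;
  esac
}

# Verify a KEY=value env file holds every required key and a well-formed orgId.
check_env_file() {  # $1 = apikey | serviceaccount, $2 = env file
  keys=$(required_keys "$1") || { echo "unknown method: $1" >&2; return 1; }
  for k in $keys; do
    grep -Eq "^$k=.+" "$2" || { echo "missing key: $k" >&2; return 1; }
  done
  valid_org_id "$(sed -n 's/^orgId=//p' "$2")" ||
    { echo "orgId is not 24 hex digits" >&2; return 1; }
}

# Create and label the secret in one namespace; nothing secret is on argv.
create_credentials_secret() {  # $1 = name, $2 = namespace, $3 = method, $4 = env file
  check_env_file "$3" "$4" || return 1
  kubectl create secret generic "$1" -n "$2" --from-env-file="$4" &&
    kubectl label secret "$1" -n "$2" atlas.mongodb.com/type=credentials
}
```

Write the env file with mode 0600 and delete it once the secret exists.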