Set Up Unified AWS Access
Overview
Some Atlas features, including Data Federation and Encryption at Rest, authenticate with AWS IAM roles. When Atlas accesses AWS services, assumes an IAM role.
You can set up an assumed IAM role for your Atlas account to use
with the Atlas Administration API or Atlas UI if you have the
Project Owner role. Atlas supports unified access only
for AWS.
Required Access
To set up unified AWS access, you must have
Organization Owner or Project Owner access to
the project.
Prerequisites
An Atlas account.
Procedure
Create a new AWS IAM role in Atlas.
To create an AWS IAM role using the Atlas CLI, run the following command:
atlas cloudProviders accessRoles aws create [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas cloudProviders accessRoles aws create.
Save the AtlasAWSAccountArn and AtlasAssumedRoleExternalId
field values returned by the command for use in the next step.
Modify your AWS IAM role trust policy.
Log in to your AWS Management Console.
Navigate to the Identity and Access Management (IAM) service.
Select Roles from the left-side navigation.
Click on the existing IAM role you wish to use for Atlas access from the list of roles.
Select the Trust Relationships tab.
Click the Edit trust relationship button.
Edit the Policy Document. Add a new
Statementobject with the following content.Note
Replace the highlighted lines with values returned in the previous step.
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "AWS":"<atlasAWSAccountArn>" }, "Action":"sts:AssumeRole", "Condition":{ "StringEquals":{ "sts:ExternalId":"<atlasAssumedRoleExternalId>" } } } ] } Click the Update Trust Policy button.
Authorize the new IAM role.
To authorize an AWS IAM role using the Atlas CLI, run the following command:
atlas cloudProviders accessRoles aws authorize <roleId> [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas cloudProviders accessRoles aws authorize.
If the command succeeds, you can use the RoleID value when
configuring Atlas services that use AWS.
Send a POST request to the cloudProviderAccess endpoint.
Use the API endpoint to create a new AWS IAM role. Atlas will use this role for authentication with your AWS account.
Keep the returned field values atlasAWSAccountArn and
atlasAssumedRoleExternalId handy for use in the next step.
Modify your AWS IAM role trust policy.
Log in to your AWS Management Console.
Navigate to the Identity and Access Management (IAM) service.
Select Roles from the left-side navigation.
Click on the existing IAM role you wish to use for Atlas access from the list of roles.
Select the Trust Relationships tab.
Click the Edit trust relationship button.
Edit the Policy Document. Add a new
Statementobject with the following content.Note
Replace the highlighted lines with values returned in the previous step.
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "AWS":"<atlasAWSAccountArn>" }, "Action":"sts:AssumeRole", "Condition":{ "StringEquals":{ "sts:ExternalId":"<atlasAssumedRoleExternalId>" } } } ] } Click the Update Trust Policy button.
Authorize the newly created IAM role.
Use the API
endpoint to authorize and configure the new IAM Assumed Role ARN.
If the API call is successful, you can use the roleId value when
configuring Atlas services that use AWS.
Begin the Setup Procedure for AWS IAM Access
In Atlas, go to the Project Integrations page.
Warning
Navigation Improvements In Progress
We're currently rolling out a new and improved navigation experience. If the following steps don't match your view in the Atlas UI, see the preview documentation.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Integrations.
The Project Integrations page displays.
Set up AWS IAM Access.
Click the Configure button in the AWS IAM Role Access panel.
Note
If you already have one or more roles configured, the button reads Edit.
Click the Authorize an AWS IAM Role button.
Read through the Overview instructions, then click Next.
If you'd like to create a new AWS IAM role for use with Atlas, use the Create New Role with the AWS CLI procedure. If you have an existing AWS IAM role you want to authorize for Atlas, use the Add Trust Relationships to an Existing Role procedure.
Create New Role with the AWS CLI
Click Create New Role with the AWS CLI to expand the next section.
Copy the JSON text and save it to a file named
role-trust-policy.json.Enter a name for your new AWS IAM role in the text box.
If you don't already have the AWS Command Line Interface (CLI) installed, see the documentation. If you do have the AWS CLI installed, proceed to the next step.
Copy the CLI command and enter it at the command prompt.
If successful, the CLI command returns a JSON document with information about the newly created AWS IAM role. Locate the field named Arn and copy it into the text box labelled Enter the Role ARN in the Atlas modal window.
Click Validate and Finish.
Add Trust Relationships to an Existing Role
Click Add Trust Relationships to an Existing Role to expand the next section.
Copy the JSON trust relationship text.
In your AWS web console, navigate to the Roles section of the IAM dashboard.
Click on the role you want to authorize.
Select the Trust relationships tab.
Click the Edit trust relationship button.
Replace the existing text with the JSON text you copied in step 2.
Click Update Trust Policy.
Copy the Role ARN and paste it in the Atlas modal window, in the text box labelled Enter the Role ARN.
Click Validate and Finish.
Resume an Authorization Procedure
If you cancel a procedure to authorize an AWS IAM role for use with Atlas, you can resume it where you left off.
In Atlas, go to the Project Integrations page.
Warning
Navigation Improvements In Progress
We're currently rolling out a new and improved navigation experience. If the following steps don't match your view in the Atlas UI, see the preview documentation.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Integrations.
The Project Integrations page displays.
Resume authorization.
Click the Configure button in the AWS IAM Role Access panel.
Note
If you already have one or more roles configured, the button reads Edit.
Any roles with an ongoing authorization procedure are listed with an
in progressstatus. Click the Resume button to resume the authorization process.To cancel an in-progress role authorization completely, click the Delete icon next to the in-progress role.
Deauthorize an Assumed IAM Role
You can deauthorize an existing AWS IAM role from your Atlas account with the Atlas Administration API or the Atlas UI.
Note
Be sure to remove any associated Atlas services from the IAM role before you deauthorize it.
To deauthorize an AWS IAM role using the Atlas CLI, run the following command:
atlas cloudProviders accessRoles aws deauthorize <roleId> [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas cloudProviders accessRoles aws deauthorize.
Use the DELETE API endpoint described in the
API documentation.
In Atlas, go to the Project Integrations page.
Warning
Navigation Improvements In Progress
We're currently rolling out a new and improved navigation experience. If the following steps don't match your view in the Atlas UI, see the preview documentation.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Integrations.
The Project Integrations page displays.
Manage AWS IAM Roles
To authorize an AWS IAM role using the Atlas CLI, run the following command:
atlas cloudProviders accessRoles aws authorize <roleId> [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas cloudProviders accessRoles aws authorize.
You can manage AWS IAM roles using the API.
To navigate to the Atlas AWS IAM Role Access screen:
In Atlas, go to the Project Integrations page.
Warning
Navigation Improvements In Progress
We're currently rolling out a new and improved navigation experience. If the following steps don't match your view in the Atlas UI, see the preview documentation.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Integrations.
The Project Integrations page displays.
Configure the Atlas AWS IAM Role Access.
Click the Configure button in the AWS IAM Role Access panel.
Note
If you already have one or more roles configured, the button reads Edit.
You can perform the following actions from the Atlas AWS IAM Role Access screen:
View the list of authorized AWS IAM roles.
The list of roles displays the role's ARN, its time of creation, and any Atlas services configured to use the role.
Authorize an AWS IAM role.
Click the Authorize an AWS IAM Role button.
Note
If you have an authorization in progress, the associated role has a Resume button next to it.
For detailed instructions, see Set Up Unified AWS Access.
Deauthorize an AWS IAM role.
Click the Delete button next to the role.
Note
Be sure to remove any associated Atlas services from the IAM role before you deauthorize it.
View the details of an AWS IAM role.
Click the ellipsis (...) icon next to the role and select View Role Details.