Docs Menu
Docs Home
/
MongoDB Atlas
/ /

Set Up Unified AWS Access

On this page

  • Overview
  • Required Access
  • Prerequisites
  • Procedure
  • Manage AWS IAM Roles

Some Atlas features, including Data Federation and Encryption at Rest, authenticate with AWS IAM roles. When Atlas accesses AWS services, assumes an IAM role.

You can set up an assumed IAM role for your Atlas account to use with the Atlas Administration API or Atlas UI if you have the Project Owner role. Atlas supports unified access only for AWS.

To set up unified AWS access, you must have Organization Owner or Project Owner access to the project.

1

To create an AWS IAM role using the Atlas CLI, run the following command:

atlas cloudProviders accessRoles aws create [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas cloudProviders accessRoles aws create.

Tip

See: Related Links

Save the AtlasAWSAccountArn and AtlasAssumedRoleExternalId field values returned by the command for use in the next step.

2
  1. Log in to your AWS Management Console.

  2. Navigate to the Identity and Access Management (IAM) service.

  3. Select Roles from the left-side navigation.

  4. Click on the existing IAM role you wish to use for Atlas access from the list of roles.

  5. Select the Trust Relationships tab.

  6. Click the Edit trust relationship button.

  7. Edit the Policy Document. Add a new Statement object with the following content.

    Note

    Replace the highlighted lines with values returned in the previous step.

    {
    "Version":"2012-10-17",
    "Statement":[
    {
    "Effect":"Allow",
    "Principal":{
    "AWS":"<atlasAWSAccountArn>"
    },
    "Action":"sts:AssumeRole",
    "Condition":{
    "StringEquals":{
    "sts:ExternalId":"<atlasAssumedRoleExternalId>"
    }
    }
    }
    ]
    }
  8. Click the Update Trust Policy button.

3

To authorize an AWS IAM role using the Atlas CLI, run the following command:

atlas cloudProviders accessRoles aws authorize <roleId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas cloudProviders accessRoles aws authorize.

If the command succeeds, you can use the RoleID value when configuring Atlas services that use AWS.

1

Use the API endpoint to create a new AWS IAM role. Atlas will use this role for authentication with your AWS account.

Keep the returned field values atlasAWSAccountArn and atlasAssumedRoleExternalId handy for use in the next step.

2
  1. Log in to your AWS Management Console.

  2. Navigate to the Identity and Access Management (IAM) service.

  3. Select Roles from the left-side navigation.

  4. Click on the existing IAM role you wish to use for Atlas access from the list of roles.

  5. Select the Trust Relationships tab.

  6. Click the Edit trust relationship button.

  7. Edit the Policy Document. Add a new Statement object with the following content.

    Note

    Replace the highlighted lines with values returned in the previous step.

    {
    "Version":"2012-10-17",
    "Statement":[
    {
    "Effect":"Allow",
    "Principal":{
    "AWS":"<atlasAWSAccountArn>"
    },
    "Action":"sts:AssumeRole",
    "Condition":{
    "StringEquals":{
    "sts:ExternalId":"<atlasAssumedRoleExternalId>"
    }
    }
    }
    ]
    }
  8. Click the Update Trust Policy button.

3

Use the API endpoint to authorize and configure the new IAM Assumed Role ARN. If the API call is successful, you can use the roleId value when configuring Atlas services that use AWS.

1
  1. If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. Next to the Projects menu, expand the Options menu, then click Integrations.

    The Project Integrations page displays.

2
  1. Click the Configure button in the AWS IAM Role Access panel.

    Note

    If you already have one or more roles configured, the button reads Edit.

  2. Click the Authorize an AWS IAM Role button.

  3. Read through the Overview instructions, then click Next.

  4. If you'd like to create a new AWS IAM role for use with Atlas, use the Create New Role with the AWS CLI procedure. If you have an existing AWS IAM role you want to authorize for Atlas, use the Add Trust Relationships to an Existing Role procedure.

  1. Click Create New Role with the AWS CLI to expand the next section.

  2. Copy the JSON text and save it to a file named role-trust-policy.json.

  3. Enter a name for your new AWS IAM role in the text box.

  4. If you don't already have the AWS Command Line Interface (CLI) installed, see the documentation. If you do have the AWS CLI installed, proceed to the next step.

  5. Copy the CLI command and enter it at the command prompt.

  6. If successful, the CLI command returns a JSON document with information about the newly created AWS IAM role. Locate the field named Arn and copy it into the text box labelled Enter the Role ARN in the Atlas modal window.

  7. Click Validate and Finish.

  1. Click Add Trust Relationships to an Existing Role to expand the next section.

  2. Copy the JSON trust relationship text.

  3. In your AWS web console, navigate to the Roles section of the IAM dashboard.

  4. Click on the role you want to authorize.

  5. Select the Trust relationships tab.

  6. Click the Edit trust relationship button.

  7. Replace the existing text with the JSON text you copied in step 2.

  8. Click Update Trust Policy.

  9. Copy the Role ARN and paste it in the Atlas modal window, in the text box labelled Enter the Role ARN.

  10. Click Validate and Finish.

If you cancel a procedure to authorize an AWS IAM role for use with Atlas, you can resume it where you left off.

1
  1. If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. Next to the Projects menu, expand the Options menu, then click Integrations.

    The Project Integrations page displays.

2
  1. Click the Configure button in the AWS IAM Role Access panel.

    Note

    If you already have one or more roles configured, the button reads Edit.

  2. Any roles with an ongoing authorization procedure are listed with an in progress status. Click the Resume button to resume the authorization process.

    To cancel an in-progress role authorization completely, click the Delete icon next to the in-progress role.

You can deauthorize an existing AWS IAM role from your Atlas account with the Atlas Administration API or the Atlas UI.

Note

Be sure to remove any associated Atlas services from the IAM role before you deauthorize it.

To deauthorize an AWS IAM role using the Atlas CLI, run the following command:

atlas cloudProviders accessRoles aws deauthorize <roleId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas cloudProviders accessRoles aws deauthorize.

Use the DELETE API endpoint described in the API documentation.

1
  1. If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. Next to the Projects menu, expand the Options menu, then click Integrations.

    The Project Integrations page displays.

2
  1. Click the Edit button in the AWS IAM Role Access panel.

  2. Click the Delete button next to the IAM role you want to deauthorize.

To authorize an AWS IAM role using the Atlas CLI, run the following command:

atlas cloudProviders accessRoles aws authorize <roleId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas cloudProviders accessRoles aws authorize.

You can manage AWS IAM roles using the API.

To navigate to the Atlas AWS IAM Role Access screen:

1
  1. If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. Next to the Projects menu, expand the Options menu, then click Integrations.

    The Project Integrations page displays.

2

Click the Configure button in the AWS IAM Role Access panel.

Note

If you already have one or more roles configured, the button reads Edit.

You can perform the following actions from the Atlas AWS IAM Role Access screen:

  • View the list of authorized AWS IAM roles.

    The list of roles displays the role's ARN, its time of creation, and any Atlas services configured to use the role.

  • Authorize an AWS IAM role.

    Click the Authorize an AWS IAM Role button.

    Note

    If you have an authorization in progress, the associated role has a Resume button next to it.

    For detailed instructions, see Set Up Unified AWS Access.

  • Deauthorize an AWS IAM role.

    Click the Delete button next to the role.

    Note

    Be sure to remove any associated Atlas services from the IAM role before you deauthorize it.

  • View the details of an AWS IAM role.

    Click the ellipsis (...) icon next to the role and select View Role Details.

Back

Cloud Provider Access