Starting in 1.8.1, you can use mongosync with Atlas Workload
Identity Federation to authenticate connections to
MongoDB clusters running on Microsoft Azure and Google Cloud Platform.
Examples
This section shows mongosync examples that use Workload Identity
Federation.
In the connection string, set
authMechanism to MONGODB-OIDC and set
authMechanismProperties as needed:
- For Microsoft Azure, set authMechanismProperties to ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>. Note: Omit TOKEN_RESOURCE if using Microsoft Azure Kubernetes Service (AKS).
- For Google Cloud Platform, set authMechanismProperties to ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>.

Replace <audience> with the application or service that the access
token is intended for. For more details, see Identity Provider
Fields.
For details about connection string options, see Authentication Options.
Connect to MongoDB Clusters Using Microsoft Azure Instance Metadata Service
The following mongosync example connects to MongoDB clusters using
Microsoft Azure Instance Metadata Service (IMDS):
```sh
./bin/mongosync \
  --logPath /var/log/mongosync \
  --cluster0 "mongodb://clusterOne01.fancyCorp.com:20020,clusterOne02.fancyCorp.com:20020,clusterOne03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:https://www.example.com" \
  --cluster1 "mongodb://clusterTwo01.fancyCorp.com:20020,clusterTwo02.fancyCorp.com:20020,clusterTwo03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:https://www.example.com"
```
Connect to MongoDB Clusters Using Microsoft Azure Kubernetes Service
To connect to MongoDB clusters using Microsoft Azure Kubernetes Service, define these environment variables:
| Environment Variable | Description |
|---|---|
| AZURE_TENANT_ID | Azure tenant identifier. |
| AZURE_APP_CLIENT_ID | Azure application client identifier. |
| AZURE_CLIENT_ID | Azure client identifier of the managed identity to authenticate with. |
| AZURE_FEDERATED_TOKEN_FILE | Azure federated token file path. |
For details about Azure and the variables, see the Microsoft Azure documentation.
The following mongosync example defines the environment variables
and connects to MongoDB clusters:
```sh
AZURE_TENANT_ID=08206ab8-16a0-406d-85e4-2f15f5620fac \
AZURE_APP_CLIENT_ID=b6c835da-e536-425b-9405-64bc471e245b \
AZURE_CLIENT_ID=f176d4eb-7dcd-4f66-bccf-aaa316ee61fd \
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token \
./bin/mongosync \
  --logPath /var/log/mongosync \
  --cluster0 "mongodb://clusterOne01.fancyCorp.com:20020,clusterOne02.fancyCorp.com:20020,clusterOne03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure" \
  --cluster1 "mongodb://clusterTwo01.fancyCorp.com:20020,clusterTwo02.fancyCorp.com:20020,clusterTwo03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure"
```
TOKEN_RESOURCE isn't required for this example.
Connect to MongoDB Clusters in Google Cloud Platform
The following mongosync example connects to MongoDB clusters in
Google Cloud Platform:
```sh
./bin/mongosync \
  --logPath /var/log/mongosync \
  --cluster0 "mongodb://clusterOne01.fancyCorp.com:20020,clusterOne02.fancyCorp.com:20020,clusterOne03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:https://www.example.com" \
  --cluster1 "mongodb://clusterTwo01.fancyCorp.com:20020,clusterTwo02.fancyCorp.com:20020,clusterTwo03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:https://www.example.com"
```
No environment variables are required for Google Cloud Platform.
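
The wrapper below is an added example, not part of the mongosync documentation or tooling. It builds the MONGODB-OIDC connection string according to the TOKEN_RESOURCE rules above and checks the AKS environment variables before mongosync is launched. The function names oidc_uri and aks_preflight and the mode label "aks" are hypothetical.

```shell
#!/bin/sh
# Added example (not from the mongosync docs): preflight helpers for
# Workload Identity Federation connection strings.

# oidc_uri <hosts> <azure|aks|gcp> [audience]
# "aks" is a hypothetical label for Azure Kubernetes Service, where the page
# says TOKEN_RESOURCE must be omitted and ENVIRONMENT stays "azure".
oidc_uri() {
    hosts=$1
    mode=$2
    audience=${3:-}
    case $mode in
        azure|gcp)
            # IMDS on Azure and GCP both need the token audience.
            [ -n "$audience" ] || { echo "TOKEN_RESOURCE is required for $mode" >&2; return 2; }
            props="ENVIRONMENT:$mode,TOKEN_RESOURCE:$audience"
            ;;
        aks)
            [ -z "$audience" ] || { echo "omit TOKEN_RESOURCE on AKS" >&2; return 2; }
            props="ENVIRONMENT:azure"
            ;;
        *)
            echo "unknown environment: $mode" >&2
            return 2
            ;;
    esac
    printf 'mongodb://%s/?authMechanism=MONGODB-OIDC&authMechanismProperties=%s\n' \
        "$hosts" "$props"
}

# aks_preflight: succeed only if the four variables from the AKS table are
# set and the federated token file exists, is non-empty, and is readable.
aks_preflight() {
    for v in AZURE_TENANT_ID AZURE_APP_CLIENT_ID AZURE_CLIENT_ID AZURE_FEDERATED_TOKEN_FILE; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing $v" >&2; return 1; }
    done
    [ -s "$AZURE_FEDERATED_TOKEN_FILE" ] && [ -r "$AZURE_FEDERATED_TOKEN_FILE" ] || {
        echo "federated token file is missing, empty, or unreadable" >&2
        return 1
    }
}

# Usage on AKS (hosts are the page's sample values):
#   aks_preflight && ./bin/mongosync --logPath /var/log/mongosync \
#     --cluster0 "$(oidc_uri clusterOne01.fancyCorp.com:20020 aks)" \
#     --cluster1 "$(oidc_uri clusterTwo01.fancyCorp.com:20020 aks)"
```

Failing before launch keeps a misconfigured pod from starting a sync that can only fail at authentication time.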