Overview
You can configure the MongoDB Agent, including Automation, Monitoring, and Backup, to authenticate to MongoDB deployments using OIDC Workload Identity Federation. With OIDC, the agent uses short-lived tokens from an Identity Provider (IdP) instead of long-lived database credentials. The agent automatically refreshes these tokens before they expire.
This tutorial describes how to:
Enable OIDC authentication for your MongoDB deployment in Ops Manager.
Register an OIDC IdP configuration.
Configure the MongoDB Agent to use the OIDC connection.
Considerations
Irreversible authentication method
After you configure the MongoDB Agent for Workload Federation, you can't revert to Local Authentication.
Token refresh
The MongoDB Agent automatically refreshes OIDC tokens before they expire. Token lifetimes depend on your IdP configuration and typically range from 5 to 60 minutes.
Shared agent configuration
The OIDC configuration applies to all agent functions: Automation, Monitoring, and Backup. You don't configure each function individually.
Prerequisites
Before you configure the MongoDB Agent for OIDC authentication, enable OIDC Workload Identity Federation for your MongoDB deployment. To learn more, see Set up Workload Identity Federation with OAuth 2.0.
Procedure
To configure OIDC authentication for the MongoDB Agent:
Navigate to the Security settings.
In Ops Manager, go to your project. In the left navigation, click Deployment, click Security, then select the Settings tab.
Note
If you have not configured security for your project, a banner prompts you to set up network encryption, authentication, and authorization. Click Get Started to access the settings.
Add an OIDC Identity Provider configuration.
In the OIDC Connection and Authorization section, click + OIDC IdP Configuration.
In the OIDC Protocol Settings window, select Workload Identity Federation.
Enter the IdP details:
Field | Description
Configuration Name | Prefix that identifies this IdP configuration in Ops Manager.
Issuer URI | URI of the IdP that issues access tokens.
Audience | Must match the aud claim in the JWT that your IdP issues.
Authorization Method | Select User ID or Group Membership, based on your IdP setup.
Customize User Claim | Claim that identifies the user. Defaults to sub.
Click Save Configuration.
Configure the agent connection to the deployment.
In the MongoDB Agent Connections to Deployment section, select Workload Federation.
Important
After you deploy with Workload Federation, you cannot revert the MongoDB Agent to Local Authentication.
Enter the agent authentication details:
Field | Description
OIDC IdP Configuration | IdP configuration the MongoDB Agent uses to authenticate. Select the configuration you created in the previous step.
User Identifier | User principal claim value. Ops Manager creates the MongoDB user as [configuration name]/[user identifier].
Authentication Method | Authentication method for the agent's IdP connection. Select Client Credentials for standard IdP integrations such as Okta, or Built-in for cloud-native workload identities on Azure or GCP.
Client ID | OAuth 2.0 client ID assigned to the agent. Required when using Client Credentials.
Client Secret | OAuth 2.0 client secret assigned to the agent. Required when using Client Credentials.
Tip
If your IdP uses a cloud-native workload identity such as Azure or GCP, select Built-in. You do not need to provide a Client ID or Client Secret.
Click Save Settings.
Review and deploy the changes.
In the Review Your Changes modal, review the deployment diff. Confirm that the diff shows Auth Mechanisms: MONGODB-OIDC and the Workload Federation details under Auth.
Confirm the deployment.
After Ops Manager applies the changes, the MongoDB Agent automatically receives the updated configuration and fetches its initial OIDC tokens from the IdP. The agent transitions to OIDC authentication without a restart.
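A preflight check for the settings entered in the steps above, added here as an example and not part of this tutorial or of the MongoDB Agent: it decodes a token your IdP issued (without verifying its signature) and compares iss, aud, the user claim and exp against the Issuer URI, Audience, Customize User Claim and User Identifier fields, then shows the [configuration name]/[user identifier] user that Ops Manager creates. Every configuration value and the token itself are constructed placeholders.

```python
import base64
import json
import time

IDP_CONFIG = {  # constructed values mirroring the Ops Manager fields above
    "configuration_name": "okta-agents",                     # Configuration Name
    "issuer_uri": "https://idp.example.com/oauth2/default",  # Issuer URI
    "audience": "ops-manager-agent",                         # Audience (must equal aud)
    "user_claim": "sub",                                     # Customize User Claim
}
AGENT_USER_IDENTIFIER = "mongodb-agent@example.com"          # User Identifier

def build_unsigned_token(claims: dict) -> str:
    """Constructed JWT with a placeholder signature, for this preflight only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

def decode_jwt_payload(token: str) -> dict:
    """Return JWT claims WITHOUT verifying the signature; mongod verifies it against the IdP keys at login."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_agent_token(token: str, config: dict, user_identifier: str, now=None) -> list:
    """Return a list of mismatches between the token and the configuration (empty list = accepted)."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != config["issuer_uri"]:
        problems.append(f"iss {claims.get('iss')!r} does not match Issuer URI")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if config["audience"] not in aud:
        problems.append(f"aud {aud!r} does not contain Audience {config['audience']!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired; the agent should have refreshed it")
    principal = claims.get(config["user_claim"])
    if principal is None:
        problems.append(f"user claim {config['user_claim']!r} is missing from the token")
    elif principal != user_identifier:
        problems.append(f"{config['user_claim']}={principal!r} does not match User Identifier")
    return problems

def mongodb_user_name(config: dict, user_identifier: str) -> str:
    """User that Ops Manager creates: [configuration name]/[user identifier]."""
    return f"{config['configuration_name']}/{user_identifier}"
```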
Rotate agent credentials with zero downtime
To rotate the agent's OIDC client secret without restarting the MongoDB Agent: