Grants access to the specified project for the specified access role. To use this resource, the requesting Service Account or API Key must have the Project Owner role. This API endpoint is one step in a procedure to create unified access for MongoDB Cloud services. This is not required for GCP service account access.
Unique 24-hexadecimal digit string that identifies your project. Use the /groups endpoint to retrieve all projects to which the authenticated user has access.
NOTE: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.
Format should match the following pattern: ^([a-f0-9]{24})$.
Unique 24-hexadecimal digit string that identifies the role.
Format should match the following pattern: ^([a-f0-9]{24})$.
Flag that indicates whether Application wraps the response in an envelope JSON object. Some API clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query. Endpoints that return a list of results use the results object as an envelope. Application adds the status parameter to the response body.
Default value is false.
Flag that indicates whether the response body should be in the prettyprint format.
Default value is false.
Grants access to the specified project for the specified access role.
Details that describe the features linked to the Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Human-readable label that identifies the cloud provider of the role.
Value is AWS.
Amazon Resource Name (ARN) that identifies the Amazon Web Services (AWS) Identity and Access Management (IAM) role that MongoDB Cloud assumes when it accesses resources in your AWS account.
Minimum length is 20, maximum length is 2048.
Details that describe the features linked to the Azure Service Principal.
Human-readable label that identifies the cloud provider of the role.
Value is AZURE.
Azure Active Directory Application ID of Atlas. This field is optional and will be derived from the Azure subscription if not provided.
UUID string that identifies the Azure Service Principal.
UUID String that identifies the Azure Active Directory Tenant ID.
OK
Details that describe the features linked to the Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Human-readable label that identifies the cloud provider of the role.
Amazon Resource Name that identifies the Amazon Web Services (AWS) user account that MongoDB Cloud uses when it assumes the Identity and Access Management (IAM) role.
Minimum length is 20, maximum length is 2048.
Unique external ID that MongoDB Cloud uses when it assumes the IAM role in your Amazon Web Services (AWS) account.
Date and time when someone authorized this role for the specified cloud service provider. This parameter expresses its value in the ISO 8601 timestamp format in UTC.
Date and time when someone created this role for the specified cloud service provider. This parameter expresses its value in the ISO 8601 timestamp format in UTC.
List that contains application features associated with this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Details that describe the Atlas Data Lakes linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is ATLAS_DATA_LAKE.
Identifying characteristics about the data lake linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Details that describe the Atlas log integration linked to this cloud provider access role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is ATLAS_LOG_INTEGRATION.
Identifying characteristics about the Atlas log integration linked to this cloud provider access role.
Unique 24-hexadecimal digit string that identifies the Atlas log integration configuration.
Format should match the following pattern: ^([a-f0-9]{24})$.
Unique 24-hexadecimal digit string that identifies your project.
Format should match the following pattern: ^([a-f0-9]{24})$.
Human-readable label that identifies the sink, such as an S3/GCS bucket or Azure container name.
Details that describe the Key Management Service (KMS) linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is ENCRYPTION_AT_REST.
Object that contains the identifying characteristics of the Amazon Web Services (AWS) Key Management Service (KMS). This field always returns a null value.
Details that describe the Amazon Web Services (AWS) Simple Storage Service (S3) export buckets linked to this AWS Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is EXPORT_SNAPSHOT.
Identifying characteristics about the Amazon Web Services (AWS) Simple Storage Service (S3) export bucket linked to this AWS Identity and Access Management (IAM) role.
Unique 24-hexadecimal digit string that identifies the AWS S3 bucket to which you export your snapshots.
Format should match the following pattern: ^([a-f0-9]{24})$.
Unique 24-hexadecimal digit string that identifies your project.
Format should match the following pattern: ^([a-f0-9]{24})$.
Details that describe the Amazon Web Services (AWS) Simple Storage Service (S3) export buckets linked to this AWS Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is PUSH_BASED_LOG_EXPORT.
Identifying characteristics about the Amazon Web Services (AWS) Simple Storage Service (S3) export bucket linked to this AWS Identity and Access Management (IAM) role.
Amazon Resource Name (ARN) that identifies the Amazon Web Services (AWS) Identity and Access Management (IAM) role that MongoDB Cloud assumes when it accesses resources in your AWS account.
Minimum length is 20, maximum length is 2048.
Unique 24-hexadecimal digit string that identifies the role.
Format should match the following pattern: ^([a-f0-9]{24})$.
Details that describe the features linked to the Azure Service Principal.
Human-readable label that identifies the cloud provider of the role.
Value is AZURE.
Unique 24-hexadecimal digit string that identifies the role.
Format should match the following pattern: ^([a-f0-9]{24})$.
Azure Active Directory Application ID of Atlas. This field is optional and will be derived from the Azure subscription if not provided.
Date and time when this Azure Service Principal was created. This parameter expresses its value in the ISO 8601 timestamp format in UTC.
List that contains application features associated with this Azure Service Principal.
Details that describe the Atlas Data Lakes linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is ATLAS_DATA_LAKE.
Identifying characteristics about the data lake linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Details that describe the Atlas log integration linked to this cloud provider access role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is ATLAS_LOG_INTEGRATION.
Identifying characteristics about the Atlas log integration linked to this cloud provider access role.
Unique 24-hexadecimal digit string that identifies the Atlas log integration configuration.
Format should match the following pattern: ^([a-f0-9]{24})$.
Unique 24-hexadecimal digit string that identifies your project.
Format should match the following pattern: ^([a-f0-9]{24})$.
Human-readable label that identifies the sink, such as an S3/GCS bucket or Azure container name.
Details that describe the Key Management Service (KMS) linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is ENCRYPTION_AT_REST.
Object that contains the identifying characteristics of the Amazon Web Services (AWS) Key Management Service (KMS). This field always returns a null value.
Details that describe the Amazon Web Services (AWS) Simple Storage Service (S3) export buckets linked to this AWS Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is EXPORT_SNAPSHOT.
Identifying characteristics about the Amazon Web Services (AWS) Simple Storage Service (S3) export bucket linked to this AWS Identity and Access Management (IAM) role.
Unique 24-hexadecimal digit string that identifies the AWS S3 bucket to which you export your snapshots.
Format should match the following pattern: ^([a-f0-9]{24})$.
Unique 24-hexadecimal digit string that identifies your project.
Format should match the following pattern: ^([a-f0-9]{24})$.
Details that describe the Amazon Web Services (AWS) Simple Storage Service (S3) export buckets linked to this AWS Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is PUSH_BASED_LOG_EXPORT.
Identifying characteristics about the Amazon Web Services (AWS) Simple Storage Service (S3) export bucket linked to this AWS Identity and Access Management (IAM) role.
Date and time when this Azure Service Principal was last updated. This parameter expresses its value in the ISO 8601 timestamp format in UTC.
UUID string that identifies the Azure Service Principal.
UUID String that identifies the Azure Active Directory Tenant ID.
Details that describe the features linked to the GCP Service Account.
Human-readable label that identifies the cloud provider of the role.
Value is GCP.
Date and time when this Google Service Account was created. This parameter expresses its value in the ISO 8601 timestamp format in UTC.
List that contains application features associated with this Google Service Account.
Details that describe the Atlas Data Lakes linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is ATLAS_DATA_LAKE.
Identifying characteristics about the data lake linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Details that describe the Atlas log integration linked to this cloud provider access role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is ATLAS_LOG_INTEGRATION.
Identifying characteristics about the Atlas log integration linked to this cloud provider access role.
Unique 24-hexadecimal digit string that identifies the Atlas log integration configuration.
Format should match the following pattern: ^([a-f0-9]{24})$.
Unique 24-hexadecimal digit string that identifies your project.
Format should match the following pattern: ^([a-f0-9]{24})$.
Human-readable label that identifies the sink, such as an S3/GCS bucket or Azure container name.
Details that describe the Key Management Service (KMS) linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is ENCRYPTION_AT_REST.
Object that contains the identifying characteristics of the Amazon Web Services (AWS) Key Management Service (KMS). This field always returns a null value.
Details that describe the Amazon Web Services (AWS) Simple Storage Service (S3) export buckets linked to this AWS Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is EXPORT_SNAPSHOT.
Identifying characteristics about the Amazon Web Services (AWS) Simple Storage Service (S3) export bucket linked to this AWS Identity and Access Management (IAM) role.
Unique 24-hexadecimal digit string that identifies the AWS S3 bucket to which you export your snapshots.
Format should match the following pattern: ^([a-f0-9]{24})$.
Unique 24-hexadecimal digit string that identifies your project.
Format should match the following pattern: ^([a-f0-9]{24})$.
Details that describe the Amazon Web Services (AWS) Simple Storage Service (S3) export buckets linked to this AWS Identity and Access Management (IAM) role.
Human-readable label that describes one MongoDB Cloud feature linked to this Amazon Web Services (AWS) Identity and Access Management (IAM) role.
Value is PUSH_BASED_LOG_EXPORT.
Identifying characteristics about the Amazon Web Services (AWS) Simple Storage Service (S3) export bucket linked to this AWS Identity and Access Management (IAM) role.
Email address for the Google Service Account created by Atlas.
Format should match the following pattern: ^mongodb-atlas-[0-9a-z]{16}@p-[0-9a-z]{24}.iam.gserviceaccount.com$.
Unique 24-hexadecimal digit string that identifies the role.
Format should match the following pattern: ^([a-f0-9]{24})$.
Provision status of the service account.
Values are IN_PROGRESS, COMPLETE, FAILED, or NOT_INITIATED.
Bad Request.
Bad request detail.
Describes the specific conditions or reasons that cause each type of error.
HTTP status code returned with this error.
Application error code returned with this error.
Parameters used to give more information about the error.
Application error message returned with this error.
Unauthorized.
Bad request detail.
Describes the specific conditions or reasons that cause each type of error.
HTTP status code returned with this error.
Application error code returned with this error.
Parameters used to give more information about the error.
Application error message returned with this error.
Forbidden.
Bad request detail.
Describes the specific conditions or reasons that cause each type of error.
HTTP status code returned with this error.
Application error code returned with this error.
Parameters used to give more information about the error.
Application error message returned with this error.
Not Found.
Bad request detail.
Describes the specific conditions or reasons that cause each type of error.
HTTP status code returned with this error.
Application error code returned with this error.
Parameters used to give more information about the error.
Application error message returned with this error.
Conflict.
Bad request detail.
Describes the specific conditions or reasons that cause each type of error.
HTTP status code returned with this error.
Application error code returned with this error.
Parameters used to give more information about the error.
Application error message returned with this error.
Too Many Requests.
The maximum number of requests that a user can make within a specific time window.
The number of requests remaining in the current rate limit window before the limit is reached.
The minimum time you should wait, in seconds, before retrying the API request. This header might be returned for 429 or 503 error responses.
Bad request detail.
Describes the specific conditions or reasons that cause each type of error.
HTTP status code returned with this error.
Application error code returned with this error.
Parameters used to give more information about the error.
Application error message returned with this error.
Internal Server Error.
Bad request detail.
Describes the specific conditions or reasons that cause each type of error.
HTTP status code returned with this error.
Application error code returned with this error.
Parameters used to give more information about the error.
Application error message returned with this error.
atlas api cloudProviderAccess authorizeProviderAccessRole --helpimport (
"os"
"context"
"log"
sdk "go.mongodb.org/atlas-sdk/v20240530001/admin"
)
func main() {
ctx := context.Background()
clientID := os.Getenv("MONGODB_ATLAS_CLIENT_ID")
clientSecret := os.Getenv("MONGODB_ATLAS_CLIENT_SECRET")
// See https://dochub.mongodb.org/core/atlas-go-sdk-oauth
client, err := sdk.NewClient(sdk.UseOAuthAuth(clientID, clientSecret))
if err != nil {
log.Fatalf("Error: %v", err)
}
params = &sdk.AuthorizeGroupCloudProviderAccessRoleApiParams{}
sdkResp, httpResp, err := client.CloudProviderAccessApi.
AuthorizeGroupCloudProviderAccessRoleWithParams(ctx, params).
Execute()
}
curl --include --header "Authorization: Bearer ${ACCESS_TOKEN}" \
--header "Accept: application/vnd.atlas.2024-05-30+json" \
--header "Content-Type: application/json" \
-X PATCH "https://cloud.mongodb.com/api/atlas/v2/groups/{groupId}/cloudProviderAccess/{roleId}" \
-d '{ <Payload> }'curl --user "${PUBLIC_KEY}:${PRIVATE_KEY}" \
--digest --include \
--header "Accept: application/vnd.atlas.2024-05-30+json" \
--header "Content-Type: application/json" \
-X PATCH "https://cloud.mongodb.com/api/atlas/v2/groups/{groupId}/cloudProviderAccess/{roleId}" \
-d '{ <Payload> }'{
"providerName": "AWS",
"iamAssumedRoleArn": "arn:aws:iam::123456789012:root"
}{
"providerName": "AZURE",
"atlasAzureAppId": "string",
"servicePrincipalId": "string",
"tenantId": "string"
}{
"providerName": "GCP"
}# Headers
# Payload
{
"providerName": "string",
"atlasAWSAccountArn": "arn:aws:iam::772401394250:role/my-test-aws-role",
"atlasAssumedRoleExternalId": "string",
"authorizedDate": "2026-05-04T09:42:00Z",
"createdDate": "2026-05-04T09:42:00Z",
"featureUsages": [
{
"featureType": "ATLAS_DATA_LAKE",
"featureId": {
"groupId": "32b6e34b3d91647abb20e7b8",
"name": "string"
}
}
],
"iamAssumedRoleArn": "arn:aws:iam::123456789012:root",
"roleId": "32b6e34b3d91647abb20e7b8"
}# Headers
# Payload
{
"providerName": "AZURE",
"_id": "32b6e34b3d91647abb20e7b8",
"atlasAzureAppId": "string",
"createdDate": "2026-05-04T09:42:00Z",
"featureUsages": [
{
"featureType": "ATLAS_DATA_LAKE",
"featureId": {
"groupId": "32b6e34b3d91647abb20e7b8",
"name": "string"
}
}
],
"lastUpdatedDate": "2026-05-04T09:42:00Z",
"servicePrincipalId": "string",
"tenantId": "string"
}# Headers
# Payload
{
"providerName": "GCP",
"createdDate": "2026-05-04T09:42:00Z",
"featureUsages": [
{
"featureType": "ATLAS_DATA_LAKE",
"featureId": {
"groupId": "32b6e34b3d91647abb20e7b8",
"name": "string"
}
}
],
"gcpServiceAccountForAtlas": "string",
"roleId": "32b6e34b3d91647abb20e7b8",
"status": "IN_PROGRESS"
}{
"detail": "(This is just an example, the exception may not be related to this endpoint) No provider AWS exists.",
"error": 400,
"errorCode": "VALIDATION_ERROR",
"reason": "Bad Request"
}{
"detail": "(This is just an example, the exception may not be related to this endpoint)",
"error": 401,
"errorCode": "NOT_ORG_GROUP_CREATOR",
"reason": "Unauthorized"
}{
"detail": "(This is just an example, the exception may not be related to this endpoint)",
"error": 403,
"errorCode": "CANNOT_CHANGE_GROUP_NAME",
"reason": "Forbidden"
}{
"detail": "(This is just an example, the exception may not be related to this endpoint) Cannot find resource AWS",
"error": 404,
"errorCode": "RESOURCE_NOT_FOUND",
"reason": "Not Found"
}{
"detail": "(This is just an example, the exception may not be related to this endpoint) Cannot delete organization link while there is active migration in following project ids: 60c4fd418ebe251047c50554",
"error": 409,
"errorCode": "CANNOT_DELETE_ORG_ACTIVE_LIVE_MIGRATION_ATLAS_ORG_LINK",
"reason": "Conflict"
}{
"detail": "(This is just an example, the exception may not be related to this endpoint)",
"error": 429,
"errorCode": "RATE_LIMITED",
"reason": "Too Many Requests"
}{
"detail": "(This is just an example, the exception may not be related to this endpoint)",
"error": 500,
"errorCode": "UNEXPECTED_ERROR",
"reason": "Internal Server Error"
}