# Create One Database User in One Project

**POST /api/atlas/v1.0/groups/{groupId}/databaseUsers**

Creates one database user in the specified project. This MongoDB Cloud supports a maximum of 100 database users per project. If you require more than 100 database users on a project, contact Support. To use this resource, the requesting Service Account or API Key must have the Project Owner role, the Project Charts Admin role, Project Stream Processing Owner role, or the Project Database Access Admin role.

[Contact MongoDB Support](https://cloud.mongodb.com/support)

## Servers
- https://cloud.mongodb.com: https://cloud.mongodb.com ()


## Authentication methods
- Service accounts
- Digest auth


## Parameters

#### Path parameters
- **groupId** (string)
  Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access.

**NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.

#### Query parameters
- **envelope** (boolean)
  Flag that indicates whether Application wraps the response in an `envelope` JSON object. Some API clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query. Endpoints that return a list of results use the results object as an envelope. Application adds the status parameter to the response body.
- **pretty** (boolean)
  Flag that indicates whether the response body should be in the prettyprint format.

## Body parameters
Content-type: application/json
Creates one database user in the specified project.
- **awsIAMType** (string)
  Human-readable label that indicates whether the new database user authenticates with the Amazon Web Services (AWS) Identity and Access Management (IAM) credentials associated with the user or the user's role.
- **databaseName** (string)
  The database against which the database user authenticates. Database users must provide both a username and authentication database to log into MongoDB. If the user authenticates with AWS IAM, x.509, LDAP, or OIDC Workload this value should be `$external`. If the user authenticates with SCRAM-SHA or OIDC Workforce, this value should be `admin`.
- **deleteAfterDate** (string(date-time))
  Date and time when MongoDB Cloud deletes the user. This parameter expresses its value in the ISO 8601 timestamp format in UTC and can include the time zone designation. You must specify a future date that falls within one week of making the Application Programming Interface (API) request.
- **description** (string)
  Description of this database user.
- **groupId** (string)
  Unique 24-hexadecimal digit string that identifies the project.
- **labels** (array[object])
  List that contains the key-value pairs for tagging and categorizing the MongoDB database user. The labels that you define do not appear in the console.
- **ldapAuthType** (string)
  Part of the Lightweight Directory Access Protocol (LDAP) record that the database uses to authenticate this database user on the LDAP host.
- **oidcAuthType** (string)
  Human-readable label that indicates whether the new database user or group authenticates with OIDC federated authentication. To create a federated authentication user, specify the value of USER in this field. To create a federated authentication group, specify the value of IDP_GROUP in this field.
- **password** (string)
  Alphanumeric string that authenticates this database user against the database specified in `databaseName`. To authenticate with SCRAM-SHA, you must specify this parameter. This parameter doesn't appear in this response.
- **roles** (array[object])
  List that provides the pairings of one role with one applicable database.
- **scopes** (array[object])
  List that contains clusters, MongoDB Atlas Data Lakes, and MongoDB Atlas Streams Workspaces that this database user can access. If omitted, MongoDB Cloud grants the database user access to all the clusters, MongoDB Atlas Data Lakes, and MongoDB Atlas Streams Workspaces in the project.
- **username** (string)
  Human-readable label that represents the user that authenticates to MongoDB. The format of this label depends on the method of authentication:

| Authentication Method | Parameter Needed | Parameter Value | username Format |
|---|---|---|---|
| AWS IAM | awsIAMType | ROLE | <abbr title="Amazon Resource Name">ARN</abbr> |
| AWS IAM | awsIAMType | USER | <abbr title="Amazon Resource Name">ARN</abbr> |
| x.509 | x509Type | CUSTOMER | [RFC 2253](https://tools.ietf.org/html/2253) Distinguished Name |
| x.509 | x509Type | MANAGED | [RFC 2253](https://tools.ietf.org/html/2253) Distinguished Name |
| LDAP | ldapAuthType | USER | [RFC 2253](https://tools.ietf.org/html/2253) Distinguished Name |
| LDAP | ldapAuthType | GROUP | [RFC 2253](https://tools.ietf.org/html/2253) Distinguished Name |
| OIDC Workforce | oidcAuthType | IDP_GROUP | Atlas OIDC IdP ID (found in federation settings), followed by a '/', followed by the IdP group name |
| OIDC Workload | oidcAuthType | USER | Atlas OIDC IdP ID (found in federation settings), followed by a '/', followed by the IdP user name |
| SCRAM-SHA | awsIAMType, x509Type, ldapAuthType, oidcAuthType | NONE | Alphanumeric string |

- **x509Type** (string)
  X.509 method that MongoDB Cloud uses to authenticate the database user.

- For application-managed X.509, specify `MANAGED`.
- For self-managed X.509, specify `CUSTOMER`.

Users created with the `CUSTOMER` method require a Common Name (CN) in the **username** parameter. You must create externally authenticated users on the `$external` database.

## Responses
### 201: OK

#### Body Parameters: application/json (object)
- **awsIAMType** (string)
  Human-readable label that indicates whether the new database user authenticates with the Amazon Web Services (AWS) Identity and Access Management (IAM) credentials associated with the user or the user's role.
- **databaseName** (string)
  The database against which the database user authenticates. Database users must provide both a username and authentication database to log into MongoDB. If the user authenticates with AWS IAM, x.509, LDAP, or OIDC Workload this value should be `$external`. If the user authenticates with SCRAM-SHA or OIDC Workforce, this value should be `admin`.
- **deleteAfterDate** (string(date-time))
  Date and time when MongoDB Cloud deletes the user. This parameter expresses its value in the ISO 8601 timestamp format in UTC and can include the time zone designation. You must specify a future date that falls within one week of making the Application Programming Interface (API) request.
- **description** (string)
  Description of this database user.
- **labels** (array[object])
  List that contains the key-value pairs for tagging and categorizing the MongoDB database user. The labels that you define do not appear in the console.
- **ldapAuthType** (string)
  Part of the Lightweight Directory Access Protocol (LDAP) record that the database uses to authenticate this database user on the LDAP host.
- **links** (array[object])
  List of one or more Uniform Resource Locators (URLs) that point to API sub-resources, related API resources, or both. RFC 5988 outlines these relationships.
- **oidcAuthType** (string)
  Human-readable label that indicates whether the new database user or group authenticates with OIDC federated authentication. To create a federated authentication user, specify the value of USER in this field. To create a federated authentication group, specify the value of IDP_GROUP in this field.
- **roles** (array[object])
  List that provides the pairings of one role with one applicable database.
- **scopes** (array[object])
  List that contains clusters, MongoDB Atlas Data Lakes, and MongoDB Atlas Streams Workspaces that this database user can access. If omitted, MongoDB Cloud grants the database user access to all the clusters, MongoDB Atlas Data Lakes, and MongoDB Atlas Streams Workspaces in the project.
- **username** (string)
  Human-readable label that represents the user that authenticates to MongoDB. The format of this label depends on the method of authentication:

| Authentication Method | Parameter Needed | Parameter Value | username Format |
|---|---|---|---|
| AWS IAM | awsIAMType | ROLE | <abbr title="Amazon Resource Name">ARN</abbr> |
| AWS IAM | awsIAMType | USER | <abbr title="Amazon Resource Name">ARN</abbr> |
| x.509 | x509Type | CUSTOMER | [RFC 2253](https://tools.ietf.org/html/2253) Distinguished Name |
| x.509 | x509Type | MANAGED | [RFC 2253](https://tools.ietf.org/html/2253) Distinguished Name |
| LDAP | ldapAuthType | USER | [RFC 2253](https://tools.ietf.org/html/2253) Distinguished Name |
| LDAP | ldapAuthType | GROUP | [RFC 2253](https://tools.ietf.org/html/2253) Distinguished Name |
| OIDC Workforce | oidcAuthType | IDP_GROUP | Atlas OIDC IdP ID (found in federation settings), followed by a '/', followed by the IdP group name |
| OIDC Workload | oidcAuthType | USER | Atlas OIDC IdP ID (found in federation settings), followed by a '/', followed by the IdP user name |
| SCRAM-SHA | awsIAMType, x509Type, ldapAuthType, oidcAuthType | NONE | Alphanumeric string |

- **x509Type** (string)
  X.509 method that MongoDB Cloud uses to authenticate the database user.

- For application-managed X.509, specify `MANAGED`.
- For self-managed X.509, specify `CUSTOMER`.

Users created with the `CUSTOMER` method require a Common Name (CN) in the **username** parameter. You must create externally authenticated users on the `$external` database.

### 400: Bad Request.

#### Body Parameters: application/json (object)
- **badRequestDetail** (object)
  Bad request detail.
- **detail** (string)
  Describes the specific conditions or reasons that cause each type of error.
- **error** (integer(int32))
  HTTP status code returned with this error.
- **errorCode** (string)
  Application error code returned with this error.
- **parameters** (array[object])
  Parameters used to give more information about the error.
- **reason** (string)
  Application error message returned with this error.

### 401: Unauthorized.

#### Body Parameters: application/json (object)
- **badRequestDetail** (object)
  Bad request detail.
- **detail** (string)
  Describes the specific conditions or reasons that cause each type of error.
- **error** (integer(int32))
  HTTP status code returned with this error.
- **errorCode** (string)
  Application error code returned with this error.
- **parameters** (array[object])
  Parameters used to give more information about the error.
- **reason** (string)
  Application error message returned with this error.

### 403: Forbidden.

#### Body Parameters: application/json (object)
- **badRequestDetail** (object)
  Bad request detail.
- **detail** (string)
  Describes the specific conditions or reasons that cause each type of error.
- **error** (integer(int32))
  HTTP status code returned with this error.
- **errorCode** (string)
  Application error code returned with this error.
- **parameters** (array[object])
  Parameters used to give more information about the error.
- **reason** (string)
  Application error message returned with this error.

### 404: Not Found.

#### Body Parameters: application/json (object)
- **badRequestDetail** (object)
  Bad request detail.
- **detail** (string)
  Describes the specific conditions or reasons that cause each type of error.
- **error** (integer(int32))
  HTTP status code returned with this error.
- **errorCode** (string)
  Application error code returned with this error.
- **parameters** (array[object])
  Parameters used to give more information about the error.
- **reason** (string)
  Application error message returned with this error.

### 409: Conflict.

#### Body Parameters: application/json (object)
- **badRequestDetail** (object)
  Bad request detail.
- **detail** (string)
  Describes the specific conditions or reasons that cause each type of error.
- **error** (integer(int32))
  HTTP status code returned with this error.
- **errorCode** (string)
  Application error code returned with this error.
- **parameters** (array[object])
  Parameters used to give more information about the error.
- **reason** (string)
  Application error message returned with this error.

### 500: Internal Server Error.

#### Body Parameters: application/json (object)
- **badRequestDetail** (object)
  Bad request detail.
- **detail** (string)
  Describes the specific conditions or reasons that cause each type of error.
- **error** (integer(int32))
  HTTP status code returned with this error.
- **errorCode** (string)
  Application error code returned with this error.
- **parameters** (array[object])
  Parameters used to give more information about the error.
- **reason** (string)
  Application error message returned with this error.


[Powered by Bump.sh](https://bump.sh)