Support GCP IAM for Cluster Authentication
Achieve feature parity with AWS IAM cluster authentication support.
Thank you for your patience. Connecting Atlas clusters with GCP service accounts (workload identity federation) is in development and currently planned to be available in Q1 2024 (which is subject to change). The functionality will require MongoDB 7 in Atlas and initially will be supported in Java, Node, Python, C#/.NET, and Go drivers.
-
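Added example, not code from MongoDB or from any commenter in this thread: what the secretless path described in the status update looks like from the application side. A GCP workload asks the metadata server for a Google-signed ID token for a chosen audience, hands it to the driver's MONGODB-OIDC callback, and the cluster validates it against the configured identity provider; no service-account key is ever written to disk. Assumptions that are not stated on this page: the pymongo >= 4.7 OIDC callback API (`pymongo.auth_oidc`), the GCP metadata identity endpoint and its `Metadata-Flavor: Google` header, and the placeholder audience `AUDIENCE`, which must be replaced with whatever the Atlas-side OIDC configuration expects. The claim checks mirror what any OIDC verifier does (issuer, audience, expiry); they are a client-side fail-fast, not a substitute for the server's signature verification.

```python
"""Added example (not MongoDB's or a commenter's code): authenticate a GCP
workload to a MongoDB 7.0 cluster over MONGODB-OIDC with a workload identity
token instead of a stored secret.

Assumptions (labelled, not from the thread):
  - pymongo >= 4.7, whose OIDC callback API lives in pymongo.auth_oidc
  - the workload runs on GCP, where the metadata server issues Google-signed
    ID tokens for a caller-chosen audience
  - AUDIENCE is a placeholder; use the audience the Atlas-side OIDC config expects
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

METADATA_URL = (
    "http://metadata.google.internal/computeMetadata/v1/instance/"
    "service-accounts/default/identity"
)
GOOGLE_ISSUER = "https://accounts.google.com"
AUDIENCE = "https://example.invalid/atlas-cluster"  # placeholder audience


def metadata_token_url(audience: str) -> str:
    """URL that returns a Google-signed ID token minted for `audience`."""
    return f"{METADATA_URL}?audience={urllib.parse.quote(audience, safe='')}"


def fetch_gcp_identity_token(audience: str, timeout: float = 2.0) -> str:
    """Ask the GCP metadata server for a short-lived ID token (network call)."""
    req = urllib.request.Request(
        metadata_token_url(audience), headers={"Metadata-Flavor": "Google"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("ascii").strip()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(jwt: str) -> dict:
    """Decode the payload WITHOUT checking the signature. Signature verification
    is the server's job (it holds Google's JWKS); the client only reads claims
    to fail fast on a misconfigured audience or a stale token."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def token_is_usable(jwt: str, audience: str,
                    now: Optional[float] = None, skew: int = 30) -> bool:
    """Issuer, audience and expiry checks, with `skew` seconds of clock margin."""
    claims = unverified_claims(jwt)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = audience in aud if isinstance(aud, list) else aud == audience
    return (claims.get("iss") == GOOGLE_ISSUER
            and aud_ok
            and claims.get("exp", 0) > now + skew)


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token (alg=none, empty signature) for exercising the
    claim checks offline. A real server would reject it."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


def make_client(uri: str, audience: str = AUDIENCE):
    """Build a MongoClient that authenticates with MONGODB-OIDC and supplies the
    GCP identity token through a callback. pymongo is imported lazily so the
    claim helpers above remain usable without the driver installed."""
    from pymongo import MongoClient
    from pymongo.auth_oidc import OIDCCallback, OIDCCallbackContext, OIDCCallbackResult

    class GcpWorkloadIdentity(OIDCCallback):
        def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:
            timeout = getattr(context, "timeout_seconds", None) or 2.0
            token = fetch_gcp_identity_token(audience, timeout=timeout)
            if not token_is_usable(token, audience):
                raise RuntimeError("metadata server token has wrong audience or is expired")
            return OIDCCallbackResult(access_token=token)

    # The driver calls fetch() on connect and again when the token expires;
    # the token lives only in memory for the life of the connection.
    return MongoClient(
        uri,
        authMechanism="MONGODB-OIDC",
        authMechanismProperties={"OIDC_CALLBACK": GcpWorkloadIdentity()},
    )
```

The driver re-invokes the callback when the cluster reports the token as expired, so rotation is handled without any operator action; the only thing that has to be configured out of band is the issuer/audience pairing on the cluster side, which this thread does not describe and the example therefore does not assume.
-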
Michael Gerlach commented
This is technically done with MongoDB 7.0 and OIDC authentication through Identity Federation.
-
ilyas bouallal commented
I agree with @fulton
Prioritizing Workload Identity Federation (IAM) is most valuable.
-
ilyas bouallal commented
Hello, also requesting this.
Since MongoDB Atlas doesn't support cross-project service accounts, this raises security and responsibility issues over the service account keys in our organization.
Workforce Identity Federation is needed to prevent this. Best Regards,
Ilyas
-
Fulton Byrne commented
The current ordering priority is not ideal.
Generally we do not want individual users accessing the database, so why are you prioritizing Workforce Identity Federation to access clusters using SSO? If a user needs to access a cluster directly (in an emergency) it's maybe once every few years.
The highest imperative is for applications to access databases securely. The application has the highest access and security needs. Therefore prioritizing Workload Identity Federation (IAM) is most valuable. IAM access makes it easier for developers to build new applications to work with the database (instead of touching the database directly).
Why is Atlas choosing to support Workforce Identity Federation first?
-
Dimitri Stiliadis commented
Last secret in our deployment that we need to get rid of. This would be a tremendous help.
-
Tom commented
This idea was raised 2 years ago; are there any plans to put this on the roadmap? This is critical for security reasons.
Especially since it's already possible with AWS: https://www.mongodb.com/docs/atlas/security/passwordless-authentication/
-
Fulton Byrne commented
Would be very nice to have this so we can use workload identity in GCP GKE clusters to eliminate yet another credential to distribute.
-
Morten commented
It should be fairly easy to get transparent identity federation where you can choose to grant Azure, AWS or GCP service accounts access.
See https://cloud.google.com/iam/docs/workload-identity-federation for inspiration
-
Nitzan Aloni commented
Great idea! Thank you!
-
Marco Barbierato commented
Great idea!
-
Hi Geoffrey, it's worth emphasizing that AzureAD with Domain Services can present the LDAPS protocol, which Atlas supports.
-
Geoffrey commented
I need this also on Azure.
-
Hi Ion, can you help share a little bit about your use case and what this would help you achieve? Thank you
-Andrew
-
ion commented
yessssssssssss
we want this