Support GCP IAM for Cluster Authentication

Achieve feature parity with AWS IAM cluster authentication support.

70 votes

Brian shared this idea · Sep 24, 2020 · Report… · Admin →

planned ·

AdminFuat (Admin, MongoDB) responded · Mar 1, 2023

Thank you for your feedback. This work was planned. In order to avoid a false impression due to request title, I would like to clarify that:

1) MongoDB will first support Workforce Identity Federation for human users to access databases. This will allow you to SSO to the database not with GCP IAM but with your Identity Provider supporting OpenID Connect such as Google Cloud Identity, Okta, Ping, etc..

2) Then, MongoDB will support Workload Identity Federation that will allow your applications to access to database using GCP Service Accounts.

An error occurred while saving the comment

Fulton commented · March 13, 2023 10:38 AM · Report

The current ordering priority is not ideal.

Generally we do not want individual users accessing the database, so why are you prioritizing Workforce Identity Federation to access clusters using SSO? If a user needs to access a cluster directly (in an emergency) it's maybe once every few years.

The highest imperative is for application to access databases securely. The application has the highest access and security needs. Therefore prioritizing Workload Identity Federation (IAM) is most valuable. IAM access makes it easier for developers to build new applications to work with the database (instead of touching the database directly).

Why is Atlas choosing to support Workforce Identity Federation first?

Submitting...
Dimitri commented · March 1, 2023 1:56 PM · Report

Last secret in our deployment that we need to get rid off. This would be a tremendous help.

Submitting...
Tom commented · September 27, 2022 5:07 AM · Report

This idea was raised 2 years ago, are there any plans to put this on the roadmap ? This is critical for security reasons.

Especially since it's already possible with AWS: https://www.mongodb.com/docs/atlas/security/passwordless-authentication/

Submitting...
Fulton commented · October 19, 2021 12:42 PM · Report

Would be very nice to have this so we can use workload identity in GCP GKE clusters to eliminate yet another credential to distribute.

Submitting...
Morten commented · October 11, 2021 12:15 PM · Report

It should be fairly easy to get transparent identity federation where you can choose to grant Azure, AWS or GCP service accounts access.

See https://cloud.google.com/iam/docs/workload-identity-federation for inspiration

Submitting...
Nitzan Aloni commented · March 17, 2021 3:19 PM · Report

Great idea! Thank you!

Submitting...
Marco commented · March 16, 2021 2:16 PM · Report

Great idea!

Submitting...
AdminAndrew Davidson (VP, Cloud Products, MongoDB) commented · February 12, 2021 8:15 AM · Report

Hi Geoffrey, It's worth emphasizing that AzureAD with Domain Services can present the LDAPS protocol which Atlas supports

Submitting...
Geoffrey commented · February 11, 2021 2:07 PM · Report

I need this also on Azure.

Submitting...
AdminAndrew Davidson (VP, Cloud Products, MongoDB) commented · October 7, 2020 11:29 AM · Report

Hi Ion, Can you help share a little bit about your use case, and what this would help you achieve? Thank you
-Andrew

Submitting...
ion commented · October 6, 2020 10:45 AM · Report

yessssssssssss
we want this

Submitting...