Support GCP IAM for Cluster Authentication
Achieve feature parity with AWS IAM cluster authentication support.
Thank you for your feedback. This work was planned. In order to avoid a false impression due to the request title, I would like to clarify that:
1) MongoDB will first support Workforce Identity Federation for human users to access databases. This will allow you to SSO to the database not with GCP IAM but with your Identity Provider supporting OpenID Connect, such as Google Cloud Identity, Okta, Ping, etc.
2) Then, MongoDB will support Workload Identity Federation, which will allow your applications to access the database using GCP Service Accounts.
I agree with @fulton
Prioritizing Workload Identity Federation (IAM) is most valuable.
Hello, also requesting this.
Since MongoDB Atlas doesn't support cross-project service accounts, this raises security and responsibility issues over the service account keys in our organization.
Workforce Identity Federation is needed to prevent this.
The current ordering priority is not ideal.
Generally we do not want individual users accessing the database, so why are you prioritizing Workforce Identity Federation to access clusters using SSO? If a user needs to access a cluster directly (in an emergency), it's maybe once every few years.
The highest imperative is for applications to access databases securely. The application has the highest access and security needs. Therefore, prioritizing Workload Identity Federation (IAM) is most valuable. IAM access makes it easier for developers to build new applications to work with the database (instead of touching the database directly).
Why is Atlas choosing to support Workforce Identity Federation first?
Last secret in our deployment that we need to get rid of. This would be a tremendous help.
This idea was raised 2 years ago; are there any plans to put this on the roadmap? This is critical for security reasons.
Especially since it's already possible with AWS: https://www.mongodb.com/docs/atlas/security/passwordless-authentication/
Would be very nice to have this so we can use workload identity in GCP GKE clusters to eliminate yet another credential to distribute.
It should be fairly easy to get transparent identity federation where you can choose to grant Azure, AWS or GCP service accounts access.
See https://cloud.google.com/iam/docs/workload-identity-federation for inspiration
Nitzan Aloni commented
Great idea! Thank you!
Hi Geoffrey, it's worth emphasizing that AzureAD with Domain Services can present the LDAPS protocol, which Atlas supports.
I need this also on Azure.
Hi Ion, can you share a little bit about your use case and what this would help you achieve? Thank you.
We want this.