Support GCP IAM for Cluster Authentication

Achieve feature parity with AWS IAM cluster authentication support.

78 votes

Brian shared this idea · September 24, 2020 · Report… · Admin →

planned ·

AdminFuat (Admin, MongoDB) responded · March 01, 2023

Thank you for your feedback. This work was planned. In order to avoid a false impression due to request title, I would like to clarify that:

1) MongoDB will first support Workforce Identity Federation for human users to access databases. This will allow you to SSO to the database not with GCP IAM but with your Identity Provider supporting OpenID Connect such as Google Cloud Identity, Okta, Ping, etc..

2) Then, MongoDB will support Workload Identity Federation that will allow your applications to access to database using GCP Service Accounts.

An error occurred while saving the comment

ilyas commented · September 22, 2023 09:06 · Report

I agree with @fulton

Prioritizing Workload Identity Federation (IAM) is most valuable.

Submitting...
ilyas commented · September 20, 2023 15:02 · Report

Hello, also requesting this.

Since MongoDB Atlas doesn't support crossproject service accounts, this raise security and responsibility issues over the service account keys in our organization.
Workforce Identity Federation is needed to prevent this.

Best Regards,
Ilyas

Submitting...
Fulton commented · March 13, 2023 10:38 · Report

The current ordering priority is not ideal.

Generally we do not want individual users accessing the database, so why are you prioritizing Workforce Identity Federation to access clusters using SSO? If a user needs to access a cluster directly (in an emergency) it's maybe once every few years.

The highest imperative is for application to access databases securely. The application has the highest access and security needs. Therefore prioritizing Workload Identity Federation (IAM) is most valuable. IAM access makes it easier for developers to build new applications to work with the database (instead of touching the database directly).

Why is Atlas choosing to support Workforce Identity Federation first?

Submitting...
Dimitri commented · March 01, 2023 13:56 · Report

Last secret in our deployment that we need to get rid off. This would be a tremendous help.

Submitting...
Tom commented · September 27, 2022 05:07 · Report

This idea was raised 2 years ago, are there any plans to put this on the roadmap ? This is critical for security reasons.

Especially since it's already possible with AWS: https://www.mongodb.com/docs/atlas/security/passwordless-authentication/

Submitting...
Fulton commented · October 19, 2021 12:42 · Report

Would be very nice to have this so we can use workload identity in GCP GKE clusters to eliminate yet another credential to distribute.

Submitting...
Morten commented · October 11, 2021 12:15 · Report

It should be fairly easy to get transparent identity federation where you can choose to grant Azure, AWS or GCP service accounts access.

See https://cloud.google.com/iam/docs/workload-identity-federation for inspiration

Submitting...
Nitzan Aloni commented · March 17, 2021 15:19 · Report

Great idea! Thank you!

Submitting...
Marco commented · March 16, 2021 14:16 · Report

Great idea!

Submitting...
AdminAndrew Davidson (VP, Cloud Products, MongoDB) commented · February 12, 2021 08:15 · Report

Hi Geoffrey, It's worth emphasizing that AzureAD with Domain Services can present the LDAPS protocol which Atlas supports

Submitting...
Geoffrey commented · February 11, 2021 14:07 · Report

I need this also on Azure.

Submitting...
AdminAndrew Davidson (VP, Cloud Products, MongoDB) commented · October 07, 2020 11:29 · Report

Hi Ion, Can you help share a little bit about your use case, and what this would help you achieve? Thank you
-Andrew

Submitting...
ion commented · October 06, 2020 10:45 · Report

yessssssssssss
we want this

Submitting...