Support GCP IAM for Cluster Authentication
Achieve feature parity with AWS IAM cluster authentication support.
Your applications can now access Atlas Clusters with Google Service Accounts using MongoDB Workload Identity Federation (https://www.mongodb.com/docs/atlas/workload-oidc/). The feature is supported by MongoDB 7.0.11 dedicated clusters (M10 and above).
For your workforce access, we recommend using Workforce Identity Federation (https://www.mongodb.com/docs/atlas/workforce-oidc/) with your corporate identity provider.
Thank you for your feedback.
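An added example of what the status update above describes, written for this page and not taken from MongoDB's documentation or the Atlas feedback portal: a Python application on a GCE VM or a GKE pod with Workload Identity authenticating to Atlas with MONGODB-OIDC, ENVIRONMENT:gcp. The cluster host, database user and the audience (the TOKEN_RESOURCE configured on the Atlas Workload Identity Federation provider) are placeholders, not real values. fetch_gcp_identity_token shows what the driver's built-in GCP provider does under the hood (an audience-bound, short-lived token from the metadata server, with no key file anywhere), check_token_claims is an added pre-flight that turns the common misconfigurations into a clear error, and build_atlas_oidc_uri gives the equivalent connection string for mongosh or other drivers. Only connect() needs pymongo (4.7 or later) and a GCP environment; the rest runs offline on a constructed, unsigned sample token.

```python
"""Atlas + GCP Workload Identity Federation (MONGODB-OIDC) example.

Added example, not MongoDB's or Atlas's own code. Placeholders below
are assumptions: replace them with your project's values.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

ATLAS_HOST = "cluster0.example.mongodb.net"      # assumption: your cluster host
AUDIENCE = "https://atlas.example.invalid/oidc"  # assumption: TOKEN_RESOURCE set in Atlas
GOOGLE_ISSUER = "https://accounts.google.com"
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/identity")


def fetch_gcp_identity_token(audience: str, timeout: float = 2.0) -> str:
    """What ENVIRONMENT:gcp does inside the driver: ask the GCE/GKE metadata
    server for a short-lived OIDC token bound to `audience` for the attached
    service account. No service-account key is read or stored."""
    query = urllib.parse.urlencode({"audience": audience, "format": "full"})
    req = urllib.request.Request(f"{METADATA_URL}?{query}",
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("ascii").strip()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token_claims(token: str, expected_audience: str, now=None) -> dict:
    """Pre-flight on the token's claims before the driver sends it.
    Does NOT verify the signature (Atlas checks it against Google's JWKS);
    it only turns a wrong TOKEN_RESOURCE, an expired token or an unexpected
    issuer into a specific ValueError instead of a generic auth failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected 3 dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != GOOGLE_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != expected_audience:
        raise ValueError(f"audience mismatch: token has {claims.get('aud')!r}, "
                         f"Atlas provider expects {expected_audience!r}")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token already expired")
    if not claims.get("sub"):
        raise ValueError("token has no subject (service account id)")
    return claims


def build_atlas_oidc_uri(host: str, audience: str) -> str:
    """Equivalent connection string. TOKEN_RESOURCE is percent-encoded because
    its value contains ':' and '/', which would otherwise break URI parsing."""
    props = "ENVIRONMENT:gcp,TOKEN_RESOURCE:" + urllib.parse.quote(audience, safe="")
    return (f"mongodb+srv://{host}/?authMechanism=MONGODB-OIDC"
            f"&authMechanismProperties={props}")


def connect(host: str = ATLAS_HOST, audience: str = AUDIENCE):
    """Connect with the driver's built-in GCP provider (run inside GCP).
    The pre-flight surfaces configuration errors before the handshake."""
    from pymongo import MongoClient  # pymongo >= 4.7; imported lazily on purpose

    check_token_claims(fetch_gcp_identity_token(audience), audience)
    return MongoClient(
        f"mongodb+srv://{host}/",
        authMechanism="MONGODB-OIDC",
        authMechanismProperties={"ENVIRONMENT": "gcp", "TOKEN_RESOURCE": audience},
    )


def constructed_token(claims: dict) -> str:
    """Constructed, UNSIGNED JWT for offline demonstration only. Not a real
    Google token: the signature segment is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    sample = constructed_token({"iss": GOOGLE_ISSUER, "aud": AUDIENCE, "sub": "1234",
                                "email": "app@proj.iam.gserviceaccount.com",
                                "exp": int(time.time()) + 3600})
    print(check_token_claims(sample, AUDIENCE)["email"])
    print(build_atlas_oidc_uri(ATLAS_HOST, AUDIENCE))
```

The database user in Atlas is the Google service account (or the group it maps to) rather than a username/password pair, so the only thing the application ships with is its audience string; rotation and revocation happen in GCP IAM, which is the point the commenters below are asking for.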
-
Michael Gerlach commented
This is technically done with MongoDB 7.0 and OIDC authentication through Identity Federation.
-
ilyas bouallal commented
I agree with @fulton
Prioritizing Workload Identity Federation (IAM) is most valuable.
-
ilyas bouallal commented
Hello, also requesting this.
Since MongoDB Atlas doesn't support cross-project service accounts, this raises security and responsibility issues over the service account keys in our organization.
Workforce Identity Federation is needed to prevent this.
Best Regards,
Ilyas
-
Fulton Byrne commented
The current ordering priority is not ideal.
Generally we do not want individual users accessing the database, so why are you prioritizing Workforce Identity Federation to access clusters using SSO? If a user needs to access a cluster directly (in an emergency) it's maybe once every few years.
The highest imperative is for applications to access databases securely. The application has the highest access and security needs. Therefore prioritizing Workload Identity Federation (IAM) is most valuable. IAM access makes it easier for developers to build new applications to work with the database (instead of touching the database directly).
Why is Atlas choosing to support Workforce Identity Federation first?
-
Dimitri Stiliadis commented
Last secret in our deployment that we need to get rid of. This would be a tremendous help.
-
Tom commented
This idea was raised 2 years ago, are there any plans to put this on the roadmap? This is critical for security reasons.
Especially since it's already possible with AWS: https://www.mongodb.com/docs/atlas/security/passwordless-authentication/
-
Fulton Byrne commented
Would be very nice to have this so we can use workload identity in GCP GKE clusters to eliminate yet another credential to distribute.
-
Morten commented
It should be fairly easy to get transparent identity federation where you can choose to grant Azure, AWS or GCP service accounts access.
See https://cloud.google.com/iam/docs/workload-identity-federation for inspiration
-
Nitzan Aloni commented
Great idea! Thank you!
-
Marco Barbierato commented
Great idea!
-
Hi Geoffrey, it's worth emphasizing that AzureAD with Domain Services can present the LDAPS protocol, which Atlas supports.
-
Geoffrey commented
I need this also on Azure.
-
Hi Ion, can you help share a little bit about your use case, and what this would help you achieve? Thank you,
Andrew
-
ion commented
yessssssssssss
we want this