Set Up Unified Cloud Provider Integrations
Some Atlas features, including Data Federation and Encryption at Rest, authenticate with AWS IAM roles. When Atlas accesses AWS services, it assumes an IAM role.
You can set up an assumed IAM role for your Atlas account to use with the Atlas Administration API or Atlas UI if you have the Project Owner role. Atlas supports unified access only for AWS.

You can use Atlas Kubernetes Operator to set up unified access for an AWS IAM role in the AtlasProject Custom Resource.
Important
If you operate Atlas Kubernetes Operator under an independent CRD model, you cannot configure AWS IAM authentication using atlasProject parameters. To configure AWS IAM authentication for your Atlas project directly, see aws-iam-authentication.
Prerequisites
You need a public API key, a private API key, and the organization ID to configure Atlas Kubernetes Operator access to Atlas.
If you want Atlas Kubernetes Operator to create a new Atlas project, Grant Programmatic Access to an Organization. If your organization requires an IP access list for the Atlas Administration API, you must also configure the API access list.
Important
You must assign the API key the Organization Project Creator organization role or higher.
If you want to work with an existing Atlas project, Add Project Access from a Project. If your organization requires an IP access list for the Atlas Administration API, you must also configure the API access list.
Important
You must assign the API key the Project Owner project role.
To learn more, see Configure Access to Atlas.
Procedure
Add the spec.cloudProviderIntegrations fields to the AtlasProject custom resource.

Specify an empty value placeholder within the spec.cloudProviderIntegrations.iamAssumedRoleArn parameter of the AtlasProject Custom Resource. Specify AWS within the spec.cloudProviderIntegrations.providerName parameter of the AtlasProject Custom Resource.

Example:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Project
  projectIpAccessList:
    - ipAddress: "192.0.2.15"
      comment: "IP address for Application"
  cloudProviderIntegrations:
    - providerName: "AWS"
      iamAssumedRoleArn: ""
EOF
Important
Complete this entire procedure to configure the role for the empty value placeholder before adding any additional access roles to your AtlasProject custom resource.
Retrieve the project's atlasAWSAccountArn and atlasAssumedRoleExternalId.

Run the command to retrieve the atlasAWSAccountArn, which you need for the next steps:

kubectl get atlasprojects my-project -o=jsonpath='{.status.cloudProviderIntegrations.atlasAWSAccountArn.type}'
arn:aws:iam::198765432109:root

Run the command to retrieve the atlasAssumedRoleExternalId, which you need for the next steps:

kubectl get atlasprojects my-project -o=jsonpath='{.status.cloudProviderIntegrations.atlasAssumedRoleExternalId.type}'
1a234b56-c789-0d12-345e-67f89012345a
Modify your AWS IAM role trust policy.

You can use an existing IAM role or create a new IAM role for unified access.

To use an existing IAM role, modify its trust policy to the following custom trust policy. To create a new IAM role, create it with the same custom trust policy. In either case, replace <atlasAWSAccountArn> and <atlasAssumedRoleExternalId> with the values you retrieved in the previous step.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<atlasAWSAccountArn>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<atlasAssumedRoleExternalId>"
        }
      }
    }
  ]
}
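The trust policy above is what stops any other AWS principal from assuming the role: the principal is pinned to the Atlas account and the sts:ExternalId condition is pinned to the per-project external ID. The following added example (not code from the Atlas docs or from the Atlas Kubernetes Operator) renders that policy from the values read out of the AtlasProject status and lints an existing trust policy for those two conditions; the account ARN and external ID in it are constructed placeholders.

```python
import json

# Constructed sample of one entry of .status.cloudProviderIntegrations;
# the ARN and external ID are placeholders, not real Atlas values.
SAMPLE_INTEGRATION = {
    "providerName": "AWS",
    "atlasAWSAccountArn": "arn:aws:iam::198765432109:root",
    "atlasAssumedRoleExternalId": "1a234b56-c789-0d12-345e-67f89012345a",
    "iamAssumedRoleArn": "",
    "status": "EMPTY_ARN",
}


def build_trust_policy(account_arn: str, external_id: str) -> dict:
    """Render the custom trust policy from the page with the values filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": account_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def lint_trust_policy(policy: dict, account_arn: str, external_id: str) -> list:
    """Report every Allow sts:AssumeRole statement whose principal is not the
    Atlas account or that does not pin sts:ExternalId to the project's value."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else list(aws or [])
        if aws != [account_arn]:  # catches "*" and any foreign account
            findings.append(f"statement {i}: principal {aws} is not {account_arn}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append(f"statement {i}: sts:ExternalId is not pinned to {external_id}")
    return findings


if __name__ == "__main__":
    arn = SAMPLE_INTEGRATION["atlasAWSAccountArn"]
    ext = SAMPLE_INTEGRATION["atlasAssumedRoleExternalId"]
    policy = build_trust_policy(arn, ext)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy, arn, ext))
```

Feed lint_trust_policy the trust policy returned by the IAM API for the role before setting iamAssumedRoleArn; an empty findings list means the policy matches what this project's Atlas integration will present.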
Authorize the IAM role's access using Atlas Kubernetes Operator.

Replace the empty value placeholder within the spec.cloudProviderIntegrations.iamAssumedRoleArn parameter of the AtlasProject Custom Resource with the IAM role's AWS ARN from the previous step.

Example:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Project
  projectIpAccessList:
    - ipAddress: "192.0.2.15"
      comment: "IP address for Application"
  cloudProviderIntegrations:
    - providerName: "AWS"
      iamAssumedRoleArn: "arn:aws:iam::123456789012:role/aws-service-role/support.amazonaws.com/myRole"
EOF
Check the status of the cloudProviderIntegrations.

Run the command to retrieve the status:

kubectl get atlasprojects my-project -o=jsonpath='{.status.cloudProviderIntegrations}'

Check for the READY status.

If the status is CREATED, Atlas created the role but you have not authorized it within AWS.
If the status is EMPTY_ARN, Atlas created the role but you have not specified the spec.cloudProviderIntegrations.iamAssumedRoleArn.
If the status is READY, Atlas has created the role and you have authorized it within AWS.