Docs Menu
Docs Home
/ /
MongoDB Atlas Kubernetes Operator
/

Set Up Unified Cloud Provider Integrations

On this page

  • Prerequisites
  • Procedure

Some Atlas features, including Data Federation and Encryption at Rest, authenticate with AWS IAM roles. When Atlas accesses AWS services, it assumes an IAM role.

You can set up an assumed IAM role for your Atlas account to use with the Atlas Administration API or Atlas UI if you have the Project Owner role. Atlas supports unified access only for AWS.

You can use Atlas Kubernetes Operator to set up unified access for an AWS IAM role in the AtlasProject Custom Resource.

Important

If you operate Atlas Kubernetes Operator under an independent CRD model, you cannot configure AWS IAM authentication using atlasProject parameters. To configure AWS IAM authentication for your Atlas project directly, please see aws-iam-authentication.

You need the following public API key, private API key, and the organization ID information to configure Atlas Kubernetes Operator access to Atlas.

  • If you want Atlas Kubernetes Operator to create a new Atlas project, Grant Programmatic Access to an Organization. If your organization requires an IP access list for the Atlas Administration API, you must also configure the API access list.

    Important

    You must assign the API key the Organization Project Creator organization role or higher.

  • If you want to work with an existing Atlas project, Add Project Access from a Project. If your organization requires an IP access list for the Atlas Administration API, you must also configure the API access list.

    Important

    You must assign the API key the Project Owner project role.

To learn more, see Configure Access to Atlas.

1
  1. Specify an empty value placeholder within the spec.cloudProviderIntegrations.iamAssumedRoleArn parameter of the AtlasProject Custom Resource.

  2. Specify AWS within the spec.cloudProviderIntegrations.providerName parameter of the AtlasProject Custom Resource.

Example:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
name: my-project
spec:
name: Test Project
projectIpAccessList:
- ipAddress: "192.0.2.15"
comment: "IP address for Application"
cloudProviderIntegrations:
- providerName: "AWS"
iamAssumedRoleArn: ""
EOF

Important

Complete this entire procedure to configure the role for the empty value placeholder before adding any additional access roles to your AtlasProject custom resource.

2
  1. Run the command to retrieve the atlasAWSAccountArn, which you need for the next steps.

    kubectl get atlasprojects my-project -o=jsonpath='{.status.cloudProviderIntegrations.atlasAWSAccountArn.type}'
    arn:aws:iam::198765432109:root
  2. Run the command to retrieve the atlasAssumedRoleExternalId, which you need for the next steps.

    kubectl get atlasprojects my-project -o=jsonpath='{.status.cloudProviderIntegrations.atlasAssumedRoleExternalId.type}'
    1a234b56-c789-0d12-345e-67f89012345a
3

You can use an existing IAM role or create a new IAM role for unified access.

Modify the trust policy for your AWS IAM role using the following custom trust policy. Replace the highlighted lines with the values you retrieved in a previous step.

{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"<atlasAWSAccountArn>"
},
"Action":"sts:AssumeRole",
"Condition":{
"StringEquals":{
"sts:ExternalId":"<atlasAssumedRoleExternalId>"
}
}
}
]
}

Create the AWS IAM role using the following custom trust policy. Replace the highlighted lines with the values you retrieved in a previous step.

{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"<atlasAWSAccountArn>"
},
"Action":"sts:AssumeRole",
"Condition":{
"StringEquals":{
"sts:ExternalId":"<atlasAssumedRoleExternalId>"
}
}
}
]
}
4

In the Roles section of the AWS Management Console, click on the IAM role you edited or created for Atlas access. AWS displays the ARN in the Summary section.

5

Replace the empty value placeholder within the spec.cloudProviderIntegrations.iamAssumedRoleArn parameter of the AtlasProject Custom Resource with the IAM role's AWS ARN from the previous step.

Example:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
name: my-project
spec:
name: Test Project
projectIpAccessList:
- ipAddress: "192.0.2.15"
comment: "IP address for Application"
cloudProviderIntegrations:
- providerName: "AWS"
iamAssumedRoleArn: "arn:aws:iam::123456789012:role/aws-service-role/support.amazonaws.com/myRole"
EOF
6
  1. Run the command to retrieve the status:

    kubectl get atlasprojects my-project -o=jsonpath='{.status.cloudProviderIntegrations}'
  2. Check for the READY status.

    • If the status is CREATED, Atlas created the role but you have not authorized it within AWS.

    • If the status is EMPTY_ARN, Atlas created the role but you have not specified the spec.cloudProviderIntegrations.iamAssumedRoleArn.

    • If the status is READY, Atlas has created the role and you have authorized it within AWS.

Back

Federated