Authentication Using Workload Identity Federation
Starting in 1.8.1, you can use mongosync with Atlas Workload Identity Federation to authenticate connections to MongoDB clusters running on Microsoft Azure and Google Cloud Platform.
Examples
This section shows mongosync examples that use Workload Identity Federation.
In the connection string, set `authMechanism` to `MONGODB-OIDC` and set `authMechanismProperties` as needed:

- For Microsoft Azure, set `authMechanismProperties` to `ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>`. Note: Omit `TOKEN_RESOURCE` if using Microsoft Azure Kubernetes Service (AKS).
- For Google Cloud Platform, set `authMechanismProperties` to `ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>`.

Replace `<audience>` with the application or service that the access token is intended for. For more details, see Identity Provider Fields.
For details about connection string options, see Authentication Options.
Connect to MongoDB Clusters Using Microsoft Azure Instance Metadata Service
The following mongosync example connects to MongoDB clusters using Microsoft Azure Instance Metadata Service (IMDS):

```shell
./bin/mongosync \
  --logPath /var/log/mongosync \
  --cluster0 "mongodb://clusterOne01.fancyCorp.com:20020,clusterOne02.fancyCorp.com:20020,clusterOne03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:https://www.example.com" \
  --cluster1 "mongodb://clusterTwo01.fancyCorp.com:20020,clusterTwo02.fancyCorp.com:20020,clusterTwo03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:https://www.example.com"
```
Connect to MongoDB Clusters Using Microsoft Azure Kubernetes Service
To connect to MongoDB clusters using Microsoft Azure Kubernetes Service, define these environment variables:
| Environment Variable | Description |
|---|---|
| AZURE_TENANT_ID | Azure tenant identifier. |
| AZURE_APP_CLIENT_ID | Azure application client identifier. |
| AZURE_CLIENT_ID | Azure client identifier of the managed identity to authenticate with. |
| AZURE_FEDERATED_TOKEN_FILE | Azure federated token file path. |
For details about Azure and the variables, see the Microsoft Azure documentation.
The following mongosync example defines the environment variables and connects to MongoDB clusters:

```shell
AZURE_TENANT_ID=08206ab8-16a0-406d-85e4-2f15f5620fac \
AZURE_APP_CLIENT_ID=b6c835da-e536-425b-9405-64bc471e245b \
AZURE_CLIENT_ID=f176d4eb-7dcd-4f66-bccf-aaa316ee61fd \
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token \
./bin/mongosync \
  --logPath /var/log/mongosync \
  --cluster0 "mongodb://clusterOne01.fancyCorp.com:20020,clusterOne02.fancyCorp.com:20020,clusterOne03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure" \
  --cluster1 "mongodb://clusterTwo01.fancyCorp.com:20020,clusterTwo02.fancyCorp.com:20020,clusterTwo03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure"
```

`TOKEN_RESOURCE` isn't required for this example.
Connect to MongoDB Clusters in Google Cloud Platform
The following mongosync example connects to MongoDB clusters in Google Cloud Platform:

```shell
./bin/mongosync \
  --logPath /var/log/mongosync \
  --cluster0 "mongodb://clusterOne01.fancyCorp.com:20020,clusterOne02.fancyCorp.com:20020,clusterOne03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:https://www.example.com" \
  --cluster1 "mongodb://clusterTwo01.fancyCorp.com:20020,clusterTwo02.fancyCorp.com:20020,clusterTwo03.fancyCorp.com:20020/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:https://www.example.com"
```
No environment variables are required for Google Cloud Platform.
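As an added example (not part of the mongosync documentation), the following Python check applies the rules from this page to a connection string before it is handed to `mongosync`: `authMechanism` must be `MONGODB-OIDC`, `ENVIRONMENT` must be `azure` or `gcp`, `TOKEN_RESOURCE` must be present except on AKS, the four `AZURE_*` variables must be set on AKS, and no static password may ride in the URI. The function names and the `aks` flag are assumptions made for this example.

```python
"""Pre-flight check for mongosync MONGODB-OIDC connection strings (added example)."""
import os
from urllib.parse import parse_qs, urlsplit

# Variables the page's AKS table requires (constructed list, names from the page).
AKS_ENV_VARS = ("AZURE_TENANT_ID", "AZURE_APP_CLIENT_ID",
                "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE")


def parse_auth_props(raw):
    """Turn 'ENVIRONMENT:azure,TOKEN_RESOURCE:https://x' into a dict.
    Values can contain ':' (URLs), so split each item on the first ':' only."""
    props = {}
    for item in raw.split(","):
        if ":" not in item:
            raise ValueError(f"malformed authMechanismProperties item: {item!r}")
        key, value = item.split(":", 1)
        props[key.strip()] = value.strip()
    return props


def check_oidc_uri(uri, env=None, aks=False):
    """Return a list of findings; an empty list means the URI follows the page's rules."""
    env = os.environ if env is None else env
    findings = []
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    # Workload identity exists so no long-lived secret is embedded in the URI.
    if parts.password is not None:
        findings.append("connection string embeds a static password")
    query = parse_qs(parts.query)
    mech = query.get("authMechanism", [None])[0]
    if mech != "MONGODB-OIDC":
        findings.append(f"authMechanism is {mech!r}, expected 'MONGODB-OIDC'")
    raw_props = query.get("authMechanismProperties", [""])[0]
    props = parse_auth_props(raw_props) if raw_props else {}
    environment = props.get("ENVIRONMENT")
    if environment not in ("azure", "gcp"):
        findings.append(f"ENVIRONMENT is {environment!r}, expected 'azure' or 'gcp'")
    token_resource = props.get("TOKEN_RESOURCE")
    if aks:
        # On AKS the page says to omit TOKEN_RESOURCE and rely on the AZURE_* variables.
        if token_resource is not None:
            findings.append("TOKEN_RESOURCE must be omitted on AKS")
        missing = [v for v in AKS_ENV_VARS if not env.get(v)]
        if missing:
            findings.append("AKS variables not set: " + ", ".join(missing))
    elif not token_resource:
        findings.append("TOKEN_RESOURCE (audience) is required outside AKS")
    return findings
```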