mongocli atlas dbuser create

On this page

Syntax

Options
Output
Examples

This version of the documentation is archived and no longer supported. View the current documentation to learn how to upgrade your version of MongoCLI.

The dbuser create command creates a MongoDB database user to access the specified Atlas cluster. You can also create a MongoDB database user through the Atlas UI or API.

Syntax

mongocli atlas dbuser create
     [ --awsIAMType <NONE|USER|ROLE> ]
     [ --deleteAfter <date-of-deletion> ]
     [ --ldapType <NONE|USER|GROUP>]
     [ --output|-o <output-format> ]
     [ --password|-p <password-of-user> ]
     [ --profile|-P <profile-name> ]
     [ --projectId <project-ID> ]
     --role <name-of-role>
     --username|-u <name-of-user>
     [ --x509Type <NONE|MANAGED|CUSTOMER> ]

Note

Use -h or --help to view the command-line help for this command.

Options

Option

Type

Description

Required?

--awsIAMType

string

Authenticates the new database user with AWS IAM credentials. If omitted, Atlas uses the default value of NONE.

Accepted values are:

`NONE`	User doesn't authenticate with AWS IAM credentials. If `--ldapType` and `--x509Type` are `NONE` or omitted, Atlas authenticates this user through SCRAM-SHA.
`USER`	User authenticates with AWS IAM user credentials. You do not need to provide a `--password` for the user.
`ROLE`	User authenticates with AWS IAM role credentials. You do not need to provide a `--password` for the user.

If you set --awsIAMType to USER or ROLE, you can't set --x509Type or --ldapType to any value other than NONE.

--ldapType

string

Authenticates the new database user with LDAP. If omitted, Atlas uses the default value of NONE.

Accepted values include:

`NONE`	User doesn't authenticate with LDAP. If `--awsIAMType` and `--x509Type` are `NONE` or omitted, Atlas authenticates this user through SCRAM-SHA.
`USER`	LDAP server authenticates this user through the user's LDAP user. The name you specify with `--username` must also be a fully qualified distinguished name, as defined in RFC-2253.
`GROUP`	LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. The name you specify with `--username` must also be a fully qualified distinguished name, as defined in RFC-2253.

If you set --ldapType to USER or GROUP, you can't set --awsIAMType or --x509Type to any value other than NONE.

--deleteAfter

date

Timestamp in ISO 8601 date and time format in UTC after which Atlas deletes the user. The specified date must be in the future and within one week of the time you make the API request.

Note

You may include an ISO 8601 time zone designator to ensure that the expiration date occurs with respect to the local time in the specified time zone. Time zones are represented as an offset from UTC.

Example

To delete a database user on August 1st, 2020, at 12:30pm in New York (Eastern Daylight Time), use the option:

--deleteAfter 2020-08-01T12:30-04:00

--output, -o

string

Command output format. Valid values are:

json for output in JSON format
go-template for custom output using the Go template
go-template-file for custom output specified using Go template file

If omitted, the command returns output in the default format.

--password, -p

string

Password for authenticating the user to MongoDB. Required if --awsIAMType, --ldapType, and --x509Type are omitted or NONE, which means that the database user authenticates with SCRAM-SHA.

--profile, -P

string

Name of the profile where the public and private keys for the project are saved. If omitted, uses the default profile. To learn more about creating a profile, see Configure the MongoDB CLI.

--projectId

string

Unique identifier of the project. If omitted, uses the project ID in the profile or environment variable.

--role

string or array of strings

Comma-separated list of user's roles and the databases or collections on which the roles apply. A role allows the user to perform particular actions on the specified database or collection. To learn more about the list of default roles, see MongoDB Database User Privileges.

yes

--username, -u

string

Username for authenticating the user to MongoDB.

Must be a fully qualified distinguished name, as defined in RFC 2253, if:
- --ldapType is USER or GROUP.
- --x509Type is CUSTOMER.
Must be an Amazon Resource Name (ARN) if --awsIAMType is USER or ROLE.

yes

--x509Type

string

Authenticates the new database user with X.509. If omitted, Atlas uses the default value of NONE.

Accepted values are:

`NONE`	User doesn't authenticate with X.509. If `--awsIAMType` and `--ldapType` are `NONE` or omitted, Atlas authenticates this user through SCRAM-SHA.
`MANAGED`	User authenticates with Atlas-managed X.509. You do not need to provide a `--password` for the user.
`CUSTOMER`	User authenticates with self-managed X.509. You do not need to provide a `--password` for the user. You must include a fully qualified Distinguished Name (DN) as the `--username` for users who authenticate with self-managed X.509.

If you set --x509Type to MANAGED or CUSTOMER, you can't set --awsIAMType or --ldapType to any value other than NONE.

Output

The command prints the following fields in the specified format to the terminal if the command succeeds. If the command prints an error, see Troubleshooting for recommended solutions.

Field

Description

databaseName

User's authentication database. For MongoDB deployment in Atlas, the authentication database is always the admin database.

groupId

Unique identifier of the Atlas project to which the user belongs.

Note

Groups and projects are synonymous terms. Your {GROUP-ID} is the same as your project ID.

roles

User's roles and the databases or collections on which the roles apply.

username

Username for authentication.

ldapAuthType

Method by which the specified username is authenticated. Valid values are:

`NONE`	This user does not use LDAP authentication.
`USER`	LDAP server authenticates this user through the user's LDAP user.
`GROUP`	LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP.

x509Type

Method by which the specified username is authenticated. Valid values are:

`NONE`	This user does not use X.509 authentication.
`MANAGED`	This user authenticates with Atlas-managed X.509 certificates.
`CUSTOMER`	This user authenticates with Self-managed X.509 certificates.

awsIAMType

Method by which the specified username is authenticated. Valid values are:

`NONE`	This user does not use AWS IAM authentication.
`USER`	This user authenticates with AWS IAM user credentials.
`ROLE`	This user authenticates with AWS IAM role credentials.

deleteAfterDate

Timestamp in ISO 8601 date and time format in UTC after which Atlas deletes the user. This field is only present if an expiration date was specified when creating the entry.

Examples

The examples below use the mongocli atlas dbuser create command to create a MongoDB database user to access the Atlas cluster. When the command is run, it prints the Output Fields to the terminal.

Example 1

The following command creates a user with the following attributes:

Username: user1
Password: ChangeThisToAStrongPassword
Role: atlasAdmin

The command uses the default profile to access Atlas and create the user.

mongocli atlas dbuser create --username user1 --password
ChangeThisToAStrongPassword --role atlasAdmin@admin --output json
--projectId 5e2211c17a3e5a48f5497de3

The previous command prints the following fields to the terminal. To learn more about these fields, see Output.

{
     "roles": [{
             "roleName": "atlasAdmin",
             "databaseName": "admin"
     }],
     "groupId": "5e2211c17a3e5a48f5497de3",
     "username": "user1",
     "databaseName": "admin",
     "ldapAuthType": "NONE",
     "x509Type": "NONE",
     "awsIAMType": "NONE"
}

Example 2

The following commands show two ways to create a user with readWriteAnyDatabase and clusterMonitor privileges. The command uses the default profile to access the project, which contains the API keys for accessing Atlas.

The following command shows the --role option with two privileges separated by a comma.

mongocli atlas dbuser create --username egUser --password ChangeThisToAStrongPassword --role readWriteAnyDatabase@admin,clusterMonitor@admin --projectId 5e2211c17a3e5a48f5497de3

The following command specifies the --role option twice, once for each privilege.

mongocli atlas dbuser create --username egUser --password ChangeThisToAStrongPassword --role readWriteAnyDatabase@admin --role clusterMonitor@admin --output json --projectId 5e2211c17a3e5a48f5497de3

The commands print the following fields to the terminal. To learn more about these fields, see Output.

{
     "roles": [{
                     "roleName": "readWriteAnyDatabase",
                     "databaseName": "admin"
             },
             {
                     "roleName": "clusterMonitor",
                     "databaseName": "admin"
             }
     ],
     "groupId": "5e2211c17a3e5a48f5497de3",
     "username": "egUser",
     "databaseName": "admin",
     "ldapAuthType": "NONE",
     "x509Type": "NONE",
     "awsIAMType": "NONE"
}

Example 3

The following command creates a temporary user with credentials that expire in one week.

Username: tempUser
Password: ChangeThisToAStrongPassword
Role: clusterMonitor
Credential expiry date: 2020-07-31

The command uses the default profile to access Atlas and create the user.

mongocli atlas dbuser create --username tempUser --password ChangeThisToAStrongPassword --role clusterMonitor@admin --deleteAfter 2020-07-31 --output json --projectId 5e2211c17a3e5a48f5497de3

The previous command prints the following fields to the terminal. To learn more about these fields, see Output.

{
     "roles": [{
             "roleName": "clusterMonitor",
             "databaseName": "admin"
     }],
     "groupId": "5e2211c17a3e5a48f5497de3",
     "username": "tempUser",
     "databaseName": "admin",
     "ldapAuthType": "NONE",
     "x509Type": "NONE",
     "awsIAMType": "NONE",
     "deleteAfterDate": "2020-07-31T00:00:00Z"
}

Back

Describe a Database user

Modify a Database User