MongoDB Atlas customers run workloads (applications) inside AWS, Azure, and Google Cloud. Today, to enable these workloads to authenticate with MongoDB Atlas cluster—customers create and manage MongoDB Atlas database users using the natively supported SCRAM (password) and X.509 authentication mechanisms and configure them in their workloads. Customers have to manage the full identity lifecycle of these users in their applications, including frequently rotating secrets. To meet their evolving security and compliance requirements, our enterprise customers require database users to be managed within their existing identity providers or cloud providers of their choice.
Workload Identity Federation will be in general availability later this month and allows management of MongoDB Atlas database users with Azure Managed Identities, Azure Service Principals, Google Service Accounts, or an OAuth2.0 compliant authorization service. This approach makes it easier for customers to manage, secure, and audit their MongoDB Atlas database users in their existing identity provider or a cloud provider of their choice and enables them to have “passwordless” access to their MongoDB Atlas databases.
Along with Workload Identity Federation, Workforce Identity Federation, which was launched in public preview last year, will be generally available later this month. Workforce Identity Federation allows organizations to configure access to MongoDB clusters for their employees with single sign-on (SSO) using OpenID Connect.
Both features complement each other and enable organizations to have complete control of database access for both application users and employees.
Workload Identity Federation support will be available in Atlas Dedicated Clusters on MongoDB 7.0 and above, and is supported by Java, C#, Node, and Python drivers. Go driver support will be added soon.
Quick steps to get started with Workload Identity Federation:
- Configure Atlas with your OAuth2.0 compatible workload identity provider such as Azure or Google Cloud.
- Configure Azure Service Principal or Google Cloud Service Accounts for the Azure or Google Cloud resource where your application runs.
- Add the configured Azure Service Principal or Google Cloud Service Account as Atlas database users with Federated authentication.
- Using Python or any supported driver inside your application, authenticate and authorize with your workload identity provider and Atlas clusters.
To learn more about Workload Identity Federation, please refer to the documentation. And to learn more about how MongoDB’s robust operational and security controls protect your data, read more about our security features.