Getting Started

This integration allows you to generate temporary, time-expiring credentials for your MongoDB Atlas database. These credentials are restricted via an access level, specified by a MongoDB Atlas role that you supply. There can be multiple access levels (and hence roles) associated with a single MongoDB Atlas database connection.

Setup

Create a MongoDB Atlas connection

To get started, head to the Connections page and click on the MongoDB Atlas tile.

Click on the MongoDB Atlas tile to get started


Step 1 - Input the MongoDB Atlas cluster hostname

Add the hostname of your MongoDB Atlas cluster to the Hostname field of the connection creation form (no http or https should be present in the hostname). To find it, log in to the MongoDB Atlas UI, click Connect on the desired cluster, and then click Connect with the MongoDB Shell. You will see a command similar to:

mongosh "mongodb+srv://cluster0.abcdemongodb.net/myFirstDatabase" --username v-135dcec6-bd62-4-ma

The hostname corresponds to mongodb+srv://cluster0.abcdemongodb.net/ (note the lack of myFirstDatabase).

Step 2 - Input the project's public key, private key, and project ID

In order for Opal to provision temporary credentials for your MongoDB Atlas database, we'll need an administrator account with full access to your MongoDB Atlas project. These administrator account credentials must be created via a project API key.

In the MongoDB Atlas UI, navigate to Access Manager at the very top and click on the project that holds your cluster of interest. Click on the API Keys tab and create an API key with the Project Owner permission. Record the public key and private key, and enter them into the Public Key and Private Key fields of the connection form.

To find the project ID, navigate to the Project Settings page of the relevant project (follow the instructions here). Record the Project ID and input it into the Project ID field of the connection form.

Create a new resource for your MongoDB Atlas database connection.


Step 3 - Create a MongoDB Atlas resource and policy that specifies what the user will gain access to on your MongoDB Atlas database

After the MongoDB Atlas database connection is successfully created, navigate to the Resources page and click the '+' in the top right. Then click Create resource.

After clicking, for the Connection Name field, click on the MongoDB Atlas connection you just created. Step through the wizard to fill out the rest of the information.

Now, in the page for the resource that was just created, navigate to the Access Levels tab. Click on Create access level.

Policy editor for a MongoDB Atlas resource.


Fill out all the fields, adding a policy with a user-defined MongoDB Atlas role.

For example, inputting

{"database_name": "admin","roles": [{"databaseName":"admin","roleName":"atlasAdmin"}]}

permits the user to take on the atlasAdmin role. Users that start a session with this access level will gain temporary credentials with the level of access defined in this role.

For the access level remote ID, you must input a colon-delimited string, with the string after the first colon pointing to the initial database that the user will log into. For example, an access level remote ID named myfancyrole:test would lead to the user logging into a database with the name test when using the provisioned credentials.

The string that appears before the first colon is arbitrary. An initial database name is required.
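
The two free-text inputs above can be checked before they are saved. The following is an added example, not Opal's own code: it parses the remote ID by the first-colon rule and validates a policy against the shape of the single example on this page, flagging roles that are not limited to one database. The function names and the set of flagged roles are assumptions of this example.

```python
import json

# Atlas built-in roles that are not scoped to a single database. Which roles
# to flag is this example's assumption, not a list taken from the page.
BROAD_ROLES = {"atlasAdmin", "readWriteAnyDatabase", "readAnyDatabase"}


def parse_remote_id(remote_id):
    """Split on the first colon only; return (label, initial_database)."""
    label, sep, database = remote_id.partition(":")
    if not sep or not database:
        raise ValueError("remote ID needs '<label>:<initial database>'")
    return label, database


def review_policy(policy_text):
    """Check the policy shape shown above; return (granted_roles, warnings)."""
    policy = json.loads(policy_text)
    if not isinstance(policy, dict) or not isinstance(policy.get("database_name"), str):
        raise ValueError("policy must be an object with a string database_name")
    roles = policy.get("roles")
    if not isinstance(roles, list) or not roles:
        raise ValueError("roles must be a non-empty list")
    granted, warnings = [], []
    for role in roles:
        if not isinstance(role, dict) or not {"databaseName", "roleName"} <= set(role):
            raise ValueError(f"role entry lacks databaseName/roleName: {role!r}")
        granted.append((role["databaseName"], role["roleName"]))
        if role["roleName"] in BROAD_ROLES:
            warnings.append(f"{role['roleName']} is not scoped to one database")
    return granted, warnings


if __name__ == "__main__":
    # The page's own policy, then a constructed narrower one for comparison.
    page_policy = '{"database_name": "admin","roles": [{"databaseName":"admin","roleName":"atlasAdmin"}]}'
    narrow_policy = '{"database_name": "admin","roles": [{"databaseName":"test","roleName":"read"}]}'
    print(parse_remote_id("myfancyrole:test"))
    for text in (page_policy, narrow_policy):
        print(review_policy(text))
```

A warning does not make the policy invalid; it marks an access level whose temporary credentials reach beyond a single database and is worth a second look before it is made requestable.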

After inputting all the fields, click Save. This policy can be edited later and saved, if you want to change the permissions.

The resource, along with its corresponding access level, is now ready to be requested by Opal users. You can create, edit, and delete multiple access levels.

Click on Edit in the access level column to edit the access level. Hover over Access Levels and click on the pen to create or delete access levels.

Once the Opal user has access, they can connect to the resource via the following interface:

Clicking Connect will generate temporary credentials to your MongoDB Atlas database.


❗️Enable Opal for access management

If you want to use Opal to manage access to MongoDB Atlas resources, you will need to enable the Manage resources and groups from Opal option on the Admin page. You can read more about how to do that here.

