For AI agents: a documentation index is available at https://www.mongodb.com/docs/llms.txt — markdown versions of all pages are available by appending .md to any URL path.
Docs Menu

Advanced User Configuration

Learn about advanced authentication and authorization settings for database users in Atlas Data Federation, including available authentication methods. You can manage users with the Atlas CLI, the Atlas Administration API, and the Atlas UI.

Note

Atlas supports a maximum of 100 database users per Atlas project by default. If you require more than 100 database users on a project, you can use the Atlas Administration API to increase the limit. For assistance, contact Atlas support.

To use the advanced database user configurations, you must have Organization Owner, Project Owner, or Project Database Access Admin access in Atlas.

Use the Atlas CLI, Atlas Administration API, or Atlas UI to manage database users for Atlas Data Federation.

Atlas Data Federation offers the following forms of authentication for database users:

  • Password: SCRAM is MongoDB's default authentication method. SCRAM requires a password for each user.

    The authentication database for SCRAM-authenticated users is the admin database.

    Note

    By default, Atlas supports SCRAM-SHA-256 authentication. If you created a user before MongoDB 4.0, you must update MongoDB 4.0, update their passwords to generate SCRAM-SHA-256 credentials. You may reuse existing passwords.

    When to use SCRAM:

    You can use SCRAM authentication for human users and application users. For lower environments, SCRAM is a suitable authentication method. For production and higher environments, follow security best practices to keep secrets secure and short-term, such as integrating with Privileged Access Management (PAM) solutions.

  • X.509 Certificates: X.509 Certificates, also known as mutual TLS or mTLS, allow passwordless authentication by using a trusted certificate.

    The authentication database for X.509-authenticated users is the $external database.

    If you enable LDAP authorization, you can't connect to your clusters with users that authenticate with an Atlas-managed X.509 certificate. To enable LDAP and connecting to your clusters with X.509 users, see Set Up Self-Managed X.509 Certificates.

    When to use X.509:

    X.509 authentication is suitable for secure workload access when workload identity federation (OIDC) or AWS IAM authentication is not feasible, or when mutual authentication is required.

  • OIDC: OpenID Connect (OIDC) authentication enables passwordless, secretless authentication using external identity providers. Atlas supports the following types of OIDC authentication:

    The authentication database for OIDC-authenticated users is the $external database.

    OIDC authentication is available only on clusters which use MongoDB version 7.0 and higher.

    When to use OIDC:

    For human users, we recommend that you use Workforce Identity Federation with OIDC.

    For application users, we recommend that you use Workload Identity Federation with OIDC for applications that run on GCP or Azure.

  • AWS IAM: You can create a database user which uses an AWS IAM User or Role ARN for authentication.

    The authentication database for AWS IAM-authenticated users is the $external database.

    When to use AWS IAM:

    We recommend that you use AWS IAM authentication with IAM roles for application users running on AWS.

A project can have users with different authentication methods.

A user's authentication method is fixed at creation. To use a different authentication method, create a new user.