Create a Cloud Provider Access Role

The Atlas API uses HTTP Digest Authentication. Provide a programmatic API public key and corresponding private key as the username and password when constructing the HTTP request.

For complete documentation on configuring API access for an Atlas project, see Configure Atlas API Access.

Note

Groups and projects are synonymous terms. Your {GROUP-ID} is the same as your project ID. For existing groups, your group/project ID remains the same. The resource and corresponding endpoints use the term groups.

Workflow

After a successful request to this API endpoint, you can add the atlasAWSAccountArn and atlasAssumedRoleExternalId values to the trust policy in your AWS console to create an IAM Assumed Role ARN. See Set Up Unified AWS Access for the complete procedure.

Resource

Base URL: https://cloud.mongodb.com/api/atlas/v1.0

POST /groups/{GROUP-ID}/cloudProviderAccess

Request Path Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| GROUP-ID | string | The unique identifier for the project whose cloud provider roles you want to retrieve. |

Request Query Parameters

The following query parameters are optional:

| Query Parameter | Type | Description | Default |
| --- | --- | --- | --- |
| pretty | boolean | Displays response in a prettyprint format. | false |
| envelope | boolean | Specifies whether or not to wrap the response in an envelope. | false |

Request Body Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| providerName | string | The cloud provider for which to create a new role. Currently only AWS is supported. |

Response

The HTTP document contains the following elements:

| Name | Type | Description |
| --- | --- | --- |
| atlasAWSAccountArn | string | ARN associated with the Atlas AWS account used to assume IAM roles in your AWS account. |
| atlasAssumedRoleExternalId | string | Unique external ID Atlas uses when assuming the IAM role in your AWS account. |
| authorizedDate | date | Date on which this role was authorized. |
| createdDate | date | Date on which this role was created. |
| featureUsages | array | Atlas features this AWS IAM role is linked to. |
| iamAssumedRoleArn | string | ARN of the IAM Role that Atlas assumes when accessing resources in your AWS account. |
| providerName | string | Name of the cloud provider. Currently limited to AWS. |
| roleId | string | Unique ID of this role. |

Example Request

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" -X POST --digest \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/cloudProviderAccess?pretty=true" \
     --data '{ "providerName": "AWS" }'

Example Response

{
  "atlasAWSAccountArn" : "arn:aws:iam::123456789012:root",
  "atlasAssumedRoleExternalId" : "3192be49-6e76-4b7d-a7b8-b486a8fc4483",
  "authorizedDate" : null,
  "createdDate" : "2020-07-30T20:20:36Z",
  "featureUsages" : [ ],
  "iamAssumedRoleArn" : null,
  "providerName" : "AWS",
  "roleId" : "5f232b94af0a6b41747bcc2d"
}
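
The Workflow step above, as an added example that is not part of the Atlas documentation: it turns the two response values into the IAM trust policy document for the role in your AWS account, and refuses to emit a policy that lacks the external ID condition. The helper name `build_trust_policy` is hypothetical, and the check that the principal is an account-root ARN is an assumption based on the sample response.

```python
import json
import re

# Constructed sample input: the example response shown on this page.
SAMPLE_RESPONSE = {
    "atlasAWSAccountArn": "arn:aws:iam::123456789012:root",
    "atlasAssumedRoleExternalId": "3192be49-6e76-4b7d-a7b8-b486a8fc4483",
    "authorizedDate": None,
    "createdDate": "2020-07-30T20:20:36Z",
    "featureUsages": [],
    "iamAssumedRoleArn": None,
    "providerName": "AWS",
    "roleId": "5f232b94af0a6b41747bcc2d",
}

# Assumption: the principal is an account-root ARN, as in the sample response.
_ROOT_ARN = re.compile(r"arn:aws:iam::\d{12}:root")


def build_trust_policy(response: dict) -> dict:
    """Hypothetical helper: build an IAM trust policy from the API response."""
    if response.get("providerName") != "AWS":
        raise ValueError("expected providerName AWS")
    arn = response.get("atlasAWSAccountArn") or ""
    external_id = response.get("atlasAssumedRoleExternalId") or ""
    if not _ROOT_ARN.fullmatch(arn):
        raise ValueError(f"unexpected principal ARN: {arn!r}")
    # Fail closed: the sts:ExternalId condition is the confused-deputy guard,
    # so never emit a trust policy without it.
    if not external_id:
        raise ValueError("missing atlasAssumedRoleExternalId")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(SAMPLE_RESPONSE), indent=2))
```
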