• Security Features and Setup >
• Configure Database Users

Configure Database Users

Create database users to provide clients access to the clusters in your project. A database user’s access is determined by the roles assigned to the user. When you create a database user, the user is added to all clusters in your Atlas project.

Database users are separate from Atlas users. Database users have access to MongoDB databases, while Atlas users have access to the Atlas application itself. Atlas supports creating temporary database users that automatically expire within a user-configurable 7-day period.

Atlas audits the creation, deletion, and updates of database users in the project’s Activity Feed. Atlas audits actions pertaining to both temporary and non-temporary database users. To view the project’s Activity Feed, click Activity Feed in the Project section of the left navigation. For more information on the project Activity Feed, see View All Activity.

The available Atlas database user privileges support a subset of MongoDB commands. See Unsupported Commands in M10+ Clusters for more information.

Atlas supports a maximum of 100 database users per Atlas project.

Note

If you require more than 100 database users on a project, please contact Atlas support.

Important

Atlas rolls back any user modifications not made through the UI or API. You must use the Atlas UI or API to add, modify, or delete database users on Atlas clusters.

Database User Authentication

Atlas offers the following forms of authentication for database users:

• Password Authentication
• X.509 Certificates
• AWS IAM Authentication

SCRAM is MongoDB’s default authentication method. SCRAM requires a password for each user.

The authentication database for SCRAM-authenticated users is the admin database.

X.509 Certificates allow passwordless authentication by using a trusted certificate.

The authentication database for X.509-authenticated users is the $external database.

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

You can create a database user which uses an AWS IAM user ARN for authentication.

The authentication database for AWS IAM-authenticated users is the $external database.

AWS IAM authentication is available only on clusters which use MongoDB version 4.4 and higher.

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Add Database Users

A project can have users with different authentication methods.

You cannot change a user’s authentication method after creating that user. To use an alternative authentication method, you must create a new user.

Select an authentication mechanism and follow the steps to create a new database user.

• Password Authentication
• X.509 Certificates
• AWS IAM Authentication

1

Open the Add New Database User dialog.

1. In the Security section of the left navigation, click Database Access. The Database Users tab displays.
2. Click plus icon Add New Database User.

2

Select Password.

In the Authentication Method section of the Add New Database User modal window, select the box labeled Password.

3

Enter user information.

Under Password Authentication, there are two text fields.

1. Enter a username for the new user in the top text field.
2. Enter a password for the new user in the lower text field.

To use a password auto-generated by Atlas, click the Autogenerate Secure Password button.

4

Assign user privileges.

You can assign privileges to the new user in one of the following ways:

• Select Atlas admin from the Database User Privileges dropdown menu, which provides the user with readWriteAnyDatabase as well as other administrative privileges.

• Select Read and write to any database, which allows the user to read from and write to any database.

• Select Only read any database, which allows the user to read from any database.

• If you have any custom roles defined, you can select Select pre-defined custom roles, then choose a role from the Pre-defined Custom Role dropdown menu. To learn more about custom roles, see Configure Custom Roles.

• Select Grant specific privileges to assign the user privileges on individual databases and collections.

  Note

  When applied to a collection, the read and readWrite roles in Atlas differ slightly from the built-in MongoDB read and readWrite roles.

  In Atlas, read provides the following collection-level actions:

  • collStats
  • dbHash
  • find
  • listIndexes

  In Atlas, readWrite provides the same actions as read, as well as the following additional collection-level actions:

  • convertToCapped
  • createCollection
  • createIndex
  • dropCollection
  • dropIndex
  • insert
  • remove
  • update

  For more information on authorization, see Role-Based Access Control and Built-in Roles in the MongoDB manual.

5

(Optional) Save as temporary user.

Toggle the Temporary User switch to On and choose a time after which Atlas can delete the user from the Temporary User Duration dropdown. You can select one of the following time periods for the user to exist:

• 6 hours
• 1 day
• 1 week

In the Database Users tab, temporary users display the time remaining until Atlas will delete the user. Once Atlas deletes the user, any client or application that uses the temporary user’s credententials loses access to the cluster.

6

Click Add User.

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

1

Open the Add New Database User dialog.

1. In the Security section of the left navigation, click Database Access. The Database Users tab displays.
2. Click plus icon Add New Database User.

2

Select Certificate.

In the Authentication Method section of the Add New Database User modal window, select the box marked Certificate.

3

Enter user information.

1. Enter a username for the new user in the Common Name text field.

2. (Optional) If you would like to download an Atlas-managed certificate after the new user is created, toggle the Download certificate when user is added switch to On.

   Note

   To download the certificate upon saving, you must provide a certificate expiration date.

3. (Optional) Select a certificate expiration period.

   X.509 certificates expire and are invalid after the certificate expiration date you set. A user cannot log in with an expired X.509 certificate and must be issued a new certificate.

   To help manage this, Atlas automatically creates a project-level alert when you create a new user with X.509 authentication enabled. This alert sends a notification 30 days before that user’s latest certificate expires, repeating every 24 hours. You can view and edit this alert from Atlas’s Alert Settings page. For more information on configuring alerts, see Configure Alert Settings.

   Important

   If a user loses their certificate, they will need a new certificate before they can log in again.

   Important

   You cannot revoke X.509 certificates. To revoke an X.509 certificate-authenticated user’s access to your project, you must delete that user.

   If you prefer to manage your own X.509 certificates, you can upload a PEM-encoded certificate authority through Self-Managed X.509 Certificates.

4

Assign user privileges.

You can assign privileges to the new user in one of the following ways:

• Select Atlas admin from the Database User Privileges dropdown menu, which provides the user with readWriteAnyDatabase as well as other administrative privileges.

• Select Read and write to any database, which allows the user to read from and write to any database.

• Select Only read any database, which allows the user to read from any database.

• If you have any custom roles defined, you can select Select pre-defined custom roles, then choose a role from the Pre-defined Custom Role dropdown menu. To learn more about custom roles, see Configure Custom Roles.

• Select Grant specific privileges to assign the user privileges on individual databases and collections.

  Note

  When applied to a collection, the read and readWrite roles in Atlas differ slightly from the built-in MongoDB read and readWrite roles.

  In Atlas, read provides the following collection-level actions:

  • collStats
  • dbHash
  • find
  • listIndexes

  In Atlas, readWrite provides the same actions as read, as well as the following additional collection-level actions:

  • convertToCapped
  • createCollection
  • createIndex
  • dropCollection
  • dropIndex
  • insert
  • remove
  • update

  For more information on authorization, see Role-Based Access Control and Built-in Roles in the MongoDB manual.

5

Click Add User.

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Note

AWS IAM authentication is available only on clusters which use MongoDB version 4.4 and higher.

1

Open the Add New Database User dialog.

1. In the Security section of the left navigation, click Database Access. The Database Users tab displays.
2. Click plus icon Add New Database User.

2

Select AWS IAM.

In the Authentication Method section of the Add New Database User modal window, select the box marked AWS IAM.

3

Enter user information.

1. Select a user type from the AWS IAM Type dropdown menu.
2. Enter an AWS user ARN. Click the See instruction below link for help with finding your ARN.

4

Assign user privileges.

You can assign privileges to the new user in one of the following ways:

• Select Atlas admin from the Database User Privileges dropdown menu, which provides the user with readWriteAnyDatabase as well as other administrative privileges.

• Select Read and write to any database, which allows the user to read from and write to any database.

• Select Only read any database, which allows the user to read from any database.

• If you have any custom roles defined, you can select Select pre-defined custom roles, then choose a role from the Pre-defined Custom Role dropdown menu. To learn more about custom roles, see Configure Custom Roles.

• Select Grant specific privileges to assign the user privileges on individual databases and collections.

  Note

  When applied to a collection, the read and readWrite roles in Atlas differ slightly from the built-in MongoDB read and readWrite roles.

  In Atlas, read provides the following collection-level actions:

  • collStats
  • dbHash
  • find
  • listIndexes

  In Atlas, readWrite provides the same actions as read, as well as the following additional collection-level actions:

  • convertToCapped
  • createCollection
  • createIndex
  • dropCollection
  • dropIndex
  • insert
  • remove
  • update

  For more information on authorization, see Role-Based Access Control and Built-in Roles in the MongoDB manual.

5

(Optional) Save as temporary user.

Toggle the Temporary User switch to On and choose a time after which Atlas can delete the user from the Temporary User Duration dropdown. You can select one of the following time periods for the user to exist:

• 6 hours
• 1 day
• 1 week

In the Database Users tab, temporary users display the time remaining until Atlas will delete the user. Once Atlas deletes the user, any client or application that uses the temporary user’s credententials loses access to the cluster.

6

Click Add User.

AWS IAM Connection String Example

Connecting to Atlas using AWS IAM authentication with the mongo shell requires shell version 4.4 or higher.

• Use your AWS IAM credentials, with your access key ID as your username and your secret key as your password.
• The authSource query parameter is $external, URL-encoded as %24external.
• The authMechanism query parameter is MONGODB-AWS.

Example:

copy

mongo "mongodb+srv://<atlas-host-name>/test?authSource=%24external&authMechanism=MONGODB-AWS" \
  --username <access-key-id> --password <secret-key>

You can also add database users through the Atlas API. See Create a Database User.

Modify Database Users

To modify existing users for an Atlas project:

1. In the Security section in the left navigation, click Database Access. The Database Users tab displays.

2. Click pencil icon Edit for the user you want to modify. You can modify the privileges and authentication details assigned to the user. You cannot modify the authentication method.

   • For SCRAM authenticated users, you can edit a user’s password.
   • For X.509 certificate authenticated users, you can download a new certificate.
   • For AWS IAM users, you can only modify database access privileges.

   For temporary users, you can also modify the time period the user exists or make the user a permanent user, provided the user’s expiration date has not already passed.

   Note

   You cannot change a permanent user into a temporary user. If you change a temporary user into a permanent user, you cannot make it temporary again.

3. Click Update User to save the changes.

You can also modify existing users through the Atlas API. See Update a Database User.

Delete Database Users

To delete existing users for an Atlas project:

1. In the Security section in the left navigation, click Database Access. The Database Users tab displays.
2. Click trash icon Delete next to the user you want to delete.
3. Click Delete again to confirm.

You can also delete existing users through the Atlas API. See Delete a Database User.

Database User Privileges

The following table describes the Database User Privileges and the MongoDB Built-in Roles or privilege actions they represent.

Protected MongoDB Database Namespaces

The following databases are read-only for all users, including those with the readWriteAnyDatabase role.

• admin
• local
• config

Database User Privilege	MongoDB Role	Inherited Roles or Privilege Actions
Atlas admin	atlasAdmin	readWriteAnyDatabase readAnyDatabase dbAdminAnyDatabase clusterMonitor cleanupOrphaned enableSharding flushRouterConfig moveChunk splitChunk viewUser
Read and write to any database	readWriteAnyDatabase	readWriteAnyDatabase
Only read any database	readAnyDatabase	readAnyDatabase

See Unsupported Commands in M10+ Clusters for more information on common commands not supported by the current Atlas user privileges.

←   Configure Whitelist Entries Configure Custom Roles  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.