Set Up Unified AWS Access

Some Atlas features, including Data Lakes and Encryption at Rest, use AWS IAM roles for authentication. When Atlas accesses AWS services, it does so through an assumed IAM role.

You can set up an assumed IAM role for your Atlas account to use with the Atlas API or UI.

Note

If you have Encryption at Rest enabled for your cluster and you want to set up a new IAM role, be sure the new role has access to the existing KMS.

  1. Expand the Options menu next to your project name in the Atlas UI upper left corner. Select Integrations.
  2. Click the Configure button in the AWS IAM Role Access panel.

    Note: if you already have one or more roles configured, the button reads Edit.

  3. Click the Authorize an AWS IAM Role button.
  4. Read through the Overview instructions, then click Next.
  5. If you'd like to create a new AWS IAM role for use with Atlas, use the Create New Role with the AWS CLI procedure. If you have an existing AWS IAM role you want to authorize for Atlas, use the Add Trust Relationships to an Existing Role procedure.

Create New Role with the AWS CLI

  1. Click Create New Role with the AWS CLI to expand the next section.
  2. Copy the JSON text and save it to a file named role-trust-policy.json.
  3. Enter a name for your new AWS IAM role in the text box.
  4. If you don't already have the AWS Command Line Interface (CLI) installed, see the documentation. If you do have the AWS CLI installed, proceed to the next step.
  5. Copy the CLI command and enter it at the command prompt.
  6. If successful, the CLI command returns a JSON document with information about the newly created AWS IAM role. Locate the field named Arn and copy it into the text box labelled Enter the Role ARN in the Atlas modal window.
  7. Click Validate and Finish.

Add Trust Relationships to an Existing Role

  1. Click Add Trust Relationships to an Existing Role to expand the next section.
  2. Copy the JSON trust relationship text.
  3. In your AWS web console, navigate to the Roles section of the IAM dashboard.
  4. Click on the role you want to authorize.
  5. Select the Trust relationships tab.
  6. Click the Edit trust relationship button.
  7. Replace the existing text with the JSON text you copied in step 2.
  8. Click Update Trust Policy.
  9. Copy the Role ARN and paste it in the Atlas modal window, in the text box labelled Enter the Role ARN.
  10. Click Validate and Finish.
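
Before creating the role from role-trust-policy.json, or pasting the JSON into an existing role's trust relationship, you can lint the document locally. The following is an added example, not Atlas or AWS tooling. It assumes the policy has the usual AWS cross-account shape (an AWS principal, the sts:AssumeRole action and an sts:ExternalId condition); the function names are hypothetical and the account ID and external ID in the sample are constructed placeholders.

```python
import json

# Constructed sample with placeholder values; not a policy issued by Atlas.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}"""


def as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(text):
    """Return findings for a role trust policy; an empty list means it passed."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(policy, dict):
        return ["top level is not a JSON object"]
    allows = [s for s in as_list(policy.get("Statement"))
              if isinstance(s, dict) and s.get("Effect") == "Allow"]
    findings = [] if allows else ["no Allow statement"]
    for n, stmt in enumerate(allows, 1):
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS")) if isinstance(principal, dict) else as_list(principal)
        if not aws:
            findings.append(f"statement {n}: no AWS principal")
        if "*" in aws:
            findings.append(f"statement {n}: wildcard principal")
        if "sts:AssumeRole" not in as_list(stmt.get("Action")):
            findings.append(f"statement {n}: Action is not sts:AssumeRole")
        cond = stmt.get("Condition")
        equals = cond.get("StringEquals") if isinstance(cond, dict) else None
        # Condition keys are case-insensitive in IAM, so compare in lower case.
        keys = {k.lower() for k in equals} if isinstance(equals, dict) else set()
        if "sts:externalid" not in keys:
            findings.append(f"statement {n}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print(lint_trust_policy(SAMPLE_POLICY) or "trust policy passed all checks")
```

To check your own file, pass its contents to the function, for example `lint_trust_policy(open("role-trust-policy.json").read())`.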

If you cancel a procedure to authorize an AWS IAM role for use with Atlas, you can resume it where you left off.

  1. Expand the Options menu next to your project name in the Atlas UI upper left corner. Select Integrations.
  2. Click the Configure button in the AWS IAM Role Access panel.

    Note: if you already have one or more roles configured, the button reads Edit.

  3. Any roles with an ongoing authorization procedure are listed with an in progress status. Click the Resume button to resume the authorization process.

To cancel an in-progress role authorization completely, click the Delete icon next to the in-progress role.

You can deauthorize an existing AWS IAM role from your Atlas account with the Atlas API or the Atlas UI.

Note

Be sure to remove any associated Atlas services from the IAM role before you deauthorize it.

  1. Expand the Options menu next to your project name in the Atlas UI upper left corner. Select Integrations.
  2. Click the Edit button in the AWS IAM Role Access panel.
  3. Click the Delete button next to the IAM role you want to deauthorize.