Skip to main content

Authentication in MongoDB

Authentication is a crucial security feature that verifies the identity of clients attempting to connect to your MongoDB deployment. MongoDB provides several authentication mechanisms to accommodate different security requirements.

Authentication Mechanismsโ€‹

Atlas User Types

In MongoDB Atlas, there are two main types of users:

  • Atlas Control Plane Users: These users manage the Atlas infrastructure, projects, and services (e.g., creating clusters, configuring network access, managing billing). They interact with the Atlas UI, API, or CLI.
  • Atlas Data Plane Users: These users are created within an Atlas project and are used by applications and clients to connect to and authenticate against the actual MongoDB databases hosted on Atlas. They have specific database roles and privileges.

MongoDB Atlas supports multiple authentication mechanisms:

  • SCRAM (Default): The default and simplest mechanism for MongoDB, providing secure authentication using salted challenge-response methods. (For production deployment we recommend using a more advanced authentication mechanism)
  • X.509 Certificate Authentication: Certificate-based authentication that uses SSL/TLS certificates for verifying client identity, typically used in environments that require high security.
  • AWS IAM Authentication:MongoDB Atlas supports AWS IAM authentication, allowing users to authenticate using their AWS Identity and Access Management roles, which is useful for integration with AWS services.
  • Workforce Identity Federation Authentication: Allows users to integrate MongoDB Atlas with external identity providers (IdPs) like Okta or Azure AD for centralized access management and single sign-on (SSO).
  • Workload Identity Federation Authentication: Enables authentication for applications and workloads by allowing them to assume predefined roles, simplifying access management for services running in hybrid or multi-cloud environments.
  • LDAP Authentication: Allows integration with corporate directory services, enabling centralized management of user access across the organization.

SCRAM Authenticationโ€‹

SCRAM (Salted Challenge Response Authentication Mechanism) is MongoDB's default authentication mechanism. It provides secure username/password authentication.

Creating a User with SCRAM Authenticationโ€‹

// In MongoDB Atlas UI: Database Access > Add New Database User
// Or using Atlas CLI:
atlas dbusers create --username demoUser --password mySecurePassword --role readWriteAnyDatabase --projectId 

Database user 'demoUser' successfully created.
Atlas Administration API
//Use Atlas Admin API
POST /api/atlas/v1.0/groups/{GROUP-ID}/databaseUsers
{
 "databaseName": "admin",
 "username": "demoUser",
 "password": "secure_password",
 "roles": [{
   "roleName": "readWrite",
   "databaseName": "myDatabase"
 }]
}

Connecting with SCRAM Authenticationโ€‹

mongosh "mongodb+srv://cluster0.example.mongodb.net/myDatabase" \
  --username demoUser \
  --password mySecurePassword

AWS IAM Authenticationโ€‹

Atlas clusters on AWS can use IAM authentication:

  1. Configure IAM Authentication in Atlas UI
  2. Create an IAM Role with necessary permissions
  3. Connect using AWS credentials:
mongosh "mongodb+srv://<atlas-host-name>/test?authSource=%24external&authMechanism=MONGODB-AWS" --username <access-key-id> --password <secret-key>

X.509 Certificate Authenticationโ€‹

Certificate-based authentication that uses SSL/TLS certificates for verifying client identity, typically used in environments that require high security.

## Create User
!atlas dbusers create --username demoX509User --x509Type MANAGED --role readAnyDatabase --projectId {project_id}

## Create the relevant certificate
!atlas dbusers certs create --username demoX509User --monthsUntilExpiration 1 --projectId {project_id} > /tmp/cert.pem

Connect using X509 via shell

mongosh "mongodb+srv://<atlas-host-name>/test?authSource=%24external&authMechanism=MONGODB-X509"  --tlsCertificateKeyFile /tmp/cert.pem

Best Practicesโ€‹

  1. User Management

    • Use Database Access page in Atlas UI for user management
    • Implement role-based access control (RBAC)
    • Regularly audit user access and permissions

  2. Connection Security

    • Use connection strings with mongodb+srv:// protocol
    • Enable Network Access List restrictions
    • Implement IP access lists

  3. Authentication Methods

    • Use AWS IAM authentication when possible for AWS deployments
    • Implement strong password policies
    • Consider X.509 for application authentication

Challenges and Exercisesโ€‹

Let's move to the Authentication challenge.

Next Stepsโ€‹

After mastering authentication, proceed to learn about Role-Based Access Control (RBAC) to implement fine-grained access control for your MongoDB deployment.