DEV Community

loading...
Cover image for Authorize Atlas to Access your AWS Account

Authorize Atlas to Access your AWS Account

Naresh Maharaj
・2 min read

AWS IAM Role Access

In MongoDB Atlas you may at some stage wish to use a cloud provider to either store files to S3, encrypt at rest and so on.

MongoDB Atlas allows you to configure the Cloud Provider Role and authenticate that role to use later as a service.

In this article we use terraform to

1) Create the Cloud Service in MongoDB Atlas
2) Get the external ref from Atlas and provide this as a trusted source to a Role on your own AWS Account.
3) Authenticate the role as an Assumed Role to Atlas.

https://github.com/nareshmaharaj-consultant/atlas_cloud_provider_terraform

Use the following

variables.tf

variable "mongodb_atlas_api_pub_key" {
 default = "qvesfrig"
}

variable "mongodb_atlas_api_pri_key" {
 default = "enter your private key here"
}

variable "mongodb_atlas_project_id" {
 default = "60ab6ed5fb4a1f43c4950e71"
}

variable "atlas_project_name" {
  type        = string
  description = "Name of the Atlas project the role is associated with"
  default     = "my-atlas"
}

variable "account_name" {
  type        = string
  description = "Name of the AWS account.  Used as a name prefix"
  default     =  "naresh.maharaj"
}

variable "tags" {
  type        = map(string)
  description = "Key/value pairs of additional information attached to resources"
  default     = {}
}

variable "atlas_aws_root_account_id" {
  type        = number
  description = "Atlas AWS root account ARN IAM account id"
  default     = "536727724300"
}

variable "aws_root_account_id" {
  type        = number
  description = "Atlas AWS root account ARN IAM account id"
  default     = "521195893806"
}

variable "atlas_external_ids" {
  type        = list(any)
  description = "List of unique external IDs (per-Atlas project)"
  default     = []
}
Enter fullscreen mode Exit fullscreen mode

main.tf

terraform {
  required_providers {
    mongodbatlas = {
      source = "mongodb/mongodbatlas"
      version = "0.9.1"
    }
  }
}

provider "mongodbatlas" {
  # Configuration options
  public_key  = var.mongodb_atlas_api_pub_key
  private_key = var.mongodb_atlas_api_pri_key
}

resource "mongodbatlas_cloud_provider_access" "test_role" {
  project_id    = "${var.mongodb_atlas_project_id}"
  provider_name = "AWS"
}

data "aws_iam_policy_document" "atlas-assume-role-policy" {
  statement {
    sid     = "rolepolicy"
    actions = ["sts:AssumeRole"]

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["${mongodbatlas_cloud_provider_access.test_role.atlas_assumed_role_external_id}"]
    }

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.atlas_aws_root_account_id}:root"]
    }

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "atlas-cmk-access-role" {
  name               = "${var.account_name}-atlas-cmk-${var.atlas_project_name}-role"
  tags               = merge({ "Name" = "${var.account_name}-atlas-cmk-role" }, var.tags)
  assume_role_policy = data.aws_iam_policy_document.atlas-assume-role-policy.json
}

resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
   project_id =  mongodbatlas_cloud_provider_access.test_role.project_id
   role_id    =  mongodbatlas_cloud_provider_access.test_role.role_id

   aws = {
      iam_assumed_role_arn = "arn:aws:iam::${var.aws_root_account_id}:role/${var.account_name}-atlas-cmk-${var.atlas_project_name}-role"
   }
}


output "atlas_assumed_role_external_id" {
  value = mongodbatlas_cloud_provider_access.test_role.atlas_assumed_role_external_id
}
Enter fullscreen mode Exit fullscreen mode

Run

terraform init
terraform plan ( check everything meets your expectations )
terraform apply

Discussion (0)