Provisioning IAM Roles for MongoDB Atlas Integration
PythonTo provision IAM roles for MongoDB Atlas integration on AWS, you'll need to create an AWS IAM Role that can be assumed by MongoDB Atlas. This role must have the necessary permissions policies attached that allow MongoDB Atlas to manage AWS resources on your behalf. Typically, this is done through a trust relationship policy document that allows the MongoDB Atlas service to assume the role.
Below, I'll walk you through a Pulumi program written in Python that sets up an AWS IAM Role for MongoDB Atlas integration. This program does the following:
- Creates an IAM Role with a trust policy that allows the MongoDB Atlas service principal to assume the role.
- Attaches policies to the role that grant the necessary permissions for MongoDB Atlas to function correctly (the exact permissions required will depend on your use case and should be defined according to the principle of least privilege).
Here's a step-by-step Pulumi program to achieve this:
import pulumi import pulumi_aws as aws from typing import Any # Replace YOUR_ACCOUNT_ID with the AWS account ID and YOUR_EXTERNAL_ID with the external ID provided by MongoDB Atlas. mongodb_atlas_account_id = "YOUR_ACCOUNT_ID" external_id = "YOUR_EXTERNAL_ID" # A trust relationship policy document that allows the role to be assumed by MongoDB Atlas. assume_role_policy = pulumi.Output.all(mongodb_atlas_account_id, external_id).apply( lambda args: aws.iam.get_policy_document( statements=[ { "actions": ["sts:AssumeRole"], "conditions": [ { "test": "StringEquals", "variable": "sts:ExternalId", "values": [args[1]], }, ], "effect": "Allow", "principals": [ { "identifiers": [f"arn:aws:iam::{args[0]}:root"], "type": "AWS", }, ], }, ], )) # Create the IAM Role for MongoDB Atlas integration with the trust policy document. mongodb_atlas_role = aws.iam.Role("mongodb-atlas-role", assume_role_policy=assume_role_policy.json, description="IAM Role for MongoDB Atlas integration") # An example policy document that allows READ access to an S3 bucket. You would need to tailor this for MongoDB Atlas' specific needs. mongo_db_policy_doc = aws.iam.get_policy_document( statements=[ { "actions": [ "s3:GetObject", "s3:ListBucket", ], "resources": [ "arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*" ], "effect": "Allow", }, ]) # Create a Policy and attach it to the role. Update the policy as per MongoDB Atlas requirements. policy = aws.iam.Policy("mongodb-atlas-policy", policy=mongo_db_policy_doc.json) role_policy_attachment = aws.iam.RolePolicyAttachment("mongodb-atlas-role-policy-attachment", role=mongodb_atlas_role.name, policy_arn=policy.arn ) # Output the IAM Role ARN, which can be used to configure MongoDB Atlas. pulumi.export("mongodb_atlas_role_arn", mongodb_atlas_role.arn)In this program:
- We define an
assume_role_policyusing Pulumi'sget_policy_documentfunction. This policy document specifies the action"sts:AssumeRole"and conditions necessary for MongoDB Atlas to assume the role, including the use of an external ID for added security. - We create an IAM Role named
mongodb-atlas-roleand assign it theassume_role_policy. - We create a sample IAM Policy document granting read access to an S3 bucket, which is merely for illustrative purposes, and you should replace it with the specific permissions MongoDB Atlas needs.
- We create a Policy
mongodb-atlas-policyand attach this policy to the IAM Role usingRolePolicyAttachment. - Finally, we export the ARN of the created IAM Role so that it can be used to configure MongoDB Atlas.
Please replace the placeholders
YOUR_ACCOUNT_ID,YOUR_EXTERNAL_ID, and the example policy document with actual values relevant to your MongoDB Atlas integration.You will need to install the Pulumi AWS library if it is not already installed, which you can do by running
pip install pulumi_aws. After writing this code in a file (e.g.,__main__.py), you can deploy it usingpulumi up. Make sure you've configured your AWS credentials for Pulumi.