MongoDB Atlas Service Account Credentials
Secret Value Fields
The following are the fields that must be contained in the Secrets Manager secret:
{
"clientId": "service account OAuth client ID",
"clientSecret": "service account OAuth client secret",
"orgId": "Atlas Organization ID"
}
- clientId: The MongoDB Atlas service account OAuth client ID. This must start with mdb_sa_id_ followed by a 24-character hexadecimal string.
- clientSecret: The MongoDB Atlas service account OAuth client secret used for authentication.
- orgId: The 24-character hexadecimal Atlas Organization ID. You can find this in your Atlas Organization Settings.
Secret Metadata Fields
The following are the metadata fields for MongoDB Atlas Service Account:
{
"adminSecretArn": "arn:aws-eusc:secretsmanager:eusc-de-east-1:111122223333:secret:MongoDBAtlasServiceAccount",
"apiVersion": "2025-03-12"
}
- adminSecretArn: (Optional) The Amazon Resource Name (ARN) of the secret that contains the administrative service account OAuth credentials used to rotate this service account secret. The admin secret should contain clientId and clientSecret values within its secret structure. If omitted, the service account uses its own credentials for self-rotation.
- apiVersion: (Optional) The Atlas Admin API version date in yyyy-mm-dd format. This value is used in the Accept header as application/vnd.atlas.{apiVersion}+json. Defaults to 2025-03-12 if not specified.
Usage Flow
The rotation supports two authentication modes. In self-rotation mode (default), the service account uses its own credentials to create and delete its secrets. This requires the service account to have permissions to manage its own secrets. In admin-assisted rotation mode, a separate admin service account credential stored in another secret is used. This is required when the service account lacks self-management permissions.
You can create your secret using the CreateSecretadminSecretArn field. You must provide a role ARN in the
RotateSecret
For customers opting to rotate their secrets using a separate set of credentials (stored in an Admin Secret), create the Admin Secret in AWS Secrets Manager containing the admin service account's clientId and clientSecret.
You must provide the ARN of this Admin Secret in the rotation metadata in a
RotateSecret
During rotation, the driver creates a new secret for the service account via the Atlas Admin API, verifies the new secret by generating an OAuth token, updates the secret with new credentials, and deletes the old secret.
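As an added example (not code from the MongoDB or AWS documentation), the Python check below validates a secret value and its metadata against the field rules above, derives the Accept header from apiVersion, and reports which rotation mode the metadata selects. All sample values are constructed; the ARN only follows the shape of the page's example.

```python
import re
from datetime import date

# Constructed sample secret value and metadata (not real credentials).
SECRET_VALUE = {
    "clientId": "mdb_sa_id_0123456789abcdef01234567",
    "clientSecret": "constructed-client-secret",
    "orgId": "abcdef0123456789abcdef01",
}
SECRET_METADATA = {
    "adminSecretArn": "arn:aws-eusc:secretsmanager:eusc-de-east-1:111122223333:secret:MongoDBAtlasServiceAccount",
    "apiVersion": "2025-03-12",
}

CLIENT_ID_RE = re.compile(r"^mdb_sa_id_[0-9a-fA-F]{24}$")   # mdb_sa_id_ + 24 hex chars
HEX24_RE = re.compile(r"^[0-9a-fA-F]{24}$")                  # Atlas Organization ID
API_VERSION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")           # yyyy-mm-dd
DEFAULT_API_VERSION = "2025-03-12"                           # page's documented default


def validate_secret_value(value):
    """Return a list of problems with the secret value fields; an empty list means valid."""
    problems = []
    for key in ("clientId", "clientSecret", "orgId"):
        if not isinstance(value.get(key), str) or not value.get(key):
            problems.append(f"missing or empty field: {key}")
    if isinstance(value.get("clientId"), str) and not CLIENT_ID_RE.match(value["clientId"]):
        problems.append("clientId must be mdb_sa_id_ followed by 24 hexadecimal characters")
    if isinstance(value.get("orgId"), str) and not HEX24_RE.match(value["orgId"]):
        problems.append("orgId must be a 24-character hexadecimal string")
    return problems


def api_version(metadata):
    """Resolve apiVersion, applying the default and rejecting anything not a real yyyy-mm-dd date."""
    version = metadata.get("apiVersion", DEFAULT_API_VERSION)
    if not API_VERSION_RE.match(version):
        raise ValueError(f"apiVersion must be yyyy-mm-dd, got {version!r}")
    date.fromisoformat(version)  # raises ValueError for an impossible calendar date
    return version


def accept_header(metadata):
    """Build the Accept header value the rotation sends to the Atlas Admin API."""
    return f"application/vnd.atlas.{api_version(metadata)}+json"


def rotation_mode(metadata):
    """adminSecretArn present -> admin-assisted rotation; absent -> self-rotation (default)."""
    return "admin-assisted" if metadata.get("adminSecretArn") else "self-rotation"
```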