MongoDB Atlas v3.30.0, Mar 21 25

MongoDB Atlas v3.30.0 published on Friday, Mar 21, 2025 by Pulumi

mongodbatlas.DatabaseUser

Explore with Pulumi AI

MongoDB Atlas v3.30.0 published on Friday, Mar 21, 2025 by Pulumi

# Resource: mongodbatlas.DatabaseUser

mongodbatlas.DatabaseUser provides a Database User resource. This represents a database user which will be applied to all clusters within the project.

Each user has a set of roles that provide access to the project’s databases. User’s roles apply to all the clusters in the project: if two clusters have a products database and a user has a role granting read access on the products database, the user has that access on both clusters.

NOTE: Groups and projects are synonymous terms. You may find group_id in the official documentation.

WARNING: The password argument is required for creation but should be removed after creation if it will be managed externally. More details can be found in the password argument documentation.

IMPORTANT: All arguments including the password will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as mongodbatlas from "@pulumi/mongodbatlas";

const test = new mongodbatlas.DatabaseUser("test", {
    username: "test-acc-username",
    password: "test-acc-password",
    projectId: "<PROJECT-ID>",
    authDatabaseName: "admin",
    roles: [
        {
            roleName: "readWrite",
            databaseName: "dbforApp",
        },
        {
            roleName: "readAnyDatabase",
            databaseName: "admin",
        },
    ],
    labels: [{
        key: "My Key",
        value: "My Value",
    }],
    scopes: [
        {
            name: "My cluster name",
            type: "CLUSTER",
        },
        {
            name: "My second cluster name",
            type: "CLUSTER",
        },
    ],
});

import pulumi
import pulumi_mongodbatlas as mongodbatlas

test = mongodbatlas.DatabaseUser("test",
    username="test-acc-username",
    password="test-acc-password",
    project_id="<PROJECT-ID>",
    auth_database_name="admin",
    roles=[
        {
            "role_name": "readWrite",
            "database_name": "dbforApp",
        },
        {
            "role_name": "readAnyDatabase",
            "database_name": "admin",
        },
    ],
    labels=[{
        "key": "My Key",
        "value": "My Value",
    }],
    scopes=[
        {
            "name": "My cluster name",
            "type": "CLUSTER",
        },
        {
            "name": "My second cluster name",
            "type": "CLUSTER",
        },
    ])

package main

import (
	"github.com/pulumi/pulumi-mongodbatlas/sdk/v3/go/mongodbatlas"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := mongodbatlas.NewDatabaseUser(ctx, "test", &mongodbatlas.DatabaseUserArgs{
			Username:         pulumi.String("test-acc-username"),
			Password:         pulumi.String("test-acc-password"),
			ProjectId:        pulumi.String("<PROJECT-ID>"),
			AuthDatabaseName: pulumi.String("admin"),
			Roles: mongodbatlas.DatabaseUserRoleArray{
				&mongodbatlas.DatabaseUserRoleArgs{
					RoleName:     pulumi.String("readWrite"),
					DatabaseName: pulumi.String("dbforApp"),
				},
				&mongodbatlas.DatabaseUserRoleArgs{
					RoleName:     pulumi.String("readAnyDatabase"),
					DatabaseName: pulumi.String("admin"),
				},
			},
			Labels: mongodbatlas.DatabaseUserLabelArray{
				&mongodbatlas.DatabaseUserLabelArgs{
					Key:   pulumi.String("My Key"),
					Value: pulumi.String("My Value"),
				},
			},
			Scopes: mongodbatlas.DatabaseUserScopeArray{
				&mongodbatlas.DatabaseUserScopeArgs{
					Name: pulumi.String("My cluster name"),
					Type: pulumi.String("CLUSTER"),
				},
				&mongodbatlas.DatabaseUserScopeArgs{
					Name: pulumi.String("My second cluster name"),
					Type: pulumi.String("CLUSTER"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Mongodbatlas = Pulumi.Mongodbatlas;

return await Deployment.RunAsync(() => 
{
    var test = new Mongodbatlas.DatabaseUser("test", new()
    {
        Username = "test-acc-username",
        Password = "test-acc-password",
        ProjectId = "<PROJECT-ID>",
        AuthDatabaseName = "admin",
        Roles = new[]
        {
            new Mongodbatlas.Inputs.DatabaseUserRoleArgs
            {
                RoleName = "readWrite",
                DatabaseName = "dbforApp",
            },
            new Mongodbatlas.Inputs.DatabaseUserRoleArgs
            {
                RoleName = "readAnyDatabase",
                DatabaseName = "admin",
            },
        },
        Labels = new[]
        {
            new Mongodbatlas.Inputs.DatabaseUserLabelArgs
            {
                Key = "My Key",
                Value = "My Value",
            },
        },
        Scopes = new[]
        {
            new Mongodbatlas.Inputs.DatabaseUserScopeArgs
            {
                Name = "My cluster name",
                Type = "CLUSTER",
            },
            new Mongodbatlas.Inputs.DatabaseUserScopeArgs
            {
                Name = "My second cluster name",
                Type = "CLUSTER",
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.mongodbatlas.DatabaseUser;
import com.pulumi.mongodbatlas.DatabaseUserArgs;
import com.pulumi.mongodbatlas.inputs.DatabaseUserRoleArgs;
import com.pulumi.mongodbatlas.inputs.DatabaseUserLabelArgs;
import com.pulumi.mongodbatlas.inputs.DatabaseUserScopeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new DatabaseUser("test", DatabaseUserArgs.builder()
            .username("test-acc-username")
            .password("test-acc-password")
            .projectId("<PROJECT-ID>")
            .authDatabaseName("admin")
            .roles(            
                DatabaseUserRoleArgs.builder()
                    .roleName("readWrite")
                    .databaseName("dbforApp")
                    .build(),
                DatabaseUserRoleArgs.builder()
                    .roleName("readAnyDatabase")
                    .databaseName("admin")
                    .build())
            .labels(DatabaseUserLabelArgs.builder()
                .key("My Key")
                .value("My Value")
                .build())
            .scopes(            
                DatabaseUserScopeArgs.builder()
                    .name("My cluster name")
                    .type("CLUSTER")
                    .build(),
                DatabaseUserScopeArgs.builder()
                    .name("My second cluster name")
                    .type("CLUSTER")
                    .build())
            .build());

    }
}

resources:
  test:
    type: mongodbatlas:DatabaseUser
    properties:
      username: test-acc-username
      password: test-acc-password
      projectId: <PROJECT-ID>
      authDatabaseName: admin
      roles:
        - roleName: readWrite
          databaseName: dbforApp
        - roleName: readAnyDatabase
          databaseName: admin
      labels:
        - key: My Key
          value: My Value
      scopes:
        - name: My cluster name
          type: CLUSTER
        - name: My second cluster name
          type: CLUSTER

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as mongodbatlas from "@pulumi/mongodbatlas";

const test = new mongodbatlas.DatabaseUser("test", {
    username: "test-acc-username",
    x509Type: "MANAGED",
    projectId: "<PROJECT-ID>",
    authDatabaseName: "$external",
    roles: [{
        roleName: "readAnyDatabase",
        databaseName: "admin",
    }],
    labels: [{
        key: "%s",
        value: "%s",
    }],
    scopes: [{
        name: "My cluster name",
        type: "CLUSTER",
    }],
});

import pulumi
import pulumi_mongodbatlas as mongodbatlas

test = mongodbatlas.DatabaseUser("test",
    username="test-acc-username",
    x509_type="MANAGED",
    project_id="<PROJECT-ID>",
    auth_database_name="$external",
    roles=[{
        "role_name": "readAnyDatabase",
        "database_name": "admin",
    }],
    labels=[{
        "key": "%s",
        "value": "%s",
    }],
    scopes=[{
        "name": "My cluster name",
        "type": "CLUSTER",
    }])

package main

import (
	"github.com/pulumi/pulumi-mongodbatlas/sdk/v3/go/mongodbatlas"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := mongodbatlas.NewDatabaseUser(ctx, "test", &mongodbatlas.DatabaseUserArgs{
			Username:         pulumi.String("test-acc-username"),
			X509Type:         pulumi.String("MANAGED"),
			ProjectId:        pulumi.String("<PROJECT-ID>"),
			AuthDatabaseName: pulumi.String("$external"),
			Roles: mongodbatlas.DatabaseUserRoleArray{
				&mongodbatlas.DatabaseUserRoleArgs{
					RoleName:     pulumi.String("readAnyDatabase"),
					DatabaseName: pulumi.String("admin"),
				},
			},
			Labels: mongodbatlas.DatabaseUserLabelArray{
				&mongodbatlas.DatabaseUserLabelArgs{
					Key:   pulumi.String("%s"),
					Value: pulumi.String("%s"),
				},
			},
			Scopes: mongodbatlas.DatabaseUserScopeArray{
				&mongodbatlas.DatabaseUserScopeArgs{
					Name: pulumi.String("My cluster name"),
					Type: pulumi.String("CLUSTER"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Mongodbatlas = Pulumi.Mongodbatlas;

return await Deployment.RunAsync(() => 
{
    var test = new Mongodbatlas.DatabaseUser("test", new()
    {
        Username = "test-acc-username",
        X509Type = "MANAGED",
        ProjectId = "<PROJECT-ID>",
        AuthDatabaseName = "$external",
        Roles = new[]
        {
            new Mongodbatlas.Inputs.DatabaseUserRoleArgs
            {
                RoleName = "readAnyDatabase",
                DatabaseName = "admin",
            },
        },
        Labels = new[]
        {
            new Mongodbatlas.Inputs.DatabaseUserLabelArgs
            {
                Key = "%s",
                Value = "%s",
            },
        },
        Scopes = new[]
        {
            new Mongodbatlas.Inputs.DatabaseUserScopeArgs
            {
                Name = "My cluster name",
                Type = "CLUSTER",
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.mongodbatlas.DatabaseUser;
import com.pulumi.mongodbatlas.DatabaseUserArgs;
import com.pulumi.mongodbatlas.inputs.DatabaseUserRoleArgs;
import com.pulumi.mongodbatlas.inputs.DatabaseUserLabelArgs;
import com.pulumi.mongodbatlas.inputs.DatabaseUserScopeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new DatabaseUser("test", DatabaseUserArgs.builder()
            .username("test-acc-username")
            .x509Type("MANAGED")
            .projectId("<PROJECT-ID>")
            .authDatabaseName("$external")
            .roles(DatabaseUserRoleArgs.builder()
                .roleName("readAnyDatabase")
                .databaseName("admin")
                .build())
            .labels(DatabaseUserLabelArgs.builder()
                .key("%s")
                .value("%s")
                .build())
            .scopes(DatabaseUserScopeArgs.builder()
                .name("My cluster name")
                .type("CLUSTER")
                .build())
            .build());

    }
}

resources:
  test:
    type: mongodbatlas:DatabaseUser
    properties:
      username: test-acc-username
      x509Type: MANAGED
      projectId: <PROJECT-ID>
      authDatabaseName: $external
      roles:
        - roleName: readAnyDatabase
          databaseName: admin
      labels:
        - key: '%s'
          value: '%s'
      scopes:
        - name: My cluster name
          type: CLUSTER

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as mongodbatlas from "@pulumi/mongodbatlas";

const test = new mongodbatlas.DatabaseUser("test", {
    username: testAwsIamRole.arn,
    projectId: "<PROJECT-ID>",
    authDatabaseName: "$external",
    awsIamType: "ROLE",
    roles: [{
        roleName: "readAnyDatabase",
        databaseName: "admin",
    }],
    labels: [{
        key: "%s",
        value: "%s",
    }],
    scopes: [{
        name: "My cluster name",
        type: "CLUSTER",
    }],
});

import pulumi
import pulumi_mongodbatlas as mongodbatlas

test = mongodbatlas.DatabaseUser("test",
    username=test_aws_iam_role["arn"],
    project_id="<PROJECT-ID>",
    auth_database_name="$external",
    aws_iam_type="ROLE",
    roles=[{
        "role_name": "readAnyDatabase",
        "database_name": "admin",
    }],
    labels=[{
        "key": "%s",
        "value": "%s",
    }],
    scopes=[{
        "name": "My cluster name",
        "type": "CLUSTER",
    }])

package main

import (
	"github.com/pulumi/pulumi-mongodbatlas/sdk/v3/go/mongodbatlas"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := mongodbatlas.NewDatabaseUser(ctx, "test", &mongodbatlas.DatabaseUserArgs{
			Username:         pulumi.Any(testAwsIamRole.Arn),
			ProjectId:        pulumi.String("<PROJECT-ID>"),
			AuthDatabaseName: pulumi.String("$external"),
			AwsIamType:       pulumi.String("ROLE"),
			Roles: mongodbatlas.DatabaseUserRoleArray{
				&mongodbatlas.DatabaseUserRoleArgs{
					RoleName:     pulumi.String("readAnyDatabase"),
					DatabaseName: pulumi.String("admin"),
				},
			},
			Labels: mongodbatlas.DatabaseUserLabelArray{
				&mongodbatlas.DatabaseUserLabelArgs{
					Key:   pulumi.String("%s"),
					Value: pulumi.String("%s"),
				},
			},
			Scopes: mongodbatlas.DatabaseUserScopeArray{
				&mongodbatlas.DatabaseUserScopeArgs{
					Name: pulumi.String("My cluster name"),
					Type: pulumi.String("CLUSTER"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Mongodbatlas = Pulumi.Mongodbatlas;

return await Deployment.RunAsync(() => 
{
    var test = new Mongodbatlas.DatabaseUser("test", new()
    {
        Username = testAwsIamRole.Arn,
        ProjectId = "<PROJECT-ID>",
        AuthDatabaseName = "$external",
        AwsIamType = "ROLE",
        Roles = new[]
        {
            new Mongodbatlas.Inputs.DatabaseUserRoleArgs
            {
                RoleName = "readAnyDatabase",
                DatabaseName = "admin",
            },
        },
        Labels = new[]
        {
            new Mongodbatlas.Inputs.DatabaseUserLabelArgs
            {
                Key = "%s",
                Value = "%s",
            },
        },
        Scopes = new[]
        {
            new Mongodbatlas.Inputs.DatabaseUserScopeArgs
            {
                Name = "My cluster name",
                Type = "CLUSTER",
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.mongodbatlas.DatabaseUser;
import com.pulumi.mongodbatlas.DatabaseUserArgs;
import com.pulumi.mongodbatlas.inputs.DatabaseUserRoleArgs;
import com.pulumi.mongodbatlas.inputs.DatabaseUserLabelArgs;
import com.pulumi.mongodbatlas.inputs.DatabaseUserScopeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new DatabaseUser("test", DatabaseUserArgs.builder()
            .username(testAwsIamRole.arn())
            .projectId("<PROJECT-ID>")
            .authDatabaseName("$external")
            .awsIamType("ROLE")
            .roles(DatabaseUserRoleArgs.builder()
                .roleName("readAnyDatabase")
                .databaseName("admin")
                .build())
            .labels(DatabaseUserLabelArgs.builder()
                .key("%s")
                .value("%s")
                .build())
            .scopes(DatabaseUserScopeArgs.builder()
                .name("My cluster name")
                .type("CLUSTER")
                .build())
            .build());

    }
}

resources:
  test:
    type: mongodbatlas:DatabaseUser
    properties:
      username: ${testAwsIamRole.arn}
      projectId: <PROJECT-ID>
      authDatabaseName: $external
      awsIamType: ROLE
      roles:
        - roleName: readAnyDatabase
          databaseName: admin
      labels:
        - key: '%s'
          value: '%s'
      scopes:
        - name: My cluster name
          type: CLUSTER

Example of how to create a OIDC federated authentication user

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as mongodbatlas from "@pulumi/mongodbatlas";

const test = new mongodbatlas.DatabaseUser("test", {
    username: "64d613677e1ad50839cce4db/testUserOr",
    projectId: "6414908c207f4d22f4d8f232",
    authDatabaseName: "admin",
    oidcAuthType: "IDP_GROUP",
    roles: [{
        roleName: "readWriteAnyDatabase",
        databaseName: "admin",
    }],
});

import pulumi
import pulumi_mongodbatlas as mongodbatlas

test = mongodbatlas.DatabaseUser("test",
    username="64d613677e1ad50839cce4db/testUserOr",
    project_id="6414908c207f4d22f4d8f232",
    auth_database_name="admin",
    oidc_auth_type="IDP_GROUP",
    roles=[{
        "role_name": "readWriteAnyDatabase",
        "database_name": "admin",
    }])

package main

import (
	"github.com/pulumi/pulumi-mongodbatlas/sdk/v3/go/mongodbatlas"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := mongodbatlas.NewDatabaseUser(ctx, "test", &mongodbatlas.DatabaseUserArgs{
			Username:         pulumi.String("64d613677e1ad50839cce4db/testUserOr"),
			ProjectId:        pulumi.String("6414908c207f4d22f4d8f232"),
			AuthDatabaseName: pulumi.String("admin"),
			OidcAuthType:     pulumi.String("IDP_GROUP"),
			Roles: mongodbatlas.DatabaseUserRoleArray{
				&mongodbatlas.DatabaseUserRoleArgs{
					RoleName:     pulumi.String("readWriteAnyDatabase"),
					DatabaseName: pulumi.String("admin"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Mongodbatlas = Pulumi.Mongodbatlas;

return await Deployment.RunAsync(() => 
{
    var test = new Mongodbatlas.DatabaseUser("test", new()
    {
        Username = "64d613677e1ad50839cce4db/testUserOr",
        ProjectId = "6414908c207f4d22f4d8f232",
        AuthDatabaseName = "admin",
        OidcAuthType = "IDP_GROUP",
        Roles = new[]
        {
            new Mongodbatlas.Inputs.DatabaseUserRoleArgs
            {
                RoleName = "readWriteAnyDatabase",
                DatabaseName = "admin",
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.mongodbatlas.DatabaseUser;
import com.pulumi.mongodbatlas.DatabaseUserArgs;
import com.pulumi.mongodbatlas.inputs.DatabaseUserRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new DatabaseUser("test", DatabaseUserArgs.builder()
            .username("64d613677e1ad50839cce4db/testUserOr")
            .projectId("6414908c207f4d22f4d8f232")
            .authDatabaseName("admin")
            .oidcAuthType("IDP_GROUP")
            .roles(DatabaseUserRoleArgs.builder()
                .roleName("readWriteAnyDatabase")
                .databaseName("admin")
                .build())
            .build());

    }
}

resources:
  test:
    type: mongodbatlas:DatabaseUser
    properties:
      username: 64d613677e1ad50839cce4db/testUserOr
      projectId: 6414908c207f4d22f4d8f232
      authDatabaseName: admin
      oidcAuthType: IDP_GROUP
      roles:
        - roleName: readWriteAnyDatabase
          databaseName: admin

username format: Atlas OIDC IdP ID (found in federation settings), followed by a ‘/’, followed by the IdP group name

Note: OIDC support is only avalible starting in MongoDB 7.0 or later. To learn more, see the MongoDB Atlas documentation.

Create DatabaseUser Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

TypeScript
Python
Go
C#
Java
YAML

new DatabaseUser(name: string, args: DatabaseUserArgs, opts?: CustomResourceOptions);

@overload
def DatabaseUser(resource_name: str,
                 args: DatabaseUserArgs,
                 opts: Optional[ResourceOptions] = None)

@overload
def DatabaseUser(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 auth_database_name: Optional[str] = None,
                 project_id: Optional[str] = None,
                 username: Optional[str] = None,
                 aws_iam_type: Optional[str] = None,
                 labels: Optional[Sequence[DatabaseUserLabelArgs]] = None,
                 ldap_auth_type: Optional[str] = None,
                 oidc_auth_type: Optional[str] = None,
                 password: Optional[str] = None,
                 roles: Optional[Sequence[DatabaseUserRoleArgs]] = None,
                 scopes: Optional[Sequence[DatabaseUserScopeArgs]] = None,
                 x509_type: Optional[str] = None)

func NewDatabaseUser(ctx *Context, name string, args DatabaseUserArgs, opts ...ResourceOption) (*DatabaseUser, error)

public DatabaseUser(string name, DatabaseUserArgs args, CustomResourceOptions? opts = null)

public DatabaseUser(String name, DatabaseUserArgs args)
public DatabaseUser(String name, DatabaseUserArgs args, CustomResourceOptions options)

type: mongodbatlas:DatabaseUser
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args DatabaseUserArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args DatabaseUserArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args DatabaseUserArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args DatabaseUserArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args DatabaseUserArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var databaseUserResource = new Mongodbatlas.DatabaseUser("databaseUserResource", new()
{
    AuthDatabaseName = "string",
    ProjectId = "string",
    Username = "string",
    AwsIamType = "string",
    Labels = new[]
    {
        new Mongodbatlas.Inputs.DatabaseUserLabelArgs
        {
            Key = "string",
            Value = "string",
        },
    },
    LdapAuthType = "string",
    OidcAuthType = "string",
    Password = "string",
    Roles = new[]
    {
        new Mongodbatlas.Inputs.DatabaseUserRoleArgs
        {
            DatabaseName = "string",
            RoleName = "string",
            CollectionName = "string",
        },
    },
    Scopes = new[]
    {
        new Mongodbatlas.Inputs.DatabaseUserScopeArgs
        {
            Name = "string",
            Type = "string",
        },
    },
    X509Type = "string",
});

example, err := mongodbatlas.NewDatabaseUser(ctx, "databaseUserResource", &mongodbatlas.DatabaseUserArgs{
	AuthDatabaseName: pulumi.String("string"),
	ProjectId:        pulumi.String("string"),
	Username:         pulumi.String("string"),
	AwsIamType:       pulumi.String("string"),
	Labels: mongodbatlas.DatabaseUserLabelArray{
		&mongodbatlas.DatabaseUserLabelArgs{
			Key:   pulumi.String("string"),
			Value: pulumi.String("string"),
		},
	},
	LdapAuthType: pulumi.String("string"),
	OidcAuthType: pulumi.String("string"),
	Password:     pulumi.String("string"),
	Roles: mongodbatlas.DatabaseUserRoleArray{
		&mongodbatlas.DatabaseUserRoleArgs{
			DatabaseName:   pulumi.String("string"),
			RoleName:       pulumi.String("string"),
			CollectionName: pulumi.String("string"),
		},
	},
	Scopes: mongodbatlas.DatabaseUserScopeArray{
		&mongodbatlas.DatabaseUserScopeArgs{
			Name: pulumi.String("string"),
			Type: pulumi.String("string"),
		},
	},
	X509Type: pulumi.String("string"),
})

var databaseUserResource = new DatabaseUser("databaseUserResource", DatabaseUserArgs.builder()
    .authDatabaseName("string")
    .projectId("string")
    .username("string")
    .awsIamType("string")
    .labels(DatabaseUserLabelArgs.builder()
        .key("string")
        .value("string")
        .build())
    .ldapAuthType("string")
    .oidcAuthType("string")
    .password("string")
    .roles(DatabaseUserRoleArgs.builder()
        .databaseName("string")
        .roleName("string")
        .collectionName("string")
        .build())
    .scopes(DatabaseUserScopeArgs.builder()
        .name("string")
        .type("string")
        .build())
    .x509Type("string")
    .build());

database_user_resource = mongodbatlas.DatabaseUser("databaseUserResource",
    auth_database_name="string",
    project_id="string",
    username="string",
    aws_iam_type="string",
    labels=[{
        "key": "string",
        "value": "string",
    }],
    ldap_auth_type="string",
    oidc_auth_type="string",
    password="string",
    roles=[{
        "database_name": "string",
        "role_name": "string",
        "collection_name": "string",
    }],
    scopes=[{
        "name": "string",
        "type": "string",
    }],
    x509_type="string")

const databaseUserResource = new mongodbatlas.DatabaseUser("databaseUserResource", {
    authDatabaseName: "string",
    projectId: "string",
    username: "string",
    awsIamType: "string",
    labels: [{
        key: "string",
        value: "string",
    }],
    ldapAuthType: "string",
    oidcAuthType: "string",
    password: "string",
    roles: [{
        databaseName: "string",
        roleName: "string",
        collectionName: "string",
    }],
    scopes: [{
        name: "string",
        type: "string",
    }],
    x509Type: "string",
});

type: mongodbatlas:DatabaseUser
properties:
    authDatabaseName: string
    awsIamType: string
    labels:
        - key: string
          value: string
    ldapAuthType: string
    oidcAuthType: string
    password: string
    projectId: string
    roles:
        - collectionName: string
          databaseName: string
          roleName: string
    scopes:
        - name: string
          type: string
    username: string
    x509Type: string

DatabaseUser Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The DatabaseUser resource accepts the following input properties:

AuthDatabaseName string

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

ProjectId string

The unique ID for the project to create the database user.

Username string

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

AwsIamType string

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

Labels List<DatabaseUserLabel>

LdapAuthType string

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

OidcAuthType string

Human-readable label that indicates whether the new database user authenticates with OIDC (OpenID Connect) federated authentication. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

Password string

Roles List<DatabaseUserRole>

List of user’s roles and the databases / collections on which the roles apply. A role allows the user to perform particular actions on the specified database. A role on the admin database can include privileges that apply to the other databases as well. See Roles below for more details.

Scopes List<DatabaseUserScope>

X509Type string

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

AuthDatabaseName string

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

ProjectId string

The unique ID for the project to create the database user.

Username string

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

AwsIamType string

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

Labels []DatabaseUserLabelArgs

LdapAuthType string

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

OidcAuthType string

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

Password string

Roles []DatabaseUserRoleArgs

Scopes []DatabaseUserScopeArgs

X509Type string

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

authDatabaseName String

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

projectId String

The unique ID for the project to create the database user.

username String

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

awsIamType String

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

labels List<DatabaseUserLabel>

ldapAuthType String

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

oidcAuthType String

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

password String

roles List<DatabaseUserRole>

scopes List<DatabaseUserScope>

x509Type String

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

authDatabaseName string

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

projectId string

The unique ID for the project to create the database user.

username string

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

awsIamType string

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

labels DatabaseUserLabel[]

ldapAuthType string

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

oidcAuthType string

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

password string

roles DatabaseUserRole[]

scopes DatabaseUserScope[]

x509Type string

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

auth_database_name str

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

project_id str

The unique ID for the project to create the database user.

username str

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

aws_iam_type str

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

labels Sequence[DatabaseUserLabelArgs]

ldap_auth_type str

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

oidc_auth_type str

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

password str

roles Sequence[DatabaseUserRoleArgs]

scopes Sequence[DatabaseUserScopeArgs]

x509_type str

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

authDatabaseName String

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

projectId String

The unique ID for the project to create the database user.

username String

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

awsIamType String

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

labels List<Property Map>

ldapAuthType String

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

oidcAuthType String

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

password String

roles List<Property Map>

scopes List<Property Map>

x509Type String

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

Outputs

All input properties are implicitly available as output properties. Additionally, the DatabaseUser resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing DatabaseUser Resource

Get an existing DatabaseUser resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: DatabaseUserState, opts?: CustomResourceOptions): DatabaseUser

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        auth_database_name: Optional[str] = None,
        aws_iam_type: Optional[str] = None,
        labels: Optional[Sequence[DatabaseUserLabelArgs]] = None,
        ldap_auth_type: Optional[str] = None,
        oidc_auth_type: Optional[str] = None,
        password: Optional[str] = None,
        project_id: Optional[str] = None,
        roles: Optional[Sequence[DatabaseUserRoleArgs]] = None,
        scopes: Optional[Sequence[DatabaseUserScopeArgs]] = None,
        username: Optional[str] = None,
        x509_type: Optional[str] = None) -> DatabaseUser

func GetDatabaseUser(ctx *Context, name string, id IDInput, state *DatabaseUserState, opts ...ResourceOption) (*DatabaseUser, error)

public static DatabaseUser Get(string name, Input<string> id, DatabaseUserState? state, CustomResourceOptions? opts = null)

public static DatabaseUser get(String name, Output<String> id, DatabaseUserState state, CustomResourceOptions options)

resources:  _:    type: mongodbatlas:DatabaseUser    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AuthDatabaseName string

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

AwsIamType string

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

Labels List<DatabaseUserLabel>

LdapAuthType string

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

OidcAuthType string

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

Password string

ProjectId string

The unique ID for the project to create the database user.

Roles List<DatabaseUserRole>

Scopes List<DatabaseUserScope>

Username string

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

X509Type string

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

AuthDatabaseName string

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

AwsIamType string

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

Labels []DatabaseUserLabelArgs

LdapAuthType string

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

OidcAuthType string

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

Password string

ProjectId string

The unique ID for the project to create the database user.

Roles []DatabaseUserRoleArgs

Scopes []DatabaseUserScopeArgs

Username string

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

X509Type string

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

authDatabaseName String

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

awsIamType String

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

labels List<DatabaseUserLabel>

ldapAuthType String

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

oidcAuthType String

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

password String

projectId String

The unique ID for the project to create the database user.

roles List<DatabaseUserRole>

scopes List<DatabaseUserScope>

username String

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

x509Type String

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

authDatabaseName string

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

awsIamType string

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

labels DatabaseUserLabel[]

ldapAuthType string

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

oidcAuthType string

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

password string

projectId string

The unique ID for the project to create the database user.

roles DatabaseUserRole[]

scopes DatabaseUserScope[]

username string

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

x509Type string

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

auth_database_name str

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

aws_iam_type str

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

labels Sequence[DatabaseUserLabelArgs]

ldap_auth_type str

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

oidc_auth_type str

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

password str

project_id str

The unique ID for the project to create the database user.

roles Sequence[DatabaseUserRoleArgs]

scopes Sequence[DatabaseUserScopeArgs]

username str

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

x509_type str

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

authDatabaseName String

Database against which Atlas authenticates the user. A user must provide both a username and authentication database to log into MongoDB. Accepted values include:

awsIamType String

If this value is set, the new database user authenticates with AWS IAM credentials. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use AWS IAM credentials.
USER - New database user has AWS IAM user credentials.
ROLE - New database user has credentials associated with an AWS IAM role.

labels List<Property Map>

ldapAuthType String

Method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE.

NONE - Atlas authenticates this user through SCRAM-SHA, not LDAP.
USER - LDAP server authenticates this user through the user's LDAP user. username must also be a fully qualified distinguished name, as defined in RFC-2253.
GROUP - LDAP server authenticates this user using their LDAP user and authorizes this user using their LDAP group. To learn more about LDAP security, see Set up User Authentication and Authorization with LDAP. username must also be a fully qualified distinguished name, as defined in RFC-2253.

oidcAuthType String

NONE - The user does not use OIDC federated authentication.
IDP_GROUP - OIDC Workforce federated authentication group. To learn more about OIDC federated authentication, see Set up Workforce Identity Federation with OIDC.
USER - OIDC Workload federated authentication user. To learn more about OIDC federated authentication, see Set up Workload Identity Federation with OIDC.

password String

projectId String

The unique ID for the project to create the database user.

roles List<Property Map>

scopes List<Property Map>

username String

Username for authenticating to MongoDB. USER_ARN or ROLE_ARN if aws_iam_type is USER or ROLE.

x509Type String

X.509 method by which the provided username is authenticated. If no value is given, Atlas uses the default value of NONE. The accepted types are:

NONE - The user does not use X.509 authentication.
MANAGED - The user is being created for use with Atlas-managed X.509.Externally authenticated users can only be created on the $external database.
CUSTOMER - The user is being created for use with Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the username field. Externally authenticated users can only be created on the $external database.

Supporting Types

DatabaseUserLabel
, DatabaseUserLabelArgs

Key string: The key that you want to write.
Value string: The value that you want to write.

Key string: The key that you want to write.
Value string: The value that you want to write.

key String: The key that you want to write.
value String: The value that you want to write.

key string: The key that you want to write.
value string: The value that you want to write.

key str: The key that you want to write.
value str: The value that you want to write.

key String: The key that you want to write.
value String: The value that you want to write.

DatabaseUserRole
, DatabaseUserRoleArgs

DatabaseName string: Database on which the user has the specified role. A role on the admin database can include privileges that apply to the other databases. This field should be set to admin for a custom MongoDB role.
RoleName string: Name of the role to grant. See Create a Database User roles.roleName for valid values and restrictions.
CollectionName string: Collection for which the role applies. You can specify a collection for the read and readWrite roles. If you do not specify a collection for read and readWrite, the role applies to all collections in the database (excluding some collections in the system. database).

DatabaseName string: Database on which the user has the specified role. A role on the admin database can include privileges that apply to the other databases. This field should be set to admin for a custom MongoDB role.
RoleName string: Name of the role to grant. See Create a Database User roles.roleName for valid values and restrictions.
CollectionName string: Collection for which the role applies. You can specify a collection for the read and readWrite roles. If you do not specify a collection for read and readWrite, the role applies to all collections in the database (excluding some collections in the system. database).

databaseName String: Database on which the user has the specified role. A role on the admin database can include privileges that apply to the other databases. This field should be set to admin for a custom MongoDB role.
roleName String: Name of the role to grant. See Create a Database User roles.roleName for valid values and restrictions.
collectionName String: Collection for which the role applies. You can specify a collection for the read and readWrite roles. If you do not specify a collection for read and readWrite, the role applies to all collections in the database (excluding some collections in the system. database).

databaseName string: Database on which the user has the specified role. A role on the admin database can include privileges that apply to the other databases. This field should be set to admin for a custom MongoDB role.
roleName string: Name of the role to grant. See Create a Database User roles.roleName for valid values and restrictions.
collectionName string: Collection for which the role applies. You can specify a collection for the read and readWrite roles. If you do not specify a collection for read and readWrite, the role applies to all collections in the database (excluding some collections in the system. database).

database_name str: Database on which the user has the specified role. A role on the admin database can include privileges that apply to the other databases. This field should be set to admin for a custom MongoDB role.
role_name str: Name of the role to grant. See Create a Database User roles.roleName for valid values and restrictions.
collection_name str: Collection for which the role applies. You can specify a collection for the read and readWrite roles. If you do not specify a collection for read and readWrite, the role applies to all collections in the database (excluding some collections in the system. database).

databaseName String: Database on which the user has the specified role. A role on the admin database can include privileges that apply to the other databases. This field should be set to admin for a custom MongoDB role.
roleName String: Name of the role to grant. See Create a Database User roles.roleName for valid values and restrictions.
collectionName String: Collection for which the role applies. You can specify a collection for the read and readWrite roles. If you do not specify a collection for read and readWrite, the role applies to all collections in the database (excluding some collections in the system. database).

DatabaseUserScope
, DatabaseUserScopeArgs

Name string: Name of the cluster or Atlas Data Lake that the user has access to.
Type string: Type of resource that the user has access to. Valid values are: CLUSTER and DATA_LAKE

Name string: Name of the cluster or Atlas Data Lake that the user has access to.
Type string: Type of resource that the user has access to. Valid values are: CLUSTER and DATA_LAKE

name String: Name of the cluster or Atlas Data Lake that the user has access to.
type String: Type of resource that the user has access to. Valid values are: CLUSTER and DATA_LAKE

name string: Name of the cluster or Atlas Data Lake that the user has access to.
type string: Type of resource that the user has access to. Valid values are: CLUSTER and DATA_LAKE

name str: Name of the cluster or Atlas Data Lake that the user has access to.
type str: Type of resource that the user has access to. Valid values are: CLUSTER and DATA_LAKE

name String: Name of the cluster or Atlas Data Lake that the user has access to.
type String: Type of resource that the user has access to. Valid values are: CLUSTER and DATA_LAKE

Import

Database users can be imported using project ID, username, and auth database name in the format:

project_id-username-auth_database_name Only works if no - are used for username/auth_database_name. For example my-username should use (2).
project_id/username/auth_database_name Works in all cases (introduced after (1))

$ pulumi import mongodbatlas:index/databaseUser:DatabaseUser my_user 1112222b3bf99403840e8934-my_user-admin # (1)

$ pulumi import mongodbatlas:index/databaseUser:DatabaseUser my_user 1112222b3bf99403840e8934/my-username-dash/my-db-name # (2)

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: MongoDB Atlas pulumi/pulumi-mongodbatlas
License: Apache-2.0
Notes: This Pulumi package is based on the mongodbatlas Terraform Provider.

MongoDB Atlas v3.30.0 published on Friday, Mar 21, 2025 by Pulumi

pulumi/pulumi-mongodbatlas

mongodbatlas.DatabaseUser

On this page

On this page

# Resource: mongodbatlas.DatabaseUser

Example Usage

S

Example of how to create a OIDC federated authentication user

Create DatabaseUser Resource

Constructor syntax

Parameters

Constructor example

DatabaseUser Resource Properties

Inputs

Outputs

Look up Existing DatabaseUser Resource

Supporting Types

DatabaseUserLabel
, DatabaseUserLabelArgs

DatabaseUserRole
, DatabaseUserRoleArgs

DatabaseUserScope
, DatabaseUserScopeArgs

Import

Package Details

On this page

On this page

mongodbatlas.DatabaseUser

On this page

On this page

# Resource: mongodbatlas.DatabaseUser

Example Usage

S

Example of how to create a OIDC federated authentication user

Create DatabaseUser Resource

Constructor syntax

Parameters

Constructor example

DatabaseUser Resource Properties

Inputs

Outputs

Look up Existing DatabaseUser Resource

Supporting Types

DatabaseUserLabel, DatabaseUserLabelArgs

DatabaseUserRole, DatabaseUserRoleArgs

DatabaseUserScope, DatabaseUserScopeArgs

Import

Package Details

On this page

On this page

DatabaseUserLabel
, DatabaseUserLabelArgs

DatabaseUserRole
, DatabaseUserRoleArgs

DatabaseUserScope
, DatabaseUserScopeArgs