xargom (Collaborator) commented Oct 6, 2025

Description

DOCSP-54251

DOCSP-54252

Creates a guide to move to Service Accounts auth and updates the landing page with SA as the first auth option.

Link to any related issue(s):

Type of change:

  • Bug fix (non-breaking change which fixes an issue). Please, add the "bug" label to the PR.
  • New feature (non-breaking change which adds functionality). Please, add the "enhancement" label to the PR. A migration guide must be created or updated if the new feature will go in a major version.
  • Breaking change (fix or feature that would cause existing functionality to not work as expected). Please, add the "breaking change" label to the PR. A migration guide must be created or updated.
  • This change requires a documentation update
  • [ x ] Documentation fix/enhancement

Required Checklist:

  • I have signed the MongoDB CLA
  • I have read the contributing guides
  • I have checked that this change does not generate any credentials and that they are NOT accidentally logged anywhere.
  • I have added tests that prove my fix is effective or that my feature works per HashiCorp requirements
  • I have added any necessary documentation (if appropriate)
  • I have run make fmt and formatted my code
  • If changes include deprecations or removals I have added appropriate changelog entries.
  • If changes include removal or addition of 3rd party GitHub actions, I updated our internal document. Reach out to the APIx Integration slack channel to get access to the internal document.

Further comments

xargom requested a review from a team as a code owner October 6, 2025 22:34

github-actions bot (Contributor) commented Oct 6, 2025

APIx bot: a message has been sent to Docs Slack channel


The JWT token is only valid during its set duration time. See [Generate Service Account Token](https://www.mongodb.com/docs/atlas/api/service-accounts/generate-oauth2-token/#std-label-generate-oauth2-token-atlas) for more details on creating an SA token.

**IMPORTANT:** Currently, the MongoDB Terraform provider does not support additional Token OAuth features.
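
Review bot: In the IMPORTANT line, "additional Token OAuth features" does not say which features are unsupported, so a reader cannot tell whether their setup is affected; name the features or remove the sentence. In the first sentence, "JWT token" is redundant and "its set duration time" should give the actual lifetime or say where it is set.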

Collaborator

Q: What do we mean by this?

Collaborator Author

Definitely the phrasing is not the best (changes incoming), but there are 3 ideas here:

  1. The token expires.
  2. Redirect the user to the Atlas SA docs.
  3. "the MongoDB Terraform provider does not support additional Token OAuth features." I'm explicitly stating a suggestion mentioned in the project scope doc: https://docs.google.com/document/d/1PuAwTTNbVLUsqMH9wmmHKUCbEojhkQ_oHL2ONxwXZhs/edit?tab=t.0#heading=h.5c9t51nomy3f. However, I'm not sure if we actually need to have this in the final version.

Collaborator

We need @bodegus's input here, can you reach out to him?

xargom requested a review from oarbusi October 7, 2025 18:28
xargom requested a review from a team as a code owner October 7, 2025 18:39
xargom and others added 5 commits October 7, 2025 12:45
Co-authored-by: kanchana-mongodb <54281287+kanchana-mongodb@users.noreply.github.com>
Co-authored-by: kanchana-mongodb <54281287+kanchana-mongodb@users.noreply.github.com>
xargom changed the title from "doc: DOCSP-54251 -- Document how to move from or to Service Accounts authentication" to "doc: DOCSP-54251 & DOCSP-54252 -- Document how to move from or to Service Accounts authentication" Oct 7, 2025

xargom (Collaborator Author) commented Oct 7, 2025

Added the changes related to DOCSP-54252 since it seemed easier to manage it all in one PR.

}
```

Consider that the access token is **valid for one hour only**.
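
Review bot: The last line gives the one-hour validity but not what the reader has to do once the token expires; say that a new access token has to be generated and supplied after that hour. "Consider that" can be dropped so the limit reads as a plain statement.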

Member

Should we also mention the 10 tokens / minute rate limiting when using SA client_id and client_secret?

Collaborator Author

I don't see why not. I added it.

xargom and others added 4 commits October 8, 2025 10:31
See [Migration Guide: Service Accounts Authentication](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/guides/migrate-to-service-accounts-authentication-guide) for more
details on setting up SA authentication.

### AWS Secrets Manager

xargom (Collaborator Author) commented Oct 8, 2025

@lantoli Do the auth methods currently described in the landing page use PAK? If so, and the idea is to discourage using PAK, should we replace them all with SA information?

Just trying to figure out if mixing PAK and SA info in the index may lead to confusion.

xargom requested review from lantoli and manupedrozo October 8, 2025 22:29