# MongoDB ### Overview The Veza integration for MongoDB supports on-premise deployments and the MongoDB Atlas Database-as-a-service (DBaaS) platform. It enables discovery of standalone MongoDB clusters, MongoDB Atlas user permissions, and User permissions on MongoDB databases deployed in Atlas. After configuring the integration, you can use Veza Search, Workflows, and Insights to: * Show all Database Users, and the built-in or custom Database Roles a User has for each Database * Show the effective permissions Database Users have on the Databases and Clusters they have access to. * Show the effective permissions Users have on Clusters, Serverless Instances, and Global Clusters. * Show the Atlas Organizations and Projects accessible by Users in an Atlas Account, and what Atlas Roles users can assume. * Show Atlas Organizations that Atlas Users belong to, and the teams they belong to in those Organizations. This documentation includes instructions to: * [Configure MongoDB Atlas](#configuring-mongodb-atlas) * [Configure standalone MongoDB](#configuring-mongodb-standalone) * [Add a MongoDB integration (Atlas or standalone) to Veza](#configuring-mongodb-on-the-veza-platform) See [notes and supported entities](#notes-and-supported-entities) for more details. ### Configuring MongoDB Atlas Veza connects to MongoDB Atlas using API Keys. You will need to enter the Public Key and Private Key to configure the integration in Veza. Additionally, Veza will need a username and password of a MongoDB Atlas User authorized for each project in the Organization to discover. * You will need the `Organization Owner` permission to grant API access to your Atlas organization. * The clusters to discover need to be accessible over internet, or allow communication with a deployed [Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point.md). Follow [this guide](https://www.mongodb.com/docs/atlas/security/ip-access-list/) to configure network access for MongoDB Atlas. As a user with the Project Owner role, you will need to: * Using the UI: Under the **Security** section, click **Network Access** to open the IP Access List tab. Click **Add IP Address**. * Using Atlas CLI: Use [atlas accessLists create](https://www.mongodb.com/docs/atlas/cli/stable/command/atlas-accessLists-create/): ```shell # Create an access list entry for the IP address 192.0.2.15 in the project with ID 5e2211c17a3e5a48f5497de3: atlas accessList create 192.0.2.15 --type ipAddress --projectId 5e2211c17a3e5a48f5497de3 --comment "IP address for app server 2" --output json ``` * Veza does not support the MongoDB [Atlas Data API](https://www.mongodb.com/docs/atlas/app-services/data-api/data-api-deprecation/) (deprecated September 2024, end-of-life September 2025). {% hint style="info" %} **AWS IAM Roles (Early Access)**: AWS customers can optionally use the “Assume AWS Role” connection type when creating a MongoDB Atlas integration. This can be a new role or the same one used for the [AWS integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/aws.md#using-an-iam-role). To configure the MongoDB connection, you will provide the: * **Role ARN**: The ARN of the AWS IAM role that will be used to perform the extraction. * **External ID**: AWS IAM role external ID (similar to the “External ID” input in AWS integration) When creating MongoDB Atlas database users in the following section, instead of adding usernames and passwords, choose the option to [use an AWS IAM role](https://www.mongodb.com/docs/atlas/security-add-mongodb-users/#database-user-authentication) and use the role ARN. {% endhint %} #### Generate Atlas Administration API credentials for the MongoDB organization Create an API Key within the Atlas Organization Veza will connect to. The API key must have the scope `Organization Read Only`. To create a key from the Atlas UI: 1. Open your organization's **Access Manager** page 2. Click **Create API Key**. 3. Give the key a name and description. 4. Assign a new role for the API key with the `Organization Read Only` scope. 5. Click **Next** to view the Public and Private Keys. 6. Copy the keys and save them in a secure location. Note that the private key is only shown one time. 7. Add an **API Access List Entry**. Enter the IP address or CIDR block corresponding to your Veza Platform or Insight Point. **Save** the configuration. 8. Click **Done**. See the [Configure API Access](https://www.mongodb.com/docs/atlas/configure-api-access/#create-an-api-key-in-an-organization) documentation for more details. #### Create a database user for each of the projects in the MongoDB organization Add database users for each project in the Organization. To create a new user using password authentication with the Atlas UI: 1. On the left navigation, click **Security** > **Database Access**. Click **Add New Database User**. 2. Choose **Password** for the **Authentication Method**. 3. Enter a username and password. You can optionally **Autogenerate** the password. Note that the password and username must be the same for each project user you will create. 4. Grant the user the **Built-in Role** `AtlasAdmin`. This is the only role granting the `viewRole` capability. 5. Optionally, set a **Temporary User** duration. You can also opt to **Restrict Access** to specific clusters and federated databases. 6. Click **Add User**. See the [Add MongoDB Users](https://www.mongodb.com/docs/atlas/security-add-mongodb-users/#add-database-users) documentation for more details. ### Configuring MongoDB (standalone) To discover a standalone MongoDB cluster, Veza connects as a local user with the following permissions: * `listDatabases` on cluster * `find` on `system.users` collection in any database * `viewRole` on any collection in any database You should deploy an [Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point.md) within the same network as the cluster for a secure connection. #### Create local user and role Connect to the standalone deployment and run the following command to create a role with the required permissions, and create a user with the role: ```mql use admin db.createRole( { role: "veza-extractor-role", privileges: [ { resource: { cluster: true }, actions: [ "listDatabases" ] }, { resource: { db: "", collection: "system.users" }, actions: [ "find" ] }, { resource: { db: "", collection: "" }, actions: [ "viewRole" ] } ], roles: [] } ) db.createUser( { user: "veza-extractor-user", pwd: passwordPrompt(), // or cleartext password roles: [ { role: "veza-extractor-role", db: "admin" } ] } ) ``` After creating a user and assigning the required permissions, configure the integration on Veza by providing the username, password, and the URI of the MongoDB cluster. ### Configuring MongoDB on the Veza Platform After preparing the required credentials, log in to Veza as an administrator to add the integration: 1. In Veza, open the **Integrations** page. 2. Click **Add New** and pick **MongoDB** or **MongoDB Atlas** as the type of integration to add 3. Enter the required information and *Save* the configuration #### Standalone MongoDB To create the MongoDB Atlas integration, you will need the database URI and the username and password created when [Configuring MongoDB (standalone)](#configuring-mongodb-standalone) | Field | Notes | | ------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | | Insight Point | Choose the Insight Point to use for the connection. | | Name | Enter a friendly name to identify the unique MongoDB integration | | Database URI | Cluster [Connection String](https://www.mongodb.com/docs/manual/reference/connection-string/) e.g. `mongodb://mongodb0.example.com:28015` | | Username | Database user name for the integration | | Password | Database user password for the integration | #### MongoDB Atlas To create the MongoDB Atlas integration, you will need the API credentials, username, and password created when [Configuring MongoDB Atlas](#configuring-mongodb-atlas) | Field | Notes | | ------------- | ------------------------------------------------------------------------------------------- | | Insight Point | Choose the Insight Point to use for the connection, or use the internal Veza Insight Point. | | Public Key | Public API Key created for the Atlas Organization | | Private Key | Private API Key created for the Atlas Organization | | Username | Username of the database user(s) for project-level discovery | | Password | Password of the database user(s) for project-level discovery | To discover more than one Organizations in a single Account, click **Add Key Pair** to add additional API credentials. ### Notes and Supported Entities Veza supports the following entity types and entity attributes: #### MongoDB Atlas Account Represents the overarching account associated with MongoDB Atlas, typically belonging to an organization or individual. | Attribute | Type | Description | | ------------ | ------ | ------------------------ | | `account_id` | String | Atlas account identifier | #### MongoDB Atlas User Represents a user account within MongoDB Atlas, identified by a unique ID and associated with an email address. | Attribute | Type | Description | | --------------- | ------- | ----------------------------------- | | `account_id` | String | Atlas account identifier | | `user_id` | String | Unique user identifier within Atlas | | `email` | String | User's email address | | `identity_type` | String | Identity type (always "HUMAN") | | `is_active` | Boolean | User active status (always true) | #### MongoDB Atlas Organization Represents an organization in MongoDB Atlas, identifiable by its unique ID and organizational name. | Attribute | Type | Description | | ----------------- | ------ | ------------------------------------------- | | `account_id` | String | Atlas account identifier | | `organization_id` | String | Unique organization identifier within Atlas | #### MongoDB Atlas Organization Role Denotes the role or permissions assigned to a user within a MongoDB Atlas organization, governing their access and privileges. | Attribute | Type | Description | | ------------------------- | ----------- | --------------------------------------------- | | `principal_datasource_id` | String | Principal (user) datasource identifier | | `resource_datasource_id` | String | Resource (organization) datasource identifier | | `permissions` | String List | List of granted permissions | #### MongoDB Atlas Project Represents a project in MongoDB Atlas, identified by a unique ID and a descriptive name, used for grouping related resources. | Attribute | Type | Description | | ----------------- | ------ | -------------------------------------- | | `account_id` | String | Atlas account identifier | | `organization_id` | String | Parent organization identifier | | `project_id` | String | Unique project identifier within Atlas | #### MongoDB Atlas Project Role Denotes the role or permissions assigned to a user within a MongoDB Atlas project, governing their access and privileges to project resources. | Attribute | Type | Description | | ------------------------- | ----------- | ---------------------------------------- | | `principal_datasource_id` | String | Principal (user) datasource identifier | | `resource_datasource_id` | String | Resource (project) datasource identifier | | `permissions` | String List | List of granted permissions | #### MongoDB Atlas Team Represents a team within a MongoDB Atlas project, identifiable by a unique ID and a name, used for collaborative project management. | Attribute | Type | Description | | ----------------- | ------ | ----------------------------------- | | `account_id` | String | Atlas account identifier | | `organization_id` | String | Parent organization identifier | | `team_id` | String | Unique team identifier within Atlas | #### MongoDB Database Deployment Refers to a specific deployment of a MongoDB database, characterized by a unique ID, a name, type, and an indication of its operational status (paused or active). | Attribute | Type | Description | | -------------------------- | ------- | ---------------------------------------------- | | `account_id` | String | Atlas account identifier | | `organization_id` | String | Parent organization identifier | | `project_id` | String | Parent project identifier | | `database_deployment_id` | String | Unique deployment identifier | | `database_deployment_type` | String | Type of deployment (cluster, serverless, etc.) | | `paused` | Boolean | Whether the deployment is paused | #### MongoDB Database User Represents a user account with specific access rights within a MongoDB database, defined by a username and the associated database name. | Attribute | Type | Description | | ----------------- | ------- | -------------------------------- | | `account_id` | String | Atlas account identifier | | `organization_id` | String | Parent organization identifier | | `project_id` | String | Parent project identifier | | `username` | String | Database username | | `database_name` | String | Target database name | | `identity_type` | String | Identity type (always "HUMAN") | | `is_active` | Boolean | User active status (always true) | When configuring a **standalone MongoDB cluster**, Veza discovers the following entities: #### MongoDB Cluster Represents an independent MongoDB database cluster, typically running on a single server or a set of servers, used for data storage and retrieval. | Attribute | Type | Description | | ------------ | ------ | -------------------------- | | `cluster_id` | String | MongoDB cluster identifier | #### MongoDB User Denotes a user account associated with a standalone MongoDB cluster. MongoDB User entities have a unique ID and includes information about the associated database and the username for authentication. | Attribute | Type | Description | | --------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------- | | `cluster_id` | String | MongoDB cluster identifier | | `database_name` | String | Database where user is defined | | `user_id` | String | Unique user identifier | | `username` | String | Database username | | `external` | Boolean | Whether user is external (e.g., AWS IAM) | | `identity_type` | String | Identity type (always "HUMAN") | | `is_active` | Boolean | User active status (always true) | | `aws_account_id` | String | AWS account ID (if applicable) | | `authentication_mechanisms` | String list | Authentication mechanisms configured for this user. Values: `SCRAM-SHA-256`, `SCRAM-SHA-1`, `MONGODB-X509`, `GSSAPI`. | #### MongoDB Database Represents an individual database within a cluster, used for organizing and storing collections of data. | Attribute | Type | Description | | ------------ | ------ | --------------------------------- | | `cluster_id` | String | Parent MongoDB cluster identifier | #### MongoDB Role Denotes a role or set of permissions assigned to a user within a standalone MongoDB cluster, governing their access and privileges to perform operations on databases and collections. It is identified by a unique ID. | Attribute | Type | Description | | --------------- | ------ | ------------------------------ | | `cluster_id` | String | MongoDB cluster identifier | | `database_name` | String | Database where role is defined | | `role_id` | String | Unique role identifier | #### MongoDB Effective Permission Represents computed effective permissions that MongoDB users have on cluster and database resources, derived from their assigned roles and privileges. | Attribute | Type | Description | | ------------------------- | ----------- | ------------------------------------------------- | | `principal_datasource_id` | String | Principal (user) datasource identifier | | `resource_datasource_id` | String | Resource (cluster/database) datasource identifier | | `permissions` | String List | List of effective permissions | | `privilege_source` | String | Source of the privilege (role, inheritance, etc.) | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/mongodb.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.