User Guide
Release Notes

MongoDB

Configuring the Veza integration for MongoDB and MongoDB Atlas

Overview

The Veza integration for MongoDB supports on-premise deployments and the MongoDB Atlas Database-as-a-service (DBaaS) platform. It enables discovery of standalone MongoDB clusters, MongoDB Atlas user permissions, and User permissions on MongoDB databases deployed in Atlas. After configuring the integration, you can use Veza Search, Workflows, and Insights to:

  • Show all Database Users, and the built-in or custom Database Roles a User has for each Database

  • Show the effective permissions Database Users have on the Databases and Clusters they have access to.

  • Show the effective permissions Users have on Clusters, Serverless Instances, and Global Clusters.

  • Show the Atlas Organizations and Projects accessible by Users in an Atlas Account, and what Atlas Roles users can assume.

  • Show Atlas Organizations that Atlas Users belong to, and the teams they belong to in those Organizations.

This documentation includes instructions to:

See notes and supported entities for more details.

Configuring MongoDB Atlas

Veza connects to MongoDB Atlas using API Keys. You will need to enter the Public Key and Private Key to configure the integration in Veza. Additionally, Veza will need a username and password of a MongoDB Atlas User authorized for each project in the Organization to discover.

  • You will need the Organization Owner permission to grant API access to your Atlas organization.

  • The clusters to discover need to be accessible over internet, or allow communication with a deployed Insight Point. Follow this guide to configure network access for MongoDB Atlas. As a user with the Project Owner role, you will need to:

    • Using the UI: Under the Security section, click Network Access to open the IP Access List tab. Click Add IP Address.

    • Using Atlas CLI: Use atlas accessLists create:

      # Create an access list entry for the IP address 192.0.2.15 in the project with ID 5e2211c17a3e5a48f5497de3:
atlas accessList create 192.0.2.15 --type ipAddress --projectId 5e2211c17a3e5a48f5497de3 --comment "IP address for app server 2" --output json

  • Veza does not currently support the MongoDB Atlas Data API. If enabled, Veza will not detect programmatic access users might have to MongoDB data.

AWS IAM Roles (Early Access): AWS customers can optionally use the “Assume AWS Role” connection type when creating a MongoDB Atlas integration. This can be a new role or the same one used for the AWS integration. To configure the MongoDB connection, you will provide the:

  • Role ARN: The ARN of the AWS IAM role that will be used to perform the extraction.

  • External ID: AWS IAM role external ID (similar to the “External ID” input in AWS integration)

When creating MongoDB Atlas database users in the following section, instead of adding usernames and passwords, choose the option to use an AWS IAM role and use the role ARN.

Generate Atlas Administration API credentials for the MongoDB organization

Create an API Key within the Atlas Organization Veza will connect to. The API key must have the scope Organization Read Only.

To create a key from the Atlas UI:

  1. Open your organization's Access Manager page

  2. Click Create API Key.

  3. Give the key a name and description.

  4. Assign a new role for the API key with the Organization Read Only scope.

  5. Click Next to view the Public and Private Keys.

  6. Copy the keys and save them in a secure location. Note that the private key is only shown one time.

  7. Add an API Access List Entry. Enter the IP address or CIDR block corresponding to your Veza Platform or Insight Point. Save the configuration.

  8. Click Done.

See the Configure API Access documentation for more details.

Create a database user for each of the projects in the MongoDB organization

Add database users for each project in the Organization. To create a new user using password authentication with the Atlas UI:

  1. On the left navigation, click Security > Database Access. Click Add New Database User.

  2. Choose Password for the Authentication Method.

  3. Enter a username and password. You can optionally Autogenerate the password. Note that the password and username must be the same for each project user you will create.

  4. Grant the user the Built-in Role AtlasAdmin. This is the only role granting the viewRole capability.

  5. Optionally, set a Temporary User duration. You can also opt to Restrict Access to specific clusters and federated databases.

  6. Click Add User.

See the Add MongoDB Users documentation for more details.

Configuring MongoDB (standalone)

To discover a standalone MongoDB cluster, Veza connects as a local user with the following permissions:

  • listDatabases on cluster

  • find on system.users collection in any database

  • viewRole on any collection in any database

You should deploy an Insight Point within the same network as the cluster for a secure connection.

Create local user and role

Connect to the standalone deployment and run the following command to create a role with the required permissions, and create a user with the role:

use admin
db.createRole(
   {
     role: "veza-extractor-role",
     privileges: [
       { resource: { cluster: true }, actions: [ "listDatabases" ] },
       { resource: { db: "", collection: "system.users" }, actions: [ "find" ] },
       { resource: { db: "", collection: "" }, actions: [ "viewRole" ] }
     ],
     roles: []
   }
)
db.createUser(
  {
    user: "veza-extractor-user",
    pwd: passwordPrompt(),  // or cleartext password
    roles: [
       { role: "veza-extractor-role", db: "admin" }
    ]
  }
)

After creating a user and assigning the required permissions, configure the integration on Veza by providing the username, password, and the URI of the MongoDB cluster.

Configuring MongoDB on the Veza Platform

After preparing the required credentials, log in to Veza as an administrator to add the integration:

  1. In Veza, open the Integrations page.

  2. Click Add New and pick MongoDB or MongoDB Atlas as the type of integration to add

  3. Enter the required information and Save the configuration

Standalone MongoDB

To create the MongoDB Atlas integration, you will need the database URI and the username and password created when Configuring MongoDB (standalone)

FieldNotes

Insight Point

Choose the Insight Point to use for the connection.

Name

Enter a friendly name to identify the unique MongoDB integration

Database URI

Cluster Connection String e.g. mongodb://mongodb0.example.com:28015

Username

Database user name for the integration

Password

Database user password for the integration

MongoDB Atlas

To create the MongoDB Atlas integration, you will need the API credentials, username, and password created when Configuring MongoDB Atlas

FieldNotes

Insight Point

Choose the Insight Point to use for the connection, or use the internal Veza Insight Point.

Public Key

Public API Key created for the Atlas Organization

Private Key

Private API Key created for the Atlas Organization

Username

Username of the database user(s) for project-level discovery

Password

Password of the database user(s) for project-level discovery

To discover more than one Organizations in a single Account, click Add Key Pair to add additional API credentials.

Notes and Supported Entities

Veza supports the following entity types and entity attributes:

MongoDB Atlas Account

Represents the overarching account associated with MongoDB Atlas, typically belonging to an organization or individual.

MongoDB Atlas User

Represents a user account within MongoDB Atlas, identified by a unique ID and associated with an email address.

  • ID

  • E-mail

MongoDB Atlas Organization

Represents an organization in MongoDB Atlas, identifiable by its unique ID and organizational name.

  • ID

  • Name

MongoDB Atlas Organization Role

Denotes the role or permissions assigned to a user within a MongoDB Atlas organization, governing their access and privileges.

MongoDB Atlas Project

Represents a project in MongoDB Atlas, identified by a unique ID and a descriptive name, used for grouping related resources.

  • ID

  • Name

MongoDB Atlas Team

Represents a team within a MongoDB Atlas project, identifiable by a unique ID and a name, used for collaborative project management.

  • ID

  • Name

MongoDB Database Deployment

Refers to a specific deployment of a MongoDB database, characterized by a unique ID, a name, type, and an indication of its operational status (paused or active).

  • ID

  • Name

  • Type

  • Paused

MongoDB Database User

Represents a user account with specific access rights within a MongoDB database, defined by a username and the associated database name.

  • Username

  • Database Name

When configuring a standalone MongoDB cluster, Veza discovers the following entities:

MongoDB Cluster

Represents an independent MongoDB database cluster, typically running on a single server or a set of servers, used for data storage and retrieval.

MongoDB User

Denotes a user account associated with a standalone MongoDB cluster. MongoDB User entities have a unique ID and includes information about the associated database and the username for authentication.

  • ID

  • Database

  • Username

MongoDB Database

Represents an individual database within a cluster, used for organizing and storing collections of data.

MongoDB Role

Denotes a role or set of permissions assigned to a user within a standalone MongoDB cluster, governing their access and privileges to perform operations on databases and collections. It is identified by a unique ID.

  • ID

PreviousLastPassNextMicrosoft AD

Last updated