Manage Database Users

You can create and delete Atlas database users through the Atlas Open Service Broker.


Before managing database users, you must deploy a replica set.

Add a Database User

To create a database user, you first define a ServiceBinding resource in Kubernetes. Then, the Atlas Open Service Broker creates a corresponding database user in Atlas.


Create the service binding that corresponds to the Atlas user.

  1. Copy the following resource definition example.

    This is a YAML file that you can modify to meet your desired configuration.

    kind: ServiceBinding
      name: <USER_NAME>
      namespace: <NAMESPACE>
        name: <CLUSTER_NAME>
  2. Open your preferred text editor and paste the resource definition into a new text file.


Configure the required settings.

The highlighted settings are required to create a database user:

Key Description Example The name of the service binding resource in Kubernetes. atlas-user-1
metadata.namespace The Kubernetes namespace where the service binding resource is created. atlas The name of the ServiceInstance resource in Kubernetes that corresponds to your Atlas cluster. my-atlas-cluster

When you create a database user, the Atlas Open Service Broker randomly generates an Atlas username and password for the user. The Service Catalog automatically stores the users’s Atlas username, password, and connection URI in a Kubernetes secret.

If you do not specify additional settings, the database user is created with the following default attributes:

  • SCRAM-SHA authentication on the admin database
  • readWriteAnyDatabase permissions on the admin database

Add any additional settings for the user.

You can configure additional settings for the user under the spec.parameters.user key. These settings correspond to the request body parameters of the Create a Database User Public API method.


The following API parameters are overwritten by the required Atlas Open Service Broker settings from the previous step and should not be specified:

  • databaseName
  • groupId
  • password
  • username


This example resource definition creates:

  1. a Kubernetes resource called atlas-user-1 in the atlas namespace and
  2. an Atlas database user with the following configuration:
    • SCRAM-SHA authentication on the admin database with randomly generated username and password
    • readWrite permissions to the listingsAndReviews collection on the sample_airbnb database
    • dbAdmin permissions to the sample_geospatial database
kind: ServiceBinding
  name: atlas-user-1
  namespace: atlas
    name: my-atlas-cluster
      - databaseName: sample_airbnb
        collectionName: listingsAndReviews
        roleName: readWrite
      - databaseName: sample_geospatial
        roleName: dbAdmin

Save this file as atlas-user-1.yaml.


Create the user.

Invoke the following Kubernetes command to create your database user:

kubectl apply -f atlas-user-1.yaml

View the status of the new user.

To view the status of the new user within the Kubernetes cluster, pass the from replica-set.yaml into the following command:

svcat describe instance <METADATA.NAME> -n <METADATA.NAMESPACE>

The status of the user appears under Bindings.


      NAME        STATUS
  atlas-user-1     Ready

To see a detailed view of the user, pass the from atlas-user-1.yaml into the following command:

svcat describe binding <METADATA.NAME> -n <METADATA.NAMESPACE>

The command returns the details of the user.


Name:        atlas-user-1
Namespace:   atlas
Status:      Ready - Injected bind result @ 2019-08-24 20:57:43 +0000 UTC
Secret:      atlas-user-1
Instance:    my-replica-set

    - collectionName: listingsAndReviews
      databaseName: sample_airbnb
      roleName: readWrite
    - databaseName: sample_geospatial
      roleName: dbAdmin

Secret Data:
  password   44 bytes
  uri        58 bytes
  username   36 bytes

Retrieve the Atlas connection details of the new user.

The connection details for the user are stored in a secret that has the same name and namespace as the ServiceBinding resource. The secret is base64-encoded by Kubernetes and contains the Atlas username, password, and URI of the user.

  1. Pass and metadata.namespace from atlas-user-1.yaml into the following command to retrieve the Kubernetes secret for the user:

    kubectl get secret <METADATA.NAME> -n <METADATA.NAMESPACE> -o yaml

    The command returns the base64-encoded Atlas password, URI, and username of the user:


    apiVersion: v1
      password: MlFhTnB4NzNoaEYwZWFKFMCjRUlNU2Iwbk5OMnJPT0JGZnZOeldKMS16Zz0=
      uri: bW9uZ29kYitzcnY6Ly8wMTY5YjA5My1jNTEyLTExZTktOGQyMC1kbjZyNy5tb25nb2RiLXFhLm5ldA==
      username: NTJjMzVlNjctYzdhMy0xMWKR7ThkMjAtMDI0MmFjMTEwMDA3
    kind: Secret
      creationTimestamp: "2019-08-26T01:46:30Z"
      name: atlas-user-1
      namespace: atlas
      - apiVersion:
        blockOwnerDeletion: true
        controller: true
        kind: ServiceBinding
        name: atlas-user-1
        uid: 52c35ea1-c7a3-11e9-8d20-0242ac113457
      resourceVersion: "79692"
      selfLink: /api/v1/namespaces/atlas/secrets/atlas-user-1
      uid: 14829566-4859-4b47-97f6-d0a2f7425906
    type: Opaque
  2. Pass data.username from the secret into the following command to decode the user’s Atlas username:

    echo '<DATA.USERNAME>' | base64 --decode

    The command returns the decoded Atlas username:



    Repeat the command with data.password and data.uri to decode the user’s Atlas password and URI.

    echo '<DATA.PASSWORD>' | base64 --decode
    echo '<DATA.URI>' | base64 --decode

Connecting to your Atlas cluster

To connect to your deployment, pass the decoded Atlas URI and username into the following command:

mongo <DECODED_URI>  --username <DECODED_USERNAME>

When you are prompted for the password, enter the user’s decoded Atlas password.

Delete a Database User

To delete a database user, pass the from the ServiceBinding resource to one of the following commands:

kubectl delete servicebindings <METADATA.NAME> -n <METADATA.NAMESPACE>

To confirm that the user has been deleted, pass the from the cluster resource into the following command:

svcat describe instance <METADATA.NAME> -n <METADATA.NAMESPACE>

The command returns No bindings defined under Bindings.