Set up Amazon DocumentDB
Configure authentication for the Amazon DocumentDB connector by creating a crawl user with appropriate permissions. Amazon DocumentDB is MongoDB-compatible, so you create the user with MongoDB-style commands. This guide walks you through creating a user with either a built-in role or a custom role, depending on your access requirements.
Before you begin
Amazon DocumentDB is cataloged only through a Self-Deployed Runtime (SDR) deployed in the same VPC as your cluster. Atlan Cloud can't connect to your cluster directly, so plan to install the runtime as part of connecting this source. For details, see Why is Amazon DocumentDB supported only through self-deployed runtime? in the FAQ.
SDR requires additional enablement and licensing. Contact your Atlan representative for details.
The crawl user you create must be able to list databases and collections, run collStats, and run find() to sample documents. The find privilege is what enables field extraction: without it, only basic database and collection metadata is cataloged and no column (field) information is available. For more details, see What happens when read permission on collections is missing.
Create crawl user
To enable Atlan to crawl Amazon DocumentDB, create a user that Atlan can authenticate as. Amazon DocumentDB supports two authentication methods:
- Basic authentication (SCRAM-SHA-1): A username and password stored in DocumentDB. Use the steps below to create the user and assign a role.
- IAM authentication (MONGODB-AWS): AWS Identity and Access Management credentials. With IAM authentication, you map an IAM user or role to a DocumentDB user and grant the same database roles described below. For details on enabling and mapping IAM users, see the Amazon DocumentDB IAM authentication documentation.
Built-in role
Use a built-in role to grant read-only access to all databases in your DocumentDB cluster. This is the simplest option, but it also grants read access to databases the connector does not need; if you need to limit the crawl user's scope, create a custom role instead. For more information, see the Amazon DocumentDB built-in roles documentation.
- Connect to your DocumentDB cluster using the mongo shell or a MongoDB-compatible client.
- Select the authentication database (usually admin):
  use admin
- Create a user with read-only access:
  db.createUser({
    user: "atlan_user",
    pwd: "your_secure_password",
    roles: [{ role: "readAnyDatabase", db: "admin" }]
  })
- Replace atlan_user with your desired username and your_secure_password with a secure password. If you use mongosh, you can pass passwordPrompt() as the pwd value so the password isn't written to the shell history.
- The readAnyDatabase built-in role includes the privileges the connector needs across all databases: listing databases and collections, running collStats, and running find() to sample documents.
Custom role
Create a custom role to restrict access to specific databases and collections. For more information, see the Amazon DocumentDB roles documentation.
- Connect to your DocumentDB cluster using the mongo shell or a MongoDB-compatible client.
- Select the authentication database (usually admin):
  use admin
- Create a custom role with the following privileges. For details on the required privileges, see Which privileges do custom DocumentDB roles require? in the FAQ.
  db.createRole({
    role: "atlan_integration",
    privileges: [
      { resource: { cluster: true }, actions: ["listDatabases"] },
      { resource: { db: "", collection: "" }, actions: ["listCollections"] },
      { resource: { db: "", collection: "" }, actions: ["collStats"] },
      { resource: { db: "", collection: "" }, actions: ["find"] }
    ],
    roles: []
  })
- Replace the empty strings in the resource fields with specific database and collection names if you want to restrict access. An empty string means "any": { db: "", collection: "" } matches every collection in every database, { db: "sales", collection: "" } matches every collection in the sales database, and { db: "sales", collection: "orders" } matches only that collection. To cover several databases, add one privilege entry per database. The listDatabases privilege is cluster-level and can't be scoped; scoping happens in the database and collection entries.
- Create a user and assign the custom role:
  db.createUser({
    user: "atlan_user",
    pwd: "your_secure_password",
    roles: [{ role: "atlan_integration", db: "admin" }]
  })
- Replace atlan_user with your desired username and your_secure_password with a secure password. If you use mongosh, you can pass passwordPrompt() as the pwd value so the password isn't written to the shell history.
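The following is an added example and not Atlan's or Amazon's code. It generates a scoped version of the custom role above from a list of databases and collections, and then checks that role document against the privileges the connector needs, using MongoDB's resource-matching rule that an empty db or collection string means "any". The function names, the sample scopes, and the reuse of the atlan_integration role name are assumptions made for illustration.

```javascript
// Added example (not Atlan's or Amazon's code). Builds a scoped DocumentDB
// role document for the crawl user and checks it against the privileges the
// connector needs. Function names and sample scopes are assumptions.

// Actions the connector needs, grouped by the resource level they apply to.
const CLUSTER_ACTIONS = ["listDatabases"];
const DB_ACTIONS = ["listCollections"];
const COLLECTION_ACTIONS = ["collStats", "find"];

// scopes: [] or null                              -> all databases and collections
//         ["sales"]                               -> every collection in "sales"
//         [{ db: "hr", collections: ["employees"] }] -> only hr.employees
function buildAtlanRole(scopes, roleName = "atlan_integration") {
  const privileges = [
    { resource: { cluster: true }, actions: [...CLUSTER_ACTIONS] },
  ];
  if (!scopes || scopes.length === 0) {
    privileges.push(
      { resource: { db: "", collection: "" }, actions: [...DB_ACTIONS] },
      { resource: { db: "", collection: "" }, actions: [...COLLECTION_ACTIONS] },
    );
  } else {
    for (const scope of scopes) {
      const db = typeof scope === "string" ? scope : scope.db;
      const collections = typeof scope === "string" ? [] : (scope.collections || []);
      // listCollections is a database-level action, so it is granted on the
      // database resource (collection: "") even when collections are restricted.
      privileges.push({ resource: { db, collection: "" }, actions: [...DB_ACTIONS] });
      if (collections.length === 0) {
        privileges.push({ resource: { db, collection: "" }, actions: [...COLLECTION_ACTIONS] });
      } else {
        for (const collection of collections) {
          privileges.push({ resource: { db, collection }, actions: [...COLLECTION_ACTIONS] });
        }
      }
    }
  }
  return { role: roleName, privileges, roles: [] };
}

// MongoDB resource matching: a cluster resource only matches cluster actions;
// an empty db or collection string in the privilege matches any value.
function resourceMatches(resource, target) {
  if (resource.cluster) return target.cluster === true;
  if (target.cluster) return false;
  const dbOk = resource.db === "" || resource.db === target.db;
  const collOk = resource.collection === "" || resource.collection === target.collection;
  return dbOk && collOk;
}

function roleGrants(roleDoc, target, action) {
  return roleDoc.privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, target),
  );
}

// Lists the required privileges the role does NOT grant for one collection.
// An empty array means the connector can fully catalog that collection,
// including field extraction (which needs find).
function missingPrivileges(roleDoc, db, collection) {
  const checks = [
    [{ cluster: true }, "listDatabases"],
    [{ db, collection: "" }, "listCollections"],
    ...COLLECTION_ACTIONS.map((action) => [{ db, collection }, action]),
  ];
  return checks
    .filter(([target, action]) => !roleGrants(roleDoc, target, action))
    .map(([target, action]) => `${action} on ${JSON.stringify(target)}`);
}

// Constructed sample scopes: everything in "sales", only hr.employees in "hr".
const sampleRole = buildAtlanRole(["sales", { db: "hr", collections: ["employees"] }]);
console.log(JSON.stringify(sampleRole, null, 2));
console.log("hr.salaries missing:", missingPrivileges(sampleRole, "hr", "salaries"));
```

The functions use only plain JavaScript, so you can paste them into mongosh and pass the result to db.createRole(buildAtlanRole([...])) while still on the admin database. After creating the role, compare what the server actually stored with db.getRole("atlan_integration", { showPrivileges: true }) rather than trusting the document you sent; a collection the check reports as missing find will be cataloged with basic metadata only.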
Next steps
Now that you've set up the Amazon DocumentDB connector and created a crawl user, you're ready to:
- Crawl Amazon DocumentDB: Configure and run metadata extraction from your DocumentDB cluster.