Create One Database User in One Project
Creates one database user in the specified project. MongoDB Cloud supports a maximum of 100 database users per project. If you require more than 100 database users on a project, contact Support. To use this resource, the requesting Service Account or API Key must have the Project Owner role, the Project Charts Admin role, the Project Stream Processing Owner role, or the Project Database Access Admin role.
Path parameters
- groupId
  Unique 24-hexadecimal digit string that identifies your project. Use the /groups endpoint to retrieve all projects to which the authenticated user has access.
  NOTE: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.
  Format should match the following pattern: ^([a-f0-9]{24})$
Query parameters
- envelope
  Flag that indicates whether Application wraps the response in an envelope JSON object. Some API clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query. Endpoints that return a list of results use the results object as an envelope. Application adds the status parameter to the response body.
  Default value is false.
- pretty
  Flag that indicates whether the response body should be in the prettyprint format.
  Default value is false.
Body (Required)
Creates one database user in the specified project.
- awsIAMType
  Human-readable label that indicates whether the new database user authenticates with the Amazon Web Services (AWS) Identity and Access Management (IAM) credentials associated with the user or the user's role.
  Values are NONE, USER, or ROLE. Default value is NONE.
- databaseName
  The database against which the database user authenticates. Database users must provide both a username and authentication database to log into MongoDB. If the user authenticates with AWS IAM, x.509, LDAP, or OIDC Workload, this value should be $external. If the user authenticates with SCRAM-SHA or OIDC Workforce, this value should be admin.
  Values are admin or $external. Default value is admin.
- deleteAfterDate
  Date and time when MongoDB Cloud deletes the user. This parameter expresses its value in the ISO 8601 timestamp format in UTC and can include the time zone designation. You must specify a future date that falls within one week of making the Application Programming Interface (API) request.
- description
  Description of this database user.
  Maximum length is 100.
- groupId
  Unique 24-hexadecimal digit string that identifies the project.
- labels
  List that contains the key-value pairs for tagging and categorizing the MongoDB database user. The labels that you define do not appear in the console.
  Each item is a human-readable label applied to this MongoDB Cloud component.
- ldapAuthType
  Part of the Lightweight Directory Access Protocol (LDAP) record that the database uses to authenticate this database user on the LDAP host.
  Values are NONE, GROUP, or USER. Default value is NONE.
- oidcAuthType
  Human-readable label that indicates whether the new database user or group authenticates with OIDC federated authentication. To create a federated authentication user, specify the value USER in this field. To create a federated authentication group, specify the value IDP_GROUP in this field.
  Values are NONE, IDP_GROUP, or USER. Default value is NONE.
- password
  Alphanumeric string that authenticates this database user against the database specified in databaseName. To authenticate with SCRAM-SHA, you must specify this parameter. This parameter doesn't appear in the response.
  Minimum length is 8.
- roles
  List that provides the pairings of one role with one applicable database.
  Each item describes the range of resources available to this database user.
- scopes
  List that contains clusters, MongoDB Atlas Data Lakes, and MongoDB Atlas Streams Instances that this database user can access. If omitted, MongoDB Cloud grants the database user access to all the clusters, MongoDB Atlas Data Lakes, and MongoDB Atlas Streams Instances in the project.
  Each item describes the range of resources available to this database user.
- username
  Human-readable label that represents the user that authenticates to MongoDB. The format of this label depends on the method of authentication:

  Authentication Method | Parameter Needed                                | Parameter Value | username Format
  AWS IAM               | awsIAMType                                      | ROLE            | ARN
  AWS IAM               | awsIAMType                                      | USER            | ARN
  x.509                 | x509Type                                        | CUSTOMER        | RFC 2253 Distinguished Name
  x.509                 | x509Type                                        | MANAGED         | RFC 2253 Distinguished Name
  LDAP                  | ldapAuthType                                    | USER            | RFC 2253 Distinguished Name
  LDAP                  | ldapAuthType                                    | GROUP           | RFC 2253 Distinguished Name
  OIDC Workforce        | oidcAuthType                                    | IDP_GROUP       | Atlas OIDC IdP ID (found in federation settings), followed by a '/', followed by the IdP group name
  OIDC Workload         | oidcAuthType                                    | USER            | Atlas OIDC IdP ID (found in federation settings), followed by a '/', followed by the IdP user name
  SCRAM-SHA             | awsIAMType, x509Type, ldapAuthType, oidcAuthType | NONE            | Alphanumeric string

  Maximum length is 1024.
- x509Type
  X.509 method that MongoDB Cloud uses to authenticate the database user.
  - For application-managed X.509, specify MANAGED.
  - For self-managed X.509, specify CUSTOMER.
  Users created with the CUSTOMER method require a Common Name (CN) in the username parameter. You must create externally authenticated users on the $external database.
  Values are NONE, CUSTOMER, or MANAGED. Default value is NONE.
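The authentication-method rules above (which databaseName each method requires, the password minimum for SCRAM-SHA, the username formats in the table, the one-week limit on deleteAfterDate and the groupId pattern) are easy to get wrong when a provisioning pipeline assembles request bodies. The following is an added example, not code from the page or from MongoDB: a client-side pre-flight check that reports every documented rule a request body breaks before it is sent to the endpoint. It encodes only the constraints stated on this page; the field names are the request-body parameters documented above.

```python
import re
from datetime import datetime, timedelta, timezone

# Allowed values per *Type field, and which of those make the user externally authenticated
# (databaseName must then be $external). oidcAuthType splits: USER is OIDC Workload (external),
# IDP_GROUP is OIDC Workforce (admin). All four fields NONE means SCRAM-SHA.
ALLOWED = {"awsIAMType": {"NONE", "USER", "ROLE"}, "x509Type": {"NONE", "CUSTOMER", "MANAGED"},
           "ldapAuthType": {"NONE", "USER", "GROUP"}, "oidcAuthType": {"NONE", "USER", "IDP_GROUP"}}
EXTERNAL = {"awsIAMType": {"USER", "ROLE"}, "x509Type": {"CUSTOMER", "MANAGED"},
            "ldapAuthType": {"USER", "GROUP"}, "oidcAuthType": {"USER"}}

def validate_database_user(body, now=None):
    """Return the documented rules this request body violates; an empty list means it passes."""
    problems = []
    if not re.fullmatch(r"[a-f0-9]{24}", str(body.get("groupId", ""))):
        problems.append("groupId must match ^([a-f0-9]{24})$")
    username = body.get("username", "")
    if not username or len(username) > 1024:
        problems.append("username is required and limited to 1024 characters")
    if len(body.get("description", "")) > 100:
        problems.append("description is limited to 100 characters")
    methods = []  # (field, value) for every *Type field that is not NONE
    for field, allowed in ALLOWED.items():
        value = body.get(field, "NONE")
        if value not in allowed:
            problems.append(f"{field} must be one of {sorted(allowed)}")
        elif value != "NONE":
            methods.append((field, value))
    external = any(value in EXTERNAL[field] for field, value in methods)
    db = body.get("databaseName", "admin")
    if db != ("$external" if external else "admin"):
        problems.append(f"databaseName must be {'$external' if external else 'admin'} for this method")
    if not methods and len(body.get("password", "")) < 8:
        problems.append("SCRAM-SHA users need a password of at least 8 characters")
    for field, value in methods:  # username format per the table in the username parameter
        if field == "awsIAMType" and not username.startswith("arn:"):
            problems.append("AWS IAM users are named by their ARN")
        if field in ("x509Type", "ldapAuthType") and "=" not in username:
            problems.append("x.509 and LDAP users are named by an RFC 2253 Distinguished Name")
        if field == "oidcAuthType" and username.count("/") != 1:
            problems.append("OIDC users are named '<IdP ID>/<IdP user or group name>'")
    when = body.get("deleteAfterDate")
    if when:  # optional expiry: must be in the future and no more than one week out
        now = now or datetime.now(timezone.utc)
        expiry = datetime.fromisoformat(when.replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # the page allows omitting the zone designation; treat as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if not (now < expiry <= now + timedelta(days=7)):
            problems.append("deleteAfterDate must be a future time within one week of the request")
    return problems
```

Run it over the request-body examples further down this page (all pass) and over a body that mixes SCRAM-SHA with databaseName $external to see the mismatches it catches.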
atlas api createDatabaseUser --help
package main

import (
	"context"
	"log"
	"os"

	sdk "go.mongodb.org/atlas-sdk/v20250312001/admin"
)

func main() {
	ctx := context.Background()

	// Service Account credentials come from the environment, never from source code.
	clientID := os.Getenv("MONGODB_ATLAS_CLIENT_ID")
	clientSecret := os.Getenv("MONGODB_ATLAS_CLIENT_SECRET")
	url := "https://cloud.mongodb.com" // base URL of the Atlas Administration API

	client, err := sdk.NewClient(
		sdk.UseOAuthAuth(clientID, clientSecret),
		sdk.UseBaseURL(url))
	if err != nil {
		log.Fatalf("Error: %v", err)
	}

	// Populate params with the project ID and the request body documented above
	// (roles, scopes, username, databaseName and the *Type field for the chosen method).
	params := &sdk.CreateDatabaseUserApiParams{}

	sdkResp, httpResp, err := client.DatabaseUsersApi.
		CreateDatabaseUserWithParams(ctx, params).
		Execute()
	if err != nil {
		log.Fatalf("Error: %v", err)
	}
	log.Printf("HTTP %d: created database user %q", httpResp.StatusCode, sdkResp.Username)
}
curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
--header "Accept: application/vnd.atlas.2025-03-12+json" \
--header "Content-Type: application/json" \
-X POST "https://cloud.mongodb.com/api/atlas/v2/groups/{groupId}/databaseUsers" \
-d '{ <Payload> }'
curl --user "${PUBLIC_KEY}:${PRIVATE_KEY}" \
--digest \
--header "Accept: application/vnd.atlas.2025-03-12+json" \
--header "Content-Type: application/json" \
-X POST "https://cloud.mongodb.com/api/atlas/v2/groups/{groupId}/databaseUsers" \
-d '{ <Payload> }'
{
"roles": [
{
"roleName": "readWrite",
"databaseName": "sales"
},
{
"roleName": "read",
"databaseName": "marketing"
}
],
"scopes": [
{
"name": "myCluster",
"type": "CLUSTER"
}
],
"groupId": "32b6e34b3d91647abb20e7b8",
"username": "arn:aws:iam::358363220050:user/mongodb-aws-iam-auth-test-user",
"awsIAMType": "USER",
"databaseName": "$external"
}
{
"roles": [
{
"roleName": "readWrite",
"databaseName": "sales"
},
{
"roleName": "read",
"databaseName": "marketing"
}
],
"scopes": [
{
"name": "myCluster",
"type": "CLUSTER"
}
],
"groupId": "32b6e34b3d91647abb20e7b8",
"username": "CN=marketing,OU=groups,DC=example,DC=com",
"databaseName": "admin",
"ldapAuthType": "GROUP"
}
{
"roles": [
{
"roleName": "readWrite",
"databaseName": "sales"
},
{
"roleName": "read",
"databaseName": "marketing"
}
],
"scopes": [
{
"name": "myCluster",
"type": "CLUSTER"
}
],
"groupId": "32b6e34b3d91647abb20e7b8",
"username": "5dd7496c7a3e5a648454341c/sales",
"databaseName": "admin",
"oidcAuthType": "IDP_GROUP"
}
{
"roles": [
{
"roleName": "readWrite",
"databaseName": "sales"
},
{
"roleName": "read",
"databaseName": "marketing"
}
],
"scopes": [
{
"name": "myCluster",
"type": "CLUSTER"
}
],
"groupId": "32b6e34b3d91647abb20e7b8",
"username": "5dd7496c7a3e5a648454341c/sales",
"databaseName": "$external",
"oidcAuthType": "USER"
}
{
"roles": [
{
"roleName": "readWrite",
"databaseName": "sales"
},
{
"roleName": "read",
"databaseName": "marketing"
}
],
"scopes": [
{
"name": "myCluster",
"type": "CLUSTER"
}
],
"groupId": "32b6e34b3d91647abb20e7b8",
"password": "changeme123",
"username": "david",
"databaseName": "admin"
}
{
"roles": [
{
"roleName": "readWrite",
"databaseName": "sales"
},
{
"roleName": "read",
"databaseName": "marketing"
}
],
"scopes": [
{
"name": "myCluster",
"type": "CLUSTER"
}
],
"groupId": "32b6e34b3d91647abb20e7b8",
"username": "CN=david@example.com,OU=users,DC=example,DC=com",
"x509Type": "CUSTOMER",
"databaseName": "$external"
}
{
"awsIAMType": "NONE",
"databaseName": "admin",
"deleteAfterDate": "2025-05-04T09:42:00Z",
"description": "string",
"labels": [
{
"key": "string",
"value": "string"
}
],
"ldapAuthType": "NONE",
"links": [
{
"href": "https://cloud.mongodb.com/api/atlas",
"rel": "self"
}
],
"oidcAuthType": "NONE",
"roles": [
{
"collectionName": "string",
"databaseName": "string",
"roleName": "atlasAdmin"
}
],
"scopes": [
{
"name": "string",
"type": "CLUSTER"
}
],
"username": "string",
"x509Type": "NONE"
}
{
"error": 400,
"detail": "(This is just an example, the exception may not be related to this endpoint) No provider AWS exists.",
"reason": "Bad Request",
"errorCode": "VALIDATION_ERROR"
}
{
"error": 401,
"detail": "(This is just an example, the exception may not be related to this endpoint)",
"reason": "Unauthorized",
"errorCode": "NOT_ORG_GROUP_CREATOR"
}
{
"error": 403,
"detail": "(This is just an example, the exception may not be related to this endpoint)",
"reason": "Forbidden",
"errorCode": "CANNOT_CHANGE_GROUP_NAME"
}
{
"error": 404,
"detail": "(This is just an example, the exception may not be related to this endpoint) Cannot find resource AWS",
"reason": "Not Found",
"errorCode": "RESOURCE_NOT_FOUND"
}
{
"error": 409,
"detail": "(This is just an example, the exception may not be related to this endpoint) Cannot delete organization link while there is active migration in following project ids: 60c4fd418ebe251047c50554",
"reason": "Conflict",
"errorCode": "CANNOT_DELETE_ORG_ACTIVE_LIVE_MIGRATION_ATLAS_ORG_LINK"
}
{
"error": 500,
"detail": "(This is just an example, the exception may not be related to this endpoint)",
"reason": "Internal Server Error",
"errorCode": "UNEXPECTED_ERROR"
}