Skip to content

doc: DOCSP-54251 -- Document how to move from or to Service Accounts authentication #3753

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: CLOUDP-334161-service-accounts-dev
Choose a base branch
from
+52 −0
Open

doc: DOCSP-54251 -- Document how to move from or to Service Accounts authentication #3753

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions docs/guides/migrate-to-service-accounts-authentication-guide.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
---
page_title: "Migration Guide: Service Accounts Authentication"
---

# Migration Guide: Service Accounts Authentication

This guide helps you migrate from Programmatic Access Key (PAK) authentication to Service
Accounts (SA) authentication and viceversa without impacting your deployment.
Comment on lines +7 to +8
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this guide just to demonstrate how to migrate from PAK to SA? Should we recommend/suggest migrating from SA to PAK? Also vice versa is a latin phrase that doesn't translate well.

Suggested change
This guide helps you migrate from Programmatic Access Key (PAK) authentication to Service
Accounts (SA) authentication and viceversa without impacting your deployment.
This guide helps to you migrate from Programmatic Access Key (PAK) authentication to Service
Accounts (SA) authentication without impacting your deployment.


**Note:** For more information on SA, see [Service Accounts Overview](https://www.mongodb.com/docs/atlas/api/service-accounts-overview/)
in the MongoDB documentation.

Copy link
Contributor

@kanchana-mongodb kanchana-mongodb Oct 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need a Prerequisites or Before You Begin section?

## Procedure

1. Change your provider declaration variables.

The following example declares PAK authentication:

```terraform
provider "mongodbatlas" {
public_key = var.mongodbatlas_public_key
private_key = var.mongodbatlas_private_key
```

To change to SA, declare the variables as in the following example:

```terraform
provider "mongodbatlas" {
client_id = var.mongodbatlas_client_id
client_secret = var.mongodbatlas_client_secret
}
```
Comment on lines +17 to +32
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To improve clarity, suggest:

Suggested change
The following example declares PAK authentication:
```terraform
provider "mongodbatlas" {
public_key = var.mongodbatlas_public_key
private_key = var.mongodbatlas_private_key
```
To change to SA, declare the variables as in the following example:
```terraform
provider "mongodbatlas" {
client_id = var.mongodbatlas_client_id
client_secret = var.mongodbatlas_client_secret
}
```
For example, consider the following sample PAK authentication variables:
```terraform
provider "mongodbatlas" {
public_key = var.mongodbatlas_public_key
private_key = var.mongodbatlas_private_key
```
To change to SA, modify the variables to use your SA client_id and client_secret:
```terraform
provider "mongodbatlas" {
client_id = var.mongodbatlas_client_id
client_secret = var.mongodbatlas_client_secret
}
```


2. Provide a valid JSON Web Token (JWT):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not 100% clear on this. When I read it seems like we're saying
Step 1. Use client_id and client_secret
Step 2. Add the access_token attribute

which should not be the case. Instead it's "you either use client_id+client_secret or access_token"


```terraform
provider "mongodbatlas" {
access_token = var.mongodbatlas_access_token
[is_mongodbgov_cloud = true // optional]
}
```

The JWT token is only valid during its set duration time. See [Generate Service Account Token](https://www.mongodb.com/docs/atlas/api/service-accounts/generate-oauth2-token/#std-label-generate-oauth2-token-atlas) for more details on creating an SA token.

**IMPORTANT:** Currently, the MongoDB Terraform provider does not support additional Token OAuth features.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Q: what do we mean with this?


**NOTE:** You can not use ``mongodbatlas_event_trigger`` with Service Accounts as the authentication method.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add a why? @lantoli

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
**NOTE:** You can not use ``mongodbatlas_event_trigger`` with Service Accounts as the authentication method.
**NOTE:** You can't use ``mongodbatlas_event_trigger`` with Service Accounts as the authentication method.