MongoDB user management
You can add and delete users as well as manage their individual settings and database access permissions.
Getting a list of users
- Go to the folder page and select Managed Service for MongoDB.
- Click the name of the cluster you need and select the Users tab.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
To get a list of cluster users, run the following command:
yc managed-mongodb user list \
--cluster-name <cluster_name>
You can request the cluster name with the list of clusters in the folder.
- Get an IAM token for API authentication and put it into the environment variable:
  export IAM_TOKEN="<IAM_token>"
- Use the User.list method and send the following request, e.g., via cURL:
  curl \
    --request GET \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users'
  You can request the cluster ID with the list of clusters in the folder.
- View the server response to make sure the request was successful.
- Get an IAM token for API authentication and put it into the environment variable:
  export IAM_TOKEN="<IAM_token>"
- Clone the cloudapi repository:
  cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
  Below, we assume the repository contents are stored in the ~/cloudapi/ directory.
- Use the UserService.List call and send the following request, e.g., via gRPCurl:
  grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mongodb.v1.UserService.List
  You can request the cluster ID with the list of clusters in the folder.
- View the server response to make sure the request was successful.
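The user list is most useful when it is compared with what is supposed to exist. The following is an added example, not part of the original documentation: it audits a list response against an approved set of grants. The response shape (a "users" array with "name" and "permissions" items), the EXPECTED policy, the tmp_migration account and the function name are assumptions made for this sketch.

```python
import json

# Constructed sample in the shape User.list is assumed to return: a "users"
# array whose items carry "name" and "permissions" (databaseName + roles).
SAMPLE_RESPONSE = json.loads("""
{
  "users": [
    {"name": "user1", "clusterId": "<cluster_ID>",
     "permissions": [{"databaseName": "db1", "roles": ["readWrite"]},
                     {"databaseName": "db2", "roles": ["read"]}]},
    {"name": "user2", "clusterId": "<cluster_ID>",
     "permissions": [{"databaseName": "db1", "roles": ["read"]}]},
    {"name": "tmp_migration", "clusterId": "<cluster_ID>",
     "permissions": [{"databaseName": "db1", "roles": ["readWrite"]}]}
  ]
}
""")

# Hypothetical approved state: user -> database -> roles that were signed off.
EXPECTED = {
    "user1": {"db1": {"readWrite"}},
    "user2": {"db1": {"read"}},
}


def audit_users(response, expected):
    """Compare granted roles with the approved ones; return sorted findings."""
    findings = []
    seen = set()
    for user in response.get("users", []):
        name = user["name"]
        seen.add(name)
        approved = expected.get(name)
        if approved is None:
            # An account nobody approved is reported once, not per grant.
            findings.append((name, "*", "account not in the approved list"))
            continue
        for perm in user.get("permissions", []):
            database = perm["databaseName"]
            extra = set(perm.get("roles", [])) - approved.get(database, set())
            for role in sorted(extra):
                findings.append((name, database, f"unapproved role {role}"))
    for name in sorted(set(expected) - seen):
        findings.append((name, "*", "approved account missing from cluster"))
    return sorted(findings)


if __name__ == "__main__":
    for user, database, issue in audit_users(SAMPLE_RESPONSE, EXPECTED):
        print(f"{user}\t{database}\t{issue}")
```
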
Creating a user
- Go to the folder page and select Managed Service for MongoDB.
- Click the name of the cluster you need and select the Users tab.
- Click Create user.
- Enter the DB user name and password.
  Note
  The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.
  The password must be between 8 and 128 characters.
- Configure the roles for the user:
  - Click Add database and select the database where you want to grant a role.
  - Add roles using .
  You can grant multiple roles to a user in different databases.
- Click Create.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
To create a user in a cluster:
- See the description of the create user CLI command:
  yc managed-mongodb user create --help
- Specify the user properties in the create command:
  yc managed-mongodb user create <username> \
    --cluster-name <cluster_name> \
    --password <user_password> \
    --permission database=<DB_name>,role=<role>,role=<other_role>,... \
    --permission database=<other_DB_name>,role=<role>,...
  Note
  The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.
  The password must be between 8 and 128 characters.
  You can request the cluster name with the list of clusters in the folder.
- Open the current Terraform configuration file with an infrastructure plan.
  For more information about creating this file, see Creating clusters.
- Add the yandex_mdb_mongodb_user resource:
  resource "yandex_mdb_mongodb_user" "<username>" {
    cluster_id = <cluster_ID>
    name       = "<username>"
    password   = "<password>"
    permission {
      database_name = "<DB_name>"
      roles         = [ "<list_of_user_roles>" ]
    }
  }
  Where database_name is the name of the DB you want to grant access to.
  Note
  The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.
  The password must be between 8 and 128 characters.
- Make sure the settings are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
For more information, see the Terraform provider documentation.
- Get an IAM token for API authentication and put it into the environment variable:
  export IAM_TOKEN="<IAM_token>"
- Use the User.create method and send the following request, e.g., via cURL:
  curl \
    --request POST \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users' \
    --data '{
              "userSpec": {
                "name": "<username>",
                "password": "<user_password>",
                "permissions": [
                  {
                    "databaseName": "<DB_name>",
                    "roles": [
                      "<role_1>", "<role_2>", ..., "<role_N>"
                    ]
                  }
                ]
              }
            }'
  Where userSpec lists the new DB user settings:
  - name: Username.
  - password: User password.
    Note
    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.
    The password must be between 8 and 128 characters.
  - permissions: User permissions settings:
    - databaseName: Name of the database the user gets access to.
    - roles: Array of user roles. Each role is provided as a separate string in the array. For the list of possible values, see Users and roles.
    For each database, add a separate element with permission settings to the permissions array.
  You can request the cluster ID with the list of clusters in the folder.
- View the server response to make sure the request was successful.
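The naming and length rules from the Note can be checked before the request is sent, so a rejected user name or a mis-typed role list never reaches the API. The following is an added example, not part of the original documentation: the function names are hypothetical, "Latin letters" is read as ASCII A-Z and a-z, and the one-role-per-string check follows the description of the roles array.

```python
import json
import re

# Rules quoted from the Note above. The character set is taken literally:
# Latin letters, digits, hyphens, underscores; a hyphen cannot come first.
USERNAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]*")
PASSWORD_MIN, PASSWORD_MAX = 8, 128


def check_credentials(name, password):
    """Return the list of rule violations (empty when both values pass)."""
    problems = []
    if not USERNAME_RE.fullmatch(name):
        problems.append("username must use only Latin letters, digits, '-' "
                        "and '_' and must not start with '-'")
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        problems.append(f"password must be {PASSWORD_MIN}-{PASSWORD_MAX} "
                        f"characters, got {len(password)}")
    return problems


def build_create_body(name, password, grants):
    """Build the User.create JSON body; grants maps database -> list of roles."""
    problems = check_credentials(name, password)
    permissions = []
    for database, roles in grants.items():
        # "read,readWrite" or a bare string would not be one role per element.
        if isinstance(roles, str) or any("," in role for role in roles):
            problems.append(f"roles for {database!r} must be a list with "
                            "one role per string")
            continue
        permissions.append({"databaseName": database, "roles": list(roles)})
    if problems:
        raise ValueError("; ".join(problems))
    return {"userSpec": {"name": name, "password": password,
                         "permissions": permissions}}


if __name__ == "__main__":
    # Constructed values; in real use the password comes from a prompt or a
    # secret store, not from source code.
    body = build_create_body("user2", "constructed-Passw0rd", {"db1": ["read"]})
    print(json.dumps(body, indent=2))
```

Piping the printed body to cURL with `--data @-` instead of passing it inline keeps the password out of the shell history and the process list.
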
- Get an IAM token for API authentication and put it into the environment variable:
  export IAM_TOKEN="<IAM_token>"
- Clone the cloudapi repository:
  cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
  Below, we assume the repository contents are stored in the ~/cloudapi/ directory.
- Use the ClusterService.Create call and send the following request, e.g., via gRPCurl:
  grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_spec": {
            "name": "<username>",
            "password": "<user_password>",
            "permissions": [
              {
                "database_name": "<DB_name>",
                "roles": [
                  "<role_1>", "<role_2>", ..., "<role_N>"
                ]
              }
            ]
          }
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mongodb.v1.UserService.Create
  Where user_spec represents the new DB user settings:
  - name: Username.
  - password: User password.
    Note
    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.
    The password must be between 8 and 128 characters.
  - permissions: User permission settings:
    - database_name: Name of the database the user gets access to.
    - roles: Array of user roles. Each role is provided as a separate string in the array. For the list of possible values, see Users and roles.
    For each database, add a separate element with permission settings to the permissions array.
  You can request the cluster ID with the list of clusters in the folder.
- View the server response to make sure the request was successful.
Changing users
- Go to the folder page and select Managed Service for MongoDB.
- Click the name of the cluster you need and select the Users tab.
- To edit a user password, click in the row with the user you need and select Change password.
  Note
  The password must be between 8 and 128 characters.
- To change the user's roles:
  - Click in the row with the user you need and select Configure.
  - To add a role, click next to the appropriate database and select the role.
  - To delete a role, click next to the role name.
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
To change a user's password or list of roles:
- See the description of the CLI's update user command:
  yc managed-mongodb user update --help
- Specify the user properties in the update command:
  yc managed-mongodb user update <username> \
    --cluster-name <cluster_name> \
    --password <user_password> \
    --permission database=<DB_name>,role=<role>,role=<other_role>,... \
    --permission database=<other_DB_name>,role=<role>,...
  Note
  The password must be between 8 and 128 characters.
To grant a user access to a database with a defined list of roles:
- View a description of the CLI command to grant users permissions:
  yc managed-mongodb user grant-permission --help
- Specify the properties of the user in the grant permissions command:
  yc managed-mongodb user grant-permission <username> \
    --cluster-name <cluster_name> \
    --database <DB_name> \
    --role <list_of_roles_separated_by_commas>
To revoke user database access:
- View a description of the CLI command to revoke users' permissions:
  yc managed-mongodb user revoke-permission --help
- Specify the properties of the user in the revoke permissions command:
  yc managed-mongodb user revoke-permission <username> \
    --cluster-name <cluster_name> \
    --database <DB_name>
This command denies the user all access to the specified database.
You can get the cluster name with the list of clusters in the folder, the DB name with the list of databases in the cluster, and the username with the list of users in the cluster.
- Open the current Terraform configuration file with an infrastructure plan.
  For more information about creating this file, see Creating clusters.
- Find the yandex_mdb_mongodb_user resource.
- Update the password field value and field values under permission:
  resource "yandex_mdb_mongodb_user" "<username>" {
    cluster_id = <cluster_ID>
    name       = "<username>"
    password   = "<new_password>"
    permission {
      database_name = "<DB_name>"
      roles         = [ "<new_list_of_user_roles>" ]
    }
  }
  Note
  The password must be between 8 and 128 characters.
- Make sure the settings are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
For more information, see the Terraform provider documentation.
- Get an IAM token for API authentication and put it into the environment variable:
  export IAM_TOKEN="<IAM_token>"
- Use the User.update method and send the following request, e.g., using cURL:
  Warning
  The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.
  curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users/<username>' \
    --data '{
              "updateMask": "password,permissions.databaseName,permissions.roles",
              "password": "<user_password>",
              "permissions": [
                {
                  "databaseName": "<DB_name>",
                  "roles": [
                    "<role_1>", "<role_2>", ..., "<role_N>"
                  ]
                }
              ]
            }'
  Where:
  - updateMask: List of parameters to update as a single string, separated by commas.
  - password: User password.
    Note
    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.
    The password must be between 8 and 128 characters.
  - permissions: User permission settings:
    - database_name: Name of the database the user gets access to.
    - roles: Array of user roles. Each role is provided as a separate string in the array. For the list of possible values, see Users and roles.
  You can request the cluster ID with the list of clusters in the folder and the username, with the list of users in the cluster.
- View the server response to make sure the request was successful.
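Because of the behavior described in the Warning, a mismatch between updateMask and the values in the body can silently change a user's password or permissions. The following is an added example, not part of the original documentation: it derives the mask from exactly what is supplied and lints hand-written bodies for mismatches. The function names are hypothetical; the mask paths are the ones used in the request above.

```python
import json

# Mask paths exactly as they appear in the request above, grouped by the
# top-level body field they govern.
MASK_PATHS = {
    "password": ["password"],
    "permissions": ["permissions.databaseName", "permissions.roles"],
}


def build_update_body(password=None, grants=None):
    """Build a User.update body whose updateMask names only what is supplied.

    grants maps database name -> list of roles (one role per string).
    """
    body, paths = {}, []
    if password is not None:
        body["password"] = password
        paths += MASK_PATHS["password"]
    if grants is not None:
        body["permissions"] = [{"databaseName": db, "roles": list(roles)}
                               for db, roles in grants.items()]
        paths += MASK_PATHS["permissions"]
    if not paths:
        raise ValueError("nothing to update")
    return {"updateMask": ",".join(paths), **body}


def lint_update_body(body):
    """Check a hand-written body for mask/value mismatches; return problems."""
    mask = body.get("updateMask", "")
    if not mask:
        return ["no updateMask: settings absent from the body get default values"]
    # "permissions.roles" governs the top-level "permissions" field.
    masked = {path.strip().split(".")[0] for path in mask.split(",")}
    sent = set(body) - {"updateMask"}
    problems = [f"updateMask lists {field!r} but the body has no value for it"
                for field in sorted(masked - sent)]
    problems += [f"{field!r} is sent but not listed in updateMask"
                 for field in sorted(sent - masked)]
    return problems


if __name__ == "__main__":
    # Constructed value: a permissions-only change that leaves the password alone.
    body = build_update_body(grants={"db2": ["read"]})
    print(json.dumps(body, indent=2))
    print(lint_update_body(body) or "mask and body agree")
```
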
- Get an IAM token for API authentication and put it into the environment variable:
  export IAM_TOKEN="<IAM_token>"
- Clone the cloudapi repository:
  cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
  Below, we assume the repository contents are stored in the ~/cloudapi/ directory.
- Use the ClusterService.Update call and send the following request, e.g., via gRPCurl:
  Warning
  The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.
  Format for listing settings
  "update_mask": {
    "paths": [
      "<setting_1>",
      "<setting_2>",
      ...
      "<setting_N>"
    ]
  }
  grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>",
          "update_mask": {
            "paths": [
              "password",
              "permissions.database_name",
              "permissions.roles"
            ]
          },
          "password": "<user_password>",
          "permissions": [
            {
              "database_name": "<DB_name>",
              "roles": [
                "<role_1>", "<role_2>", ..., "<role_N>"
              ]
            }
          ]
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mongodb.v1.UserService.Update
  Where:
  - update_mask: List of parameters to update as a single string, separated by commas.
  - password: User password.
    Note
    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.
    The password must be between 8 and 128 characters.
  - permissions: User permission settings:
    - database_name: Name of the database the user gets access to.
    - roles: Array of user roles. Each role is provided as a separate string in the array. For the list of possible values, see Users and roles.
  You can request the cluster ID with the list of clusters in the folder and the username, with the list of users in the cluster.
- View the server response to make sure the request was successful.
Deleting a user
- Go to the folder page and select Managed Service for MongoDB.
- Click the name of the cluster you need and select the Users tab.
- Click in the row with the user you need and select Delete.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
To remove a user, run:
yc managed-mongodb user delete <username> \
--cluster-name <cluster_name>
You can request the cluster name with the list of clusters in the folder.
- Open the current Terraform configuration file with an infrastructure plan.
  For more information about creating this file, see Creating clusters.
- Delete the yandex_mdb_mongodb_user resource with the user's description.
- Make sure the settings are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
For more information, see the Terraform provider documentation.
- Get an IAM token for API authentication and put it into the environment variable:
  export IAM_TOKEN="<IAM_token>"
- Use the User.delete method and send the following request, e.g., via cURL:
  curl \
    --request DELETE \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users/<username>'
  You can request the cluster ID with the list of clusters in the folder and the username, with the list of users in the cluster.
- View the server response to make sure the request was successful.
- Get an IAM token for API authentication and put it into the environment variable:
  export IAM_TOKEN="<IAM_token>"
- Clone the cloudapi repository:
  cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
  Below, we assume the repository contents are stored in the ~/cloudapi/ directory.
- Use the ClusterService.Delete call and send the following request, e.g., via gRPCurl:
  grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>"
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mongodb.v1.UserService.Delete
  You can request the cluster ID with the list of clusters in the folder and the username, with the list of users in the cluster.
- View the server response to make sure the request was successful.
Examples
Add a user with read-only permissions
To add a new user (user2) to an existing cluster with read-only access to the db1 database:
- Go to the folder page and select Managed Service for MongoDB.
- Click the cluster name and select the Users tab.
- Click Create user.
- Enter the user2 username and password (from 8 to 128 characters).
- Select the db1 database from the Add database drop-down list.
- Select the read role from the drop-down list next to the db1 database.
- Click Create.
Run the following command:
yc managed-mongodb user create user2 \
--cluster-name <cluster_name> \
--password <user_password> \
--permission database=db1,role=read
- Open the current Terraform configuration file with an infrastructure plan.
  For more information about how to create this file, see Creating clusters.
- Add the yandex_mdb_mongodb_user resource.
  resource "yandex_mdb_mongodb_user" "user2" {
    cluster_id = <cluster_ID>
    name       = "user2"
    password   = "<password>"
    permission {
      database_name = "db1"
      roles         = [ "read" ]
    }
  }
- Make sure the settings are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
For more information, see the Terraform provider documentation.
Modify user permissions
To grant read-only access to the db2 database to user1 of cluster1:
- Go to the folder page and select Managed Service for MongoDB.
- Click the cluster1 name and select the Users tab.
- Click next to user1 and select Configure.
- Click Add database and select db2 as your database.
- Click and select the read role from the drop-down list next to the db2 database.
- Click Save.
Run the following command:
yc managed-mongodb user grant-permission user1 \
--cluster-name cluster1 \
--database db2 \
--role read
- Open the current Terraform configuration file with an infrastructure plan.
  For more information about how to create this file, see Creating clusters.
- Find the yandex_mdb_mongodb_user resource.
- Add a permission section:
  resource "yandex_mdb_mongodb_user" "user1" {
    cluster_id = <cluster_ID>
    name       = "user1"
    password   = "<password>"
    permission {
      database_name = "db2"
      roles         = [ "read" ]
    }
  }
- Make sure the settings are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
For more information, see the Terraform provider documentation.