Manage Programmatic Access to an Organization
- OAuth 2.0 authentication for programmatic access to Atlas is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Atlas Administration API.
Use the following procedures to manage programmatic access to an organization. To learn more, see Grant Programmatic Access to an Organization.
Required Access
To perform any of the following actions, you must have Organization Owner access to Atlas.
View Programmatic Access to an Organization
You can view the details of all API keys or service accounts that have access to your organization.
You can view a list of API keys, the details of an API key, or the access list for an API key in an organization using the Atlas CLI.
View API Keys
To list all API keys in an organization using the Atlas CLI, run the following command:
atlas organizations apiKeys list [options]
To return the details for an API key in an organization using the Atlas CLI, run the following command:
atlas organizations apiKeys describe <ID> [options]
To learn more about the syntax and parameters for the previous commands, see the Atlas CLI documentation for atlas organizations apiKeys list and atlas organizations apiKeys describe.
View API Access List Entries for the API Key
To list IP access list entries for your API key using the Atlas CLI, run the following command:
atlas organizations apiKeys accessLists list <apiKeyID> [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas organizations apiKeys accessLists list.
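The listings above are most useful when reviewed together: which keys hold powerful roles, and from how wide an address range each may call the API. The following Python sketch is an added example, not part of the Atlas documentation or tooling. It checks already-exported key and access list records; the JSON field names, the sample records, and the `MAX_HOSTS` and `SENSITIVE_ROLES` settings are assumptions of this example.

```python
import ipaddress

# Assumed field names (id, roles[].roleName, cidrBlock, ipAddress); check your CLI's JSON.
MAX_HOSTS = 256                  # flag entries covering more addresses than an IPv4 /24
SENSITIVE_ROLES = {"ORG_OWNER"}  # roles that deserve the tightest access list

def entry_network(entry):
    """Return the network covered by one access list entry."""
    raw = entry.get("cidrBlock") or entry.get("ipAddress")
    return ipaddress.ip_network(raw, strict=False)

def audit_key(key, entries):
    """Return review findings for one API key and its access list entries."""
    findings = []
    roles = {r["roleName"] for r in key.get("roles", [])}
    for role in sorted(roles & SENSITIVE_ROLES):
        findings.append(f"holds {role}")
    if not entries:
        findings.append("no access list entries")
    for entry in entries:
        net = entry_network(entry)
        if net.num_addresses > MAX_HOSTS:
            findings.append(f"broad entry {net} ({net.num_addresses} addresses)")
    return findings

def audit_all(keys, access_lists):
    """Map key id -> findings, omitting keys with nothing to review."""
    report = {}
    for key in keys:
        findings = audit_key(key, access_lists.get(key["id"], []))
        if findings:
            report[key["id"]] = findings
    return report

# Constructed sample data, not real keys or addresses.
SAMPLE_KEYS = [
    {"id": "key-ci", "roles": [{"roleName": "ORG_READ_ONLY"}]},
    {"id": "key-admin", "roles": [{"roleName": "ORG_OWNER"}]},
    {"id": "key-unused", "roles": [{"roleName": "ORG_MEMBER"}]},
]
SAMPLE_ACCESS_LISTS = {
    "key-ci": [{"cidrBlock": "203.0.113.10/32", "ipAddress": "203.0.113.10"}],
    "key-admin": [{"cidrBlock": "0.0.0.0/0"}, {"cidrBlock": "198.51.100.0/24"}],
    "key-unused": [],
}

if __name__ == "__main__":
    for key_id, findings in audit_all(SAMPLE_KEYS, SAMPLE_ACCESS_LISTS).items():
        print(key_id, "->", "; ".join(findings))
```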
To view the details of an API key in an organization using the Atlas UI:
In Atlas, go to the Organization Access Manager page.
If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Do one of the following steps:
Select Organization Access from the Access Manager menu in the navigation bar.
Click Access Manager in the sidebar.
The Organization Access Manager page displays.
View the Access List.
Click to the right of the API Key.
Click View Details.
The <Public Key> API Key Details modal displays:
- The obfuscated Private Key
- The date the Key was last used
- The date the Key was created
- The IP addresses from which the Key can access the API
- The projects to which the Key has been granted access
In Atlas, go to the Organization Access Manager page.
If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Do one of the following steps:
Select Organization Access from the Access Manager menu in the navigation bar.
Click Access Manager in the sidebar.
The Organization Access Manager page displays.
Click Service Accounts.
All the service accounts with access to your organization are listed.
Click the name of a service account to view its details, including:
- The obfuscated client secret for the service account
- The date the client secret was last used
- The date the client secret was created
- The IP addresses from which the service account can access the API
- The roles the service account has been assigned
You can use the Atlas Administration API to list the names and details of the service accounts that have access to your organization.
Update Programmatic Access to an Organization
You can change the roles or access list for an API key in an organization using the Atlas CLI.
Change an API Key's Roles
To update an API key in an organization using the Atlas CLI, run the following command:
atlas organizations apiKeys assign <apiKeyId> [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas organizations apiKeys assign.
Add an API Access List Entry for the API Key
To create an IP access list entry for your API key using the Atlas CLI, run the following command:
atlas organizations apiKeys accessLists create [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas organizations apiKeys accessLists create.
Delete an API Access List Entry for the API Key
To delete an IP access list entry for your API key using the Atlas CLI, run the following command:
atlas organizations apiKeys accessLists delete <entry> [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas organizations apiKeys accessLists delete.
You can change the roles, description, or access list for an API Key in an organization using the Atlas UI.
In Atlas, go to the Organization Access Manager page.
If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Do one of the following steps:
Select Organization Access from the Access Manager menu in the navigation bar.
Click Access Manager in the sidebar.
The Organization Access Manager page displays.
Edit the API Key Information.
On the Add API Key page:
Modify the Description.
In the Organization Permissions menu, select the new role or roles for the API key.
Edit the API Access List.
To add an IP address or CIDR block from which you want Atlas to accept API requests for this API Key, click Add Access List Entry and type an IP address.
You can also click Use Current IP Address if the host you are using to access Atlas will also make API requests using this API Key.
To remove an IP address from the access list, click to the right of the IP address.
Click Save.
You can change the roles, name, description, or access list for a service account in an organization using the Atlas UI. You can also generate a new client secret.
In Atlas, go to the Organization Access Manager page.
If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Do one of the following steps:
Select Organization Access from the Access Manager menu in the navigation bar.
Click Access Manager in the sidebar.
The Organization Access Manager page displays.
Edit the Organization Permissions.
Click Edit Permissions.
From the Organization Permissions menu, select the new role or roles for the service account.
Click Save and next.
Important
The service account credentials remain active until they expire or are revoked.
Edit the API Access List.
To add an IP address or CIDR block from which you want Atlas to accept API requests for this service account, click Add Access List Entry and type an IP address.
You can also click Use Current IP Address if the host you are using to access Atlas will also make API requests using this service account.
To remove an IP address from the access list, click to the right of the IP address.
Click Save.
You can use the Atlas Administration API to:
Revoke Programmatic Access to an Organization
To delete an API key from an organization using the Atlas CLI, run the following command:
atlas organizations apiKeys delete <ID> [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas organizations apiKeys delete.
To delete an access list entry for an API key in an organization, see Update Programmatic Access to an Organization.
In Atlas, go to the Organization Access Manager page.
If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Do one of the following steps:
Select Organization Access from the Access Manager menu in the navigation bar.
Click Access Manager in the sidebar.
The Organization Access Manager page displays.
In Atlas, go to the Organization Access Manager page.
If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Do one of the following steps:
Select Organization Access from the Access Manager menu in the navigation bar.
Click Access Manager in the sidebar.
The Organization Access Manager page displays.
You can use the Atlas Administration API to: