Managing Amazon DocumentDB Users

    Note

    All new users created before March 26, 2020 have been granted the dbAdminAnyDatabase, readWriteAnyDatabase, and clusterAdmin roles. It is recommended that you reevaluate all users and modify the roles as necessary to enforce least privilege for all users in your clusters.

    For more information, see Restricting Database Access Using Role-Based Access Control (Built-In Roles).

    A newly created Amazon DocumentDB cluster has two users: the master user and the serviceadmin user.

    The master user is a single, privileged user that can perform administrative tasks and create additional users with roles. When you connect to an Amazon DocumentDB cluster for the first time, you must authenticate using the master user name and password. The master user receives these administrative permissions for an Amazon DocumentDB cluster when that cluster is created, and is granted the role of root.

    The serviceadmin user is created implicitly when the cluster is created. Every Amazon DocumentDB cluster has a serviceadmin user that provides AWS the ability to manage your cluster. You cannot log in as, drop, rename, change the password, or change the permissions for . Any attempt to do so results in an error.

    The master and serviceadmin users for an Amazon DocumentDB cluster cannot be deleted and the role of root for the master user cannot be revoked.

    If you forget your master user password, you can reset it using the AWS Management Console or the AWS CLI.

    After you connect as the master user (or any user that has the role createUser), you can create a new user, as shown below.

    To view user details, you can use the show users command as follows. You can additionally remove users with the dropUser command. For more information, see .

    In the example above, the new user sample-user-1 is attributed to the admin database. This is always the case for a new user. Amazon DocumentDB does not have the concept of an authenticationDatabase and thus all authentication is performed in the context of the database.

    When creating users, if you omit the db field when specifying the role, Amazon DocumentDB will implicitly attribute the role to the database in which the connection is being issued against. For example, if your connection is issued against the database sample-database and you run the following command, the user sample-user-2 will be created in the admin database and will have readWrite permissions to the database sample-database.

    To switch the context of your database, you can use the following command.

    To learn more about Role Based Access Control and enforcing least privilege amongst the users in your cluster, see Restricting Database Access Using Role-Based Access Control (Built-In Roles).

    With AWS Secrets Manager, you can replace hardcoded credentials in your code (including passwords) with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure that the secret can’t be compromised by someone examining your code, because the secret simply isn’t there. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a schedule that you specify. This enables you to replace long-term secrets with short-term ones, which helps to significantly reduce the risk of compromise.

    Using Secrets Manager, you can automatically rotate your Amazon DocumentDB passwords (that is, secrets) using an AWS Lambda function that Secrets Manager provides.

    For more information about AWS Secrets Manager and native integration with Amazon DocumentDB, see the following: