doc: Migration guide to move from API Keys (PAKs) to Service Accounts #4047
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
filipcirtog
changed the base branch from
master
to
CLOUDP-352932-service-accounts-dev
filipcirtog
changed the title
manupedrozo
reviewed
Jan 8, 2026
Collaborator
manupedrozo
left a comment
manupedrozo
left a comment
There was a problem hiding this comment.
Good first draft!
Extra comments:
- Did you follow the guide yourself to verify it works as expected?
- It would be great to have supporting examples (for both org and project resources) like: migrate_atlas_user_and_atlas_users
- Note the v1/v2/v3 structure that matches this guide
- Then link to the examples guides from the tf docs
| page_title: "Migration Guide: Programmatic API Keys (PAKs) to Service Accounts (SAs)" | ||
| --- | ||
|
|
||
| **Note:** Migration to Service Accounts is **not required**. If you are currently using `mongodbatlas_api_key`, `mongodbatlas_api_key_project_assignment`, and `mongodbatlas_access_list_api_key` resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security, flexibility, or best practices, but existing PAK configurations will continue to work and are supported. |
Collaborator
There was a problem hiding this comment.
Not sure if flexibility is a pro of SAs vs PAKs.
Suggested change
| **Note:** Migration to Service Accounts is **not required**. If you are currently using `mongodbatlas_api_key`, `mongodbatlas_api_key_project_assignment`, and `mongodbatlas_access_list_api_key` resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security, flexibility, or best practices, but existing PAK configurations will continue to work and are supported. | |
| **Note:** Migration to Service Accounts is **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and are supported. |
|
|
||
| # Migration Guide: Programmatic API Keys (PAKs) to Service Accounts (SAs) | ||
|
|
||
| The goal of this guide is to help users transition from Programmatic API Keys (PAKs) to Service Accounts (SAs) in MongoDB Atlas. Service Accounts provide a more secure and flexible authentication method that eliminates the need to manage API key secrets in Terraform state. |
Collaborator
There was a problem hiding this comment.
"Service Accounts provide a more secure and flexible authentication method" - Not sure how SAs are more flexible
"Service Accounts provide a more secure and flexible authentication method that eliminates the need to manage API key secrets in Terraform state" - But we now have to manage SAs instead of PAKs, so wouldn't include this as an upside.
Take a look at the docs for the advantage of SAs over PAKs: Service accounts are the recommended method to manage authentication to the Atlas Administration API. Service accounts provide improved security over API keys by using the industry standard OAuth 2.0 protocol with the Client Credentials flow.
|
|
||
| The following table shows the mapping between PAK resources and their Service Account equivalents: | ||
|
|
||
| | PAK Resource | Service Account Resource | Notes | |
Collaborator
There was a problem hiding this comment.
I think we should:
- Include project level resources here as well.
- Introduce 2 guides (2 sections in this same guide), 1 for org level and 1 for project level. Similar to Org Membership / Team Membership / etc in https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/guides/atlas-user-management
- We need to be clear that the project resources should only be used if the user does not have org level permissions to manage service accounts. Otherwise, org level resources are the recommended approach.
|
|
||
| | PAK Resource | Service Account Resource | Notes | | ||
| |--------------|-------------------------|-------| | ||
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | Organization-level key/account | |
Collaborator
There was a problem hiding this comment.
Suggested change
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | Organization-level key/account | | |
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | API key / Service Account | |
| resource "mongodbatlas_api_key_project_assignment" "example" { | ||
| project_id = var.project_id | ||
| api_key_id = mongodbatlas_api_key.example.api_key_id | ||
| roles = ["GROUP_OWNER", "GROUP_DATA_ACCESS_ADMIN"] |
Collaborator
There was a problem hiding this comment.
Just for clarity, wouldn't mix GROUP_OWNER with other roles since owner already contains other roles. Maybe go with ["GROUP_READ_ONLY", "GROUP_DATA_ACCESS_READ_ONLY"].
| resource "mongodbatlas_access_list_api_key" "example" { | ||
| org_id = var.org_id | ||
| api_key_id = mongodbatlas_api_key.example.api_key_id | ||
| cidr_block = "192.168.1.0/24" |
Collaborator
There was a problem hiding this comment.
Matching the alternative to avoid confusion (also in other occurrences)
Suggested change
| cidr_block = "192.168.1.0/24" | |
| cidr_block = "192.168.1.100/32" |
|
|
||
| ## Stage 2: Intermediate State (Both PAK and SA Resources) | ||
|
|
||
| In this stage, you'll add Service Account resources alongside your existing PAK resources. This allows both authentication methods to work simultaneously, enabling you to test Service Accounts before removing PAKs. |
Collaborator
There was a problem hiding this comment.
Suggested change
| In this stage, you'll add Service Account resources alongside your existing PAK resources. This allows both authentication methods to work simultaneously, enabling you to test Service Accounts before removing PAKs. | |
| In this stage, you will add Service Account resources alongside your existing PAK resources. This allows both authentication methods to work simultaneously, enabling you to test Service Accounts before removing PAKs. |
|
|
||
| 4. Run `terraform plan` to review the changes. | ||
| 5. Run `terraform apply` to create the Service Account resources. | ||
| 6. **Important**: Save the Service Account secret from the output. When a Service Account is created, a secret is automatically generated. The secret value is only returned once at creation time. |
Collaborator
There was a problem hiding this comment.
- The output block should be added together with the service account before running
applyin step 4 - I think we can remove the datasources
manupedrozo
reviewed
Jan 9, 2026
Collaborator
manupedrozo
left a comment
manupedrozo
left a comment
There was a problem hiding this comment.
Thanks for the iteration, I think its in much better shape now!
Left more comments - Its ready to share with the docs team as well.
Comment on lines
+7
to
+12
| ## Overview | ||
|
|
||
| Service Accounts are the recommended method to manage authentication to the Atlas Administration API. Service Accounts provide improved security over API keys by using the industry standard OAuth 2.0 protocol with the Client Credentials flow. This guide covers migrating from Programmatic API Keys (PAKs) to Service Accounts (SAs) in MongoDB Atlas. | ||
|
|
||
| **Note:** Migration to Service Accounts is **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and are supported. | ||
|
|
Collaborator
There was a problem hiding this comment.
Suggesting the following. Would like to get docs team input here:
Suggested change
| ## Overview | |
| Service Accounts are the recommended method to manage authentication to the Atlas Administration API. Service Accounts provide improved security over API keys by using the industry standard OAuth 2.0 protocol with the Client Credentials flow. This guide covers migrating from Programmatic API Keys (PAKs) to Service Accounts (SAs) in MongoDB Atlas. | |
| **Note:** Migration to Service Accounts is **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and are supported. | |
| ## Overview | |
| This guide explains how to migrate from Programmatic API Key (PAK) resources to Service Account (SA) resources. | |
| **Note:** Migration to Service Accounts is **not required**. If you are currently using API Key resources, you may continue to do so. This guide is for users who wish to adopt Service Accounts for greater security or best practices, but existing PAK configurations will continue to work and be supported. | |
|
|
||
| | PAK Resource | Service Account Resource | Notes | | ||
| |--------------|-------------------------|-------| | ||
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | Organization-level API key / Service Account | |
Collaborator
There was a problem hiding this comment.
Suggested change
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | Organization-level API key / Service Account | | |
| | `mongodbatlas_api_key` | `mongodbatlas_service_account` | API key / Service Account | |
|
|
||
| ### Step 1: Initial State - PAK Resources Only | ||
|
|
||
| This is your starting configuration with organization-level PAK resources (org PAK + assignment to project + access list entry): |
Collaborator
There was a problem hiding this comment.
Suggested change
| This is your starting configuration with organization-level PAK resources (org PAK + assignment to project + access list entry): | |
| Original configuration with organization-level PAK resources: |
|
|
||
| For complete working examples, see the [organization-level migration example](https://github.com/mongodb/terraform-provider-mongodbatlas/tree/master/examples/migrate_pak_to_service_account/org_level). | ||
|
|
||
| ### Step 1: Initial State - PAK Resources Only |
Collaborator
There was a problem hiding this comment.
Suggested change
| ### Step 1: Initial State - PAK Resources Only | |
| ### Step 1: Initial Configuration - PAK Resources Only |
| This is your starting configuration with organization-level PAK resources (org PAK + assignment to project + access list entry): | ||
|
|
||
| ```terraform | ||
| # Organization-level Programmatic API Key |
Collaborator
There was a problem hiding this comment.
I think we can avoid repeating "organization-level" so often. Should be clear since we are in the "Organization-Level API Keys to Service Accounts" section.
Changing the api key description to not say "for project access" may help.
|
|
||
| --- | ||
|
|
||
| - **Important:** The Service Account secret is only returned once at creation time. Make sure to save it securely before proceeding. |
Collaborator
There was a problem hiding this comment.
Bit out of place, I think you can remove
| <details> | ||
| <summary><span style="font-size:1.4em; font-weight:bold;">Project-Level Migration</span></summary> | ||
|
|
||
| ## Project-Level API Keys to Service Accounts |
Collaborator
There was a problem hiding this comment.
Assume same comments as for Org-level steps
| @@ -0,0 +1,9 @@ | |||
| terraform { | |||
| required_version = ">= 1.7.0" | |||
| description = "The secret value of the first secret created with the service account. Only available after initial creation." | ||
| value = try(mongodbatlas_service_account.example.secrets[0].secret, null) | ||
| sensitive = true | ||
| } No newline at end of file |
| @@ -0,0 +1,19 @@ | |||
| # Combined Example: Organization-Level PAK → Service Account | |||
Collaborator
There was a problem hiding this comment.
Given that we don't have readmes with instructions in the subfolders, I suggest following this style of readme here instead: examples/migrate_atlas_user_and_atlas_users/README.md
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The guide should follows the following steps:
Link to any related issue(s):
Type of change:
Required Checklist:
Further comments