CLOUDP-329789: add service account example

.github/workflows/test.yml

@@ -12,6 +12,7 @@ env:
   MONGODB_ATLAS_ORG_ID: ${{ secrets.ORG_ID }}
   MONGODB_ATLAS_PROJECT_ID: ${{ secrets.PROJECT_ID }}
   MONGODB_ATLAS_OPS_MANAGER_URL: ${{ vars.CLOUD_DEV_URL }}
+  MONGODB_ATLAS_SILENCE_STORAGE_WARNING: "true"
 jobs:
   no-version:
     name: Use AtlasCLI without version input
@@ -107,3 +108,40 @@ jobs:
         with:
           delete-project-id: ${{ steps.create-project.outputs.create-project-id }}
           delete-cluster-name: ${{github.run_id}}-cluster
+
+  service-account-authentication:
+    name: Setup a Service Account and create a project
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create a Service Account and get client ID and client secret
+        id: generate_sa
+        run: |
+          bash build/generate-service-account.sh
+      - name: Create a project
+        env: 
+            MONGODB_ATLAS_PUBLIC_API_KEY: "" # Temporarily set to empty so that the action uses the client ID and client secret
+            MONGODB_ATLAS_PRIVATE_API_KEY: "" 
+            MONGODB_ATLAS_CLIENT_ID: ${{ steps.generate_sa.outputs.client-id }}
+            MONGODB_ATLAS_CLIENT_SECRET: ${{ steps.generate_sa.outputs.client-secret }}
+        uses: mongodb/atlas-github-action@v0.2.0
+        id: create-project
+        with:
+          create-project-name: ${{ github.run_id }}-project3
+      - name: Delete a project
+        env: 
+            MONGODB_ATLAS_PUBLIC_API_KEY: ""
+            MONGODB_ATLAS_PRIVATE_API_KEY: ""
+            MONGODB_ATLAS_CLIENT_ID: ${{ steps.generate_sa.outputs.client-id }}
+            MONGODB_ATLAS_CLIENT_SECRET: ${{ steps.generate_sa.outputs.client-secret }}
+        uses: mongodb/atlas-github-action@v0.2.0
+        with:
+          delete-project-id: ${{ steps.create-project.outputs.create-project-id }}
+
+      - name: Delete the Service Account
+        env:
+          CLIENT_ID: ${{ steps.generate_sa.outputs.client-id }}
+        run: |
+          bash build/terminate-service-account.sh

README.md

@@ -16,10 +16,13 @@ latest version is officially supported.
 
 Before you begin, complete the following prerequisites:
 
-1. [Configure Atlas CLI API Keys](https://www.mongodb.com/docs/atlas/configure-api-access/) for your organization or project.
-2. Add the API Keys to the [repository secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets).
-3. Set the environment variables `MONGODB_ATLAS_PUBLIC_API_KEY` and `MONGODB_ATLAS_PRIVATE_API_KEY` to the Atlas CLI API Keys you configured.
-See [Atlas CLI Environment Variables](https://www.mongodb.com/docs/atlas/cli/stable/atlas-cli-env-variables/) for all supported environment variables.
+1. [Configure programmatic authenticaiton](https://www.mongodb.com/docs/atlas/configure-api-access/) for your organization or project.
+2. Add the authentication credentials to the [repository secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets).
+3. In your workflow, set the appropriate environment variables using the secrets you configured in step 2.  
+   - For Service Account authentication, set `MONGODB_ATLAS_CLIENT_ID` and `MONGODB_ATLAS_CLIENT_SECRET`.  
+   - For API key authentication, set `MONGODB_ATLAS_PUBLIC_API_KEY` and `MONGODB_ATLAS_PRIVATE_API_KEY`.  
+
+   See [Atlas CLI Environment Variables](https://www.mongodb.com/docs/atlas/cli/stable/atlas-cli-env-variables/) for all supported environment variables.
 
 ## Configuration
 
@@ -49,7 +52,7 @@ jobs:
 ```
 
 ### Setup and Teardown
-This workflow sets up a project and creates a free cluster. It retrieves the connection string which can be used to connect to the new cluster.
+This workflow sets up a project and creates a free cluster using an API Key to authenticate. It retrieves the connection string which can be used to connect to the new cluster.
 Afterwards, it deletes the project and cluster.
 ```yaml
 on: [push]
@@ -92,6 +95,38 @@ jobs:
           delete-cluster-name: test-cluster
 ```
 
+### List Clusters with Service Account Credentials
+This workflow uses Service Account credentials to authenticate and lists all clusters in a specified project. The output is saved to a file for later use.
+
+```yaml
+on: [push]
+
+name: Atlas CLI List Clusters Example
+
+env:
+  MONGODB_ATLAS_CLIENT_ID: ${{ secrets.CLIENT_ID }}
+  MONGODB_ATLAS_CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
+  MONGODB_ATLAS_ORG_ID: ${{ secrets.ORG_ID }} # default organisation ID
+  MONGODB_ATLAS_PROJECT_ID: ${{ secrets.PROJECT_ID }} # default project ID
+
+jobs:
+  list-clusters:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Setup AtlasCLI
+        uses: mongodb/atlas-github-action@v0.2.0
+      - name: List Clusters
+        shell: bash
+        run: |
+          atlas cluster list --projectId "$MONGODB_ATLAS_PROJECT_ID" --output json > clusters.json
+      - name: Upload Cluster List
+        uses: actions/upload-artifact@v4
+        with:
+          name: clusters-list
+          path: clusters.json
+```
+
 
 ## Limitations
 This Action supports only Linux runners (e.g. ubuntu-latest).

build/generate-service-account.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -z "$MONGODB_ATLAS_PUBLIC_API_KEY" ]; then
+  echo "MONGODB_ATLAS_PUBLIC_API_KEY env var is not set"
+  exit 1
+fi
+if [ -z "$MONGODB_ATLAS_PRIVATE_API_KEY" ]; then
+  echo "MONGODB_ATLAS_PRIVATE_API_KEY env var is not set"
+  exit 1
+fi
+if [ -z "$MONGODB_ATLAS_ORG_ID" ]; then
+  echo "MONGODB_ATLAS_ORG_ID env var is not set"
+  exit 1
+fi
+if [ -z "$MONGODB_ATLAS_OPS_MANAGER_URL" ]; then
+  echo "MONGODB_ATLAS_ORG_ID env var is not set"
+  exit 1
+fi
+
+output=$(
+    curl --user "${MONGODB_ATLAS_PUBLIC_API_KEY}:${MONGODB_ATLAS_PRIVATE_API_KEY}" \
+    --digest \
+    --header "Accept: application/vnd.atlas.2025-03-12+json" \
+    --header "Content-Type: application/json" \
+    -X POST "${MONGODB_ATLAS_OPS_MANAGER_URL}api/atlas/v2/orgs/${MONGODB_ATLAS_ORG_ID}/serviceAccounts" \
+    -d '{
+    "description": "test service account for atlascli github actions",
+    "name": "atlascli-github-actions-service-account",
+    "roles": [
+        "ORG_OWNER"
+    ],
+    "secretExpiresAfterHours": 8
+    }'
+)
+
+client_id=$(echo "$output" | jq -r '.clientId')
+client_secret=$(echo "$output" | jq -r '.secrets[0].secret')
+
+if [ -z "$client_id" ] || [ "$client_id" = "null" ] || [ -z "$client_secret" ] || [ "$client_secret" = "null" ]; then
+  echo "Failed to create service account. Response:"
+  echo "$output"
+  exit 1
+else
+  echo "Service account with client ID $client_id created successfully."
+fi
+
+echo "client-id=$client_id" >> "$GITHUB_OUTPUT"
+echo "client-secret=$client_secret" >> "$GITHUB_OUTPUT"

build/terminate-service-account.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -z "$MONGODB_ATLAS_PUBLIC_API_KEY" ]; then
+  echo "MONGODB_ATLAS_PUBLIC_API_KEY env var is not set"
+  exit 1
+fi
+if [ -z "$MONGODB_ATLAS_PRIVATE_API_KEY" ]; then
+  echo "MONGODB_ATLAS_PRIVATE_API_KEY env var is not set"
+  exit 1
+fi
+if [ -z "$MONGODB_ATLAS_ORG_ID" ]; then
+  echo "MONGODB_ATLAS_ORG_ID env var is not set"
+  exit 1
+fi
+if [ -z "$CLIENT_ID" ]; then
+  echo "CLIENT_ID env var is not set"
+  exit 1
+fi
+
+output=$(
+    curl --user "${MONGODB_ATLAS_PUBLIC_API_KEY}:${MONGODB_ATLAS_PRIVATE_API_KEY}" \
+    --digest \
+    --header "Accept: application/vnd.atlas.2025-03-12+json" \
+    --header "Content-Type: application/json" \
+    -X DELETE "https://cloud.mongodb.com/api/atlas/v2/orgs/${MONGODB_ATLAS_ORG_ID}/serviceAccounts/${CLIENT_ID}"
+)
+error_code=$(echo "$output" | jq -r '.error')
+
+if [ "$error_code" -ge 300 ]; then
+  echo "Failed to delete service account with Client ID $CLIENT_ID. Response:"
+  echo "$output"
+  exit 1
+else
+  echo "Service account with Client ID $CLIENT_ID has been deleted successfully."
+fi