CLOUDP-304203: Add support to Service Accounts (#4130)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Melanija Cvetic <119604954+cveticm@users.noreply.github.com>
Co-authored-by: Jeroen Vervaeke <9132134+jeroenvervaeke@users.noreply.github.com>
Co-authored-by: Wesley Nabo <102980553+Waybo26@users.noreply.github.com>
Co-authored-by: Filipe Constantinov Menezes <filipe.menezes@mongodb.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: apix-bot[bot] <168195273+apix-bot[bot]@users.noreply.github.com>
Co-authored-by: Jeroen Vervaeke <jeroen.vervaeke@mongodb.com>

Author: 7 people

.golangci.yml

@@ -145,6 +145,8 @@ linters:
           alias: storeTransport
         - pkg: github.com/mongodb/mongodb-atlas-cli/atlascli/tools/shared/api
           alias: shared_api
+        - pkg: github.com/mongodb/atlas-cli-core/mocks
+          alias: coreMocks
       no-extra-aliases: true
     misspell:
       locale: US

SECURITY.md

@@ -2,7 +2,47 @@
 
 ## Reporting a Vulnerability
 
-Any security concerns or vulnerabilities discovered in one of MongoDB’s products or hosted services 
+Any security concerns or vulnerabilities discovered in one of MongoDB's products or hosted services 
 can be responsibly disclosed by utilizing one of the methods described in our [create a vulnerability report](https://docs.mongodb.com/manual/tutorial/create-a-vulnerability-report/) docs page.
 
 While we greatly appreciate community reports regarding security issues, at this time MongoDB does not provide compensation for vulnerability reports.
+
+## Credential Storage
+
+The MongoDB Atlas CLI uses a hybrid approach to store sensitive credentials, prioritizing security while maintaining compatibility across different environments and systems.
+
+### Secure Storage (Preferred)
+
+When available, the CLI uses your operating system's native keyring services to securely store sensitive credentials. This provides the highest level of security by leveraging OS-level encryption and access controls.
+
+**Credentials stored securely include:**
+- API Keys (public and private)
+- Access Tokens
+- Refresh Tokens  
+- Client ID and Client Secret
+
+**Supported platforms:**
+- **macOS**: Uses Keychain Services for secure credential storage
+- **Windows**: Integrates with Windows Credential Manager
+- **Linux**: Works with desktop [Secret Service](https://specifications.freedesktop.org/secret-service-spec/latest/) dbus interface
+
+### Insecure Storage (Fallback)
+
+If the operating system's keyring services are unavailable, the CLI automatically falls back to storing credentials in a local configuration file (`config.toml`). This ensures the CLI remains functional even in restricted environments.
+
+**Important security considerations for fallback storage:**
+- Credentials are stored in plain text in the configuration file
+
+### Checking Your Storage Method
+
+You can verify whether your CLI is using secure storage by running any `atlas` command. You'll see the message `Warning: Secure storage is not available, falling back to insecure storage`, when secure storage is not available.
+
+### Technical Implementation
+
+The CLI uses the [go-keyring](https://github.com/zalando/go-keyring) library to interface with OS keyring services. Each profile's credentials are stored under a service name prefixed with `atlascli_` (e.g., `atlascli_default` for the default profile).
+
+For detailed information about how your operating system manages keyring encryption and security:
+
+- **macOS Keychain**: [Apple Keychain Services Documentation](https://developer.apple.com/documentation/security/keychain_services)
+- **Windows Credential Manager**: [Windows Credential Manager Documentation](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/)
+- **Linux GNOME Keyring**: [GNOME Keyring Documentation](https://wiki.gnome.org/Projects/GnomeKeyring)

build/ci/evergreen.yml

@@ -685,6 +685,18 @@ tasks:
       - func: "e2e test"
         vars:
           E2E_TEST_PACKAGES: ./test/e2e/atlas/serverless/instance/...
+  - name: atlas_service_account_e2e
+    tags: ["e2e","generic","atlas"]
+    must_have_test_results: true
+    depends_on:
+      - name: compile
+        variant: "code_health"
+        patch_optional: true
+    commands:
+      - func: "install gotestsum"
+      - func: "e2e test"
+        vars:
+          E2E_TEST_PACKAGES: ./test/e2e/atlas/serviceAccount/...
   - name: atlas_gov_clusters_flags_e2e
     tags: ["e2e","clusters","atlasgov","foliage_check_task_only"]
     must_have_test_results: true
@@ -1365,6 +1377,25 @@ tasks:
               -e SNYK_CFG_ORG=${SNYK_ORG} \
               -v ${workdir}/src/github.com/mongodb/mongodb-atlas-cli:/app \
               snyk/snyk:golang snyk monitor
+  # 
+  - name: atlas_config_migration_e2e
+    tags: ["e2e","config-migration"]
+    must_have_test_results: true
+    depends_on:
+      - name: compile
+        variant: "code_health"
+        patch_optional: true
+    commands:
+      - func: "install gotestsum"
+      - func: "e2e test"
+        vars:
+          MONGODB_ATLAS_ORG_ID: ${atlas_org_id}
+          MONGODB_ATLAS_PROJECT_ID: ${atlas_project_id}
+          MONGODB_ATLAS_PRIVATE_API_KEY: ${atlas_private_api_key}
+          MONGODB_ATLAS_PUBLIC_API_KEY: ${atlas_public_api_key}
+          MONGODB_ATLAS_OPS_MANAGER_URL: ${mcli_ops_manager_url}
+          MONGODB_ATLAS_SERVICE: cloud
+          E2E_TEST_PACKAGES: ./test/e2e/config/migration/...
 task_groups:
   - name: atlas_deployments_windows_group
     setup_task:
@@ -1683,6 +1714,18 @@ buildvariants:
       - ubuntu2204-small
     tasks:
       - name: ".snyk"
+  - name: e2e_config_migration_macos_14
+    display_name: "E2E Config Migration Tests"
+    allowed_requesters: ["patch", "ad_hoc", "github_pr"]
+    tags:
+      - config-migration
+      - foliage_health
+    run_on:
+      - macos-14-arm64-docker
+    expansions:
+      <<: *go_linux_version
+    tasks:
+      - name: ".e2e .config-migration"
 patch_aliases:
   - alias: "localdev"
     variant_tags: ["localdev cron"]
@@ -1707,4 +1750,4 @@ git_tag_aliases:
     task: ".*"
 github_checks_aliases:
  - variant: ".*"
-   task: ".*"
+   task: ".*"

build/ci/library_owners.json

@@ -26,6 +26,7 @@
 	"github.com/mholt/archives": "apix-2",
 	"github.com/mongodb-forks/digest": "apix-2",
 	"github.com/mongodb-labs/cobra2snooty": "apix-2",
+	"github.com/mongodb/atlas-cli-core": "apix-2",
 	"github.com/Netflix/go-expect": "apix-2",
 	"github.com/PaesslerAG/jsonpath": "apix-2",
 	"github.com/pelletier/go-toml": "apix-2",
@@ -40,6 +41,7 @@
 	"github.com/stretchr/testify": "apix-2",
 	"github.com/tangzero/inflector": "apix-2",
 	"github.com/yuin/goldmark": "apix-2",
+	"github.com/zalando/go-keyring": "apix-2",
 	"go.mongodb.org/atlas-sdk/v20240530005": "apix-2",
 	"go.mongodb.org/atlas-sdk/v20250312006": "apix-2",
 	"go.mongodb.org/atlas": "apix-2",
@@ -50,6 +52,7 @@
 	"go.uber.org/mock": "apix-2",
 	"golang.org/x/mod": "apix-2",
 	"golang.org/x/net": "apix-2",
+	"golang.org/x/oauth2": "apix-2",
 	"golang.org/x/sys": "apix-2",
 	"golang.org/x/tools": "apix-2",
 	"google.golang.org/api": "apix-2",

build/package/purls.txt

@@ -1,3 +1,4 @@
+pkg:golang/al.essio.dev/pkg/shellescape@v1.5.1
 pkg:golang/cloud.google.com/go/auth/oauth2adapt@v0.2.8
 pkg:golang/cloud.google.com/go/auth@v0.16.5
 pkg:golang/cloud.google.com/go/compute/metadata@v0.8.0
@@ -38,16 +39,18 @@ pkg:golang/github.com/briandowns/spinner@v1.23.2
 pkg:golang/github.com/cli/go-gh/v2@v2.12.2
 pkg:golang/github.com/cli/safeexec@v1.0.0
 pkg:golang/github.com/cloudflare/circl@v1.6.1
+pkg:golang/github.com/danieljoos/wincred@v1.2.2
 pkg:golang/github.com/denisbrodbeck/machineid@v1.0.1
 pkg:golang/github.com/dsnet/compress@v0.0.2-0.20230904184137-39efe44ab707
 pkg:golang/github.com/ebitengine/purego@v0.8.4
 pkg:golang/github.com/fatih/color@v1.14.1
 pkg:golang/github.com/felixge/httpsnoop@v1.0.4
-pkg:golang/github.com/fsnotify/fsnotify@v1.8.0
+pkg:golang/github.com/fsnotify/fsnotify@v1.9.0
 pkg:golang/github.com/go-logr/logr@v1.4.3
 pkg:golang/github.com/go-logr/stdr@v1.2.2
 pkg:golang/github.com/go-ole/go-ole@v1.2.6
 pkg:golang/github.com/go-viper/mapstructure/v2@v2.4.0
+pkg:golang/github.com/godbus/dbus/v5@v5.1.0
 pkg:golang/github.com/golang-jwt/jwt/v5@v5.3.0
 pkg:golang/github.com/golang/snappy@v0.0.4
 pkg:golang/github.com/google/go-github/v61@v61.0.0
@@ -72,6 +75,7 @@ pkg:golang/github.com/mholt/archives@v0.1.3
 pkg:golang/github.com/mikelolasagasti/xz@v1.0.1
 pkg:golang/github.com/minio/minlz@v1.0.0
 pkg:golang/github.com/mongodb-forks/digest@v1.1.0
+pkg:golang/github.com/mongodb/atlas-cli-core@v0.0.0-20250822132614-230a610dbe0f
 pkg:golang/github.com/montanaflynn/stats@v0.7.1
 pkg:golang/github.com/nwaples/rardecode/v2@v2.1.0
 pkg:golang/github.com/pelletier/go-toml/v2@v2.2.3
@@ -97,6 +101,7 @@ pkg:golang/github.com/xdg-go/scram@v1.1.2
 pkg:golang/github.com/xdg-go/stringprep@v1.0.4
 pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78
 pkg:golang/github.com/yusufpapurcu/wmi@v1.2.4
+pkg:golang/github.com/zalando/go-keyring@v0.2.6
 pkg:golang/go.mongodb.org/atlas-sdk/v20240530005@v20240530005.0.0
 pkg:golang/go.mongodb.org/atlas-sdk/v20250312006@v20250312006.1.0
 pkg:golang/go.mongodb.org/atlas@v0.38.0

cmd/atlas/atlas.go

@@ -15,27 +15,31 @@
 package main
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"os"
 	"strings"
 
 	"github.com/AlecAivazis/survey/v2/core"
+	"github.com/mongodb/atlas-cli-core/config"
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/cli/commonerrors"
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/cli/root"
-	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/config"
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/config/migrations"
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/telemetry"
 	"github.com/spf13/cobra"
 )
 
 // Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
-func execute(rootCmd *cobra.Command) {
-	ctx := telemetry.NewContext()
+func execute(ctx context.Context, rootCmd *cobra.Command) {
 	// append here to avoid a recursive link on generated docs
 	rootCmd.Long += `
 
 To learn more, see our documentation: https://www.mongodb.com/docs/atlas/cli/stable/connect-atlas-cli/`
 	if cmd, err := rootCmd.ExecuteContextC(ctx); err != nil {
+		err := commonerrors.Check(err)
+		rootCmd.PrintErrln(rootCmd.ErrPrefix(), err)
 		if !telemetry.StartedTrackingCommand() {
 			telemetry.StartTrackingCommand(cmd, os.Args[1:])
 		}
@@ -48,12 +52,27 @@ To learn more, see our documentation: https://www.mongodb.com/docs/atlas/cli/sta
 }
 
 // loadConfig reads in config file and ENV variables if set.
-func loadConfig() error {
-	if err := config.LoadAtlasCLIConfig(); err != nil {
-		return fmt.Errorf("error loading config: %w. Please run `atlas config init` to reconfigure your profile", err)
+func loadConfig() (*config.Profile, error) {
+	// Migrate config to the latest version.
+	migrator := migrations.NewDefaultMigrator()
+	if err := migrator.Migrate(); err != nil {
+		return nil, fmt.Errorf("error migrating config: %w", err)
+	}
+
+	configStore, initErr := config.NewDefaultStore()
+
+	if initErr != nil {
+		return nil, fmt.Errorf("error loading config: %w. Please run `atlas auth login` to reconfigure your profile", initErr)
+	}
+
+	if !configStore.IsSecure() {
+		fmt.Fprintf(os.Stderr, "Warning: Secure storage is not available, falling back to insecure storage\n")
 	}
 
-	return nil
+	profile := config.NewProfile(config.DefaultProfile, configStore)
+	config.SetProfile(profile)
+
+	return profile, nil
 }
 
 func trackInitError(e error, rootCmd *cobra.Command) {
@@ -82,9 +101,18 @@ func main() {
 		core.DisableColor = true
 	}
 
+	// Load config
+	profile, loadProfileErr := loadConfig()
+
 	rootCmd := root.Builder()
 	initTrack(rootCmd)
-	trackInitError(loadConfig(), rootCmd)
+	trackInitError(loadProfileErr, rootCmd)
+
+	// Initialize context, attach
+	// - telemetry
+	// - profile
+	ctx := telemetry.NewContext()
+	config.WithProfile(ctx, profile)
 
-	execute(rootCmd)
+	execute(ctx, rootCmd)
 }

docs/command/atlas-auth-login.txt

@@ -14,6 +14,8 @@ atlas auth login
 
 Authenticate with MongoDB Atlas.
 
+This command allows you to authenticate with MongoDB Atlas using User Account, Service Account, or API Key authentication methods.
+
 Syntax
 ------
 
@@ -46,7 +48,7 @@ Options
    * - --noBrowser
      - 
      - false
-     - Don't try to open a browser session.
+     - Don't automatically open a browser session.
 
 Inherited Options
 -----------------