diff --git a/packages/shell-api/src/database.spec.ts b/packages/shell-api/src/database.spec.ts index 03affaef36..d733e01c1e 100644 --- a/packages/shell-api/src/database.spec.ts +++ b/packages/shell-api/src/database.spec.ts @@ -499,6 +499,15 @@ describe('Database', () => { expect(catchedError.code).to.equal(CommonErrors.InvalidArgument); }); + it('throws if password is missing on database other than $external', async() => { + const catchedError = await database.createUser({ + user: 'anna' + }).catch(e => e); + expect(catchedError).to.be.instanceOf(MongoshInvalidInputError); + expect(catchedError.message).to.contain('Missing required property: "roles"'); + expect(catchedError.code).to.equal(CommonErrors.InvalidArgument); + }); + it('throws if createUser option is provided', async() => { const catchedError = await database.createUser({ user: 'anna', 
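Review bot: The new test 'throws if password is missing on database other than $external' never reaches the password check, because it passes only `user: 'anna'` and asserts `Missing required property: "roles"`. It would still pass if the `pwd` requirement were dropped for ordinary databases, which is the regression this test should guard against. Give the document valid roles, e.g. `roles: [{ role: 'root', db: 'admin' }]`, and expect the message to name `"pwd"` instead. The exact wording of that message is inferred from the roles message asserted here, so confirm it against assertKeysDefined.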
@@ -510,6 +519,47 @@ describe('Database', () => {
 expect(catchedError.message).to.contain('Cannot set createUser field in helper method');
 expect(catchedError.code).to.equal(CommonErrors.InvalidArgument);
 });
+
+ context('on $external database', () => {
+ beforeEach(() => {
+ database = new Database(mongo, '$external');
+ });
+
+ it('can create a user without password', async() => {
+ await database.createUser({
+ user: 'CN=Client,OU=Public-Client,O=MongoDB',
+ roles: [
+ { role: 'root', db: 'admin' }
+ ]
+ });
+ expect(serviceProvider.runCommandWithCheck).to.have.been.calledWith(
+ database._name,
+ {
+ createUser: 'CN=Client,OU=Public-Client,O=MongoDB',
+ roles: [
+ { role: 'root', db: 'admin' }
+ ]
+ }
+ );
+ });
+
+ it('throws an error when a password is specified', async() => {
+ try {
+ await database.createUser({
+ user: 'CN=Client,OU=Public-Client,O=MongoDB',
+ pwd: 'nope',
+ roles: [
+ { role: 'root', db: 'admin' }
+ ]
+ });
+ } catch (e) {
+ expect(e).to.be.instanceOf(MongoshInvalidInputError);
+ expect(e.message).to.contain('Cannot set password');
+ return;
+ }
+ expect.fail('Expected error');
+ });
+ });
 });
 describe('updateUser', () => {
 it('calls serviceProvider.runCommandWithCheck on the database with extra fields and no passwordDigestor', async() => {
diff --git a/packages/shell-api/src/database.ts b/packages/shell-api/src/database.ts
index c0201e6ab5..693e6a1c85 100644
--- a/packages/shell-api/src/database.ts
+++ b/packages/shell-api/src/database.ts
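Review bot: The 'throws an error when a password is specified' test checks only the error class and message; unlike the neighbouring createUser tests it does not assert the error code, and it does not verify that nothing was sent to the server. Add `expect(e.code).to.equal(CommonErrors.InvalidArgument);` in the catch block and, assuming the stub is fresh for each test, `expect(serviceProvider.runCommandWithCheck).to.not.have.been.called;` so that a rejected password is shown never to reach the createUser command. The try/catch with `expect.fail` also differs from the `.catch(e => e)` pattern used by the tests above it; using one form would keep the file consistent.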
@@ -334,7 +334,16 @@ export default class Database extends ShellApiClass {
 @returnsPromise
 async createUser(user: Document, writeConcern?: WriteConcern): Promise {
 assertArgsDefined(user);
- assertKeysDefined(user, ['user', 'roles', 'pwd']);
+ assertKeysDefined(user, ['user', 'roles']);
+
+ if (this._name === '$external') {
+ if ('pwd' in user) {
+ throw new MongoshInvalidInputError('Cannot set password for users on the $external database', CommonErrors.InvalidArgument);
+ }
+ } else {
+ assertKeysDefined(user, ['pwd']);
+ }
+
 this._emitDatabaseApiCall('createUser', {});
 if (user.createUser) {
 throw new MongoshInvalidInputError('Cannot set createUser field in helper method', CommonErrors.InvalidArgument);
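Review bot: The `$external` branch has no comment explaining why a password is rejected there, and the rule is not obvious to a reader unfamiliar with external authentication. A line such as `// $external users authenticate via an external mechanism (x.509, LDAP, Kerberos); no password is stored for them` above the `if` would cover it. Note also that `'pwd' in user` rejects a document carrying `pwd: undefined`, which may surprise callers that build the document programmatically; if that is intended, the comment should say so. createUser's body continues outside the hunk, so whether later code (for example password digesting) tolerates a missing `pwd` cannot be confirmed from here and is worth a test with `passwordDigestor` set.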