1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
===========
MongoDB AWS
===========
There are 5 scenarios drivers MUST test:
#. ``Regular Credentials``: Auth via an ``ACCESS_KEY_ID`` and ``SECRET_ACCESS_KEY`` pair
#. ``EC2 Credentials``: Auth from an EC2 instance via temporary credentials assigned to the machine
#. ``ECS Credentials``: Auth from an ECS instance via temporary credentials assigned to the task
#. ``Assume Role``: Auth via temporary credentials obtained from an STS AssumeRole request
#. ``AWS Lambda``: Auth via environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and ``AWS_SESSION_TOKEN``.
For brevity, this section gives the values ``<AccessKeyId>``, ``<SecretAccessKey>`` and ``<Token>`` in place of a valid access key ID, secret access key and session token (also known as a security token). Note that if these values are passed into the URI they MUST be URL encoded. Sample values are below.
.. code-block::
AccessKeyId=AKIAI44QH8DHBEXAMPLE
SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Token=AQoDYXdzEJr...<remainder of security token>
|
.. sectnum::
Regular credentials
======================
Drivers MUST be able to authenticate by providing a valid access key id and secret access key pair as the username and password, respectively, in the MongoDB URI. An example of a valid URI would be:
.. code-block::
mongodb://<AccessKeyId>:<SecretAccessKey>@localhost/?authMechanism=MONGODB-AWS
|
EC2 Credentials
===============
Drivers MUST be able to authenticate from an EC2 instance via temporary credentials assigned to the machine. A sample URI on an EC2 machine would be:
.. code-block::
mongodb://localhost/?authMechanism=MONGODB-AWS
|
.. note:: No username, password or session token is passed into the URI. Drivers MUST query the EC2 instance endpoint to obtain these credentials.
ECS instance
============
Drivers MUST be able to authenticate from an ECS container via temporary credentials. A sample URI in an ECS container would be:
.. code-block::
mongodb://localhost/?authMechanism=MONGODB-AWS
|
.. note:: No username, password or session token is passed into the URI. Drivers MUST query the ECS container endpoint to obtain these credentials.
AssumeRole
==========
Drivers MUST be able to authenticate using temporary credentials returned from an assume role request. These temporary credentials consist of an access key ID, a secret access key, and a security token passed into the URI. A sample URI would be:
.. code-block::
mongodb://<AccessKeyId>:<SecretAccessKey>@localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<Token>
|
AWS Lambda
==========
Drivers MUST be able to authenticate via an access key ID, secret access key and optional session token taken from the environment variables, respectively:
.. code-block::
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
|
Sample URIs both with and without optional session tokens set are shown below. Drivers MUST test both cases.
.. code-block:: bash
# without a session token
export AWS_ACCESS_KEY_ID="<AccessKeyId>"
export AWS_SECRET_ACCESS_KEY="<SecretAccessKey>"
URI="mongodb://localhost/?authMechanism=MONGODB-AWS"
|
.. code-block:: bash
# with a session token
export AWS_ACCESS_KEY_ID="<AccessKeyId>"
export AWS_SECRET_ACCESS_KEY="<SecretAccessKey>"
export AWS_SESSION_TOKEN="<Token>"
URI="mongodb://localhost/?authMechanism=MONGODB-AWS"
|
.. note:: No username, password or session token is passed into the URI. Drivers MUST check the environment variables listed above for these values. If the session token is set Drivers MUST use it.
|
