===========
MongoDB AWS
===========

There are 5 scenarios drivers MUST test:

#. ``Regular Credentials``: Auth via an ``ACCESS_KEY_ID`` and ``SECRET_ACCESS_KEY`` pair
#. ``EC2 Credentials``: Auth from an EC2 instance via temporary credentials assigned to the machine
#. ``ECS Credentials``: Auth from an ECS instance via temporary credentials assigned to the task
#. ``Assume Role``: Auth via temporary credentials obtained from an STS AssumeRole request
#. ``AWS Lambda``: Auth via environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and ``AWS_SESSION_TOKEN``.

For brevity, this section gives the values ``<AccessKeyId>``, ``<SecretAccessKey>`` and ``<Token>`` in place of a valid access key ID, secret access key and session token (also known as a security token). Note that if these values are passed into the URI they MUST be URL encoded. Sample values are below.

.. code-block::

    AccessKeyId=AKIAI44QH8DHBEXAMPLE
    SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    Token=AQoDYXdzEJr...<remainder of security token>
|
.. sectnum::

Regular credentials
======================

Drivers MUST be able to authenticate by providing a valid access key ID and secret access key pair as the username and password, respectively, in the MongoDB URI. An example of a valid URI would be:

.. code-block::

    mongodb://<AccessKeyId>:<SecretAccessKey>@localhost/?authMechanism=MONGODB-AWS
|
EC2 Credentials
===============

Drivers MUST be able to authenticate from an EC2 instance via temporary credentials assigned to the machine. A sample URI on an EC2 machine would be:

.. code-block::

    mongodb://localhost/?authMechanism=MONGODB-AWS
|
.. note:: No username, password or session token is passed into the URI. Drivers MUST query the EC2 instance endpoint to obtain these credentials.

ECS instance
============

Drivers MUST be able to authenticate from an ECS container via temporary credentials. A sample URI in an ECS container would be:

.. code-block::

    mongodb://localhost/?authMechanism=MONGODB-AWS
|
.. note:: No username, password or session token is passed into the URI. Drivers MUST query the ECS container endpoint to obtain these credentials.

AssumeRole
==========

Drivers MUST be able to authenticate using temporary credentials returned from an assume role request. These temporary credentials consist of an access key ID, a secret access key, and a security token passed into the URI. A sample URI would be:

.. code-block::

    mongodb://<AccessKeyId>:<SecretAccessKey>@localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<Token>
|
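
The URL-encoding requirement from the introduction, applied to the Regular credentials and AssumeRole URI forms. This is an added example, not part of the specification: ``build_uri`` and ``parse_credentials`` are hypothetical helper names, the session token value is constructed, and the access key pair is the sample pair shown above.

```python
from urllib.parse import quote, unquote, urlsplit

# Sample pair from this page; the token is a constructed value, not a real one.
ACCESS_KEY_ID = "AKIAI44QH8DHBEXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_TOKEN = "constructed+token/value=="


def build_uri(host, access_key_id=None, secret_access_key=None, session_token=None):
    """Build a MONGODB-AWS URI, percent-encoding every credential component."""
    if (access_key_id is None) != (secret_access_key is None):
        raise ValueError("access key ID and secret access key must be given together")
    userinfo = ""
    if access_key_id is not None:
        # safe="" is required: quote() leaves "/" unencoded by default.
        userinfo = f"{quote(access_key_id, safe='')}:{quote(secret_access_key, safe='')}@"
    uri = f"mongodb://{userinfo}{host}/?authMechanism=MONGODB-AWS"
    if session_token is not None:
        uri += f"&authMechanismProperties=AWS_SESSION_TOKEN:{quote(session_token, safe='')}"
    return uri


def parse_credentials(uri):
    """Recover (access key ID, secret access key, session token) from a URI."""
    parts = urlsplit(uri)
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    token = None
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "authMechanismProperties":
            # Split on the delimiters first, then decode each value.
            for prop in value.split(","):
                name, _, raw = prop.partition(":")
                if name == "AWS_SESSION_TOKEN":
                    token = unquote(raw)
    return user, password, token


if __name__ == "__main__":
    encoded = build_uri("localhost", ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN)
    print(encoded)
    print(parse_credentials(encoded))
    # Unencoded: the "/" in the secret ends the authority early for a generic
    # URL parser, so no username or password is recovered at all.
    raw = f"mongodb://{ACCESS_KEY_ID}:{SECRET_ACCESS_KEY}@localhost/?authMechanism=MONGODB-AWS"
    print(parse_credentials(raw))
```
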
AWS Lambda
==========

Drivers MUST be able to authenticate via an access key ID, secret access key and optional session token taken from the environment variables, respectively:

.. code-block::

    AWS_ACCESS_KEY_ID
    AWS_SECRET_ACCESS_KEY
    AWS_SESSION_TOKEN
|

Sample URIs both with and without optional session tokens set are shown below. Drivers MUST test both cases.

.. code-block:: bash

    # without a session token
    export AWS_ACCESS_KEY_ID="<AccessKeyId>"
    export AWS_SECRET_ACCESS_KEY="<SecretAccessKey>"

    URI="mongodb://localhost/?authMechanism=MONGODB-AWS"
|
.. code-block:: bash

    # with a session token
    export AWS_ACCESS_KEY_ID="<AccessKeyId>"
    export AWS_SECRET_ACCESS_KEY="<SecretAccessKey>"
    export AWS_SESSION_TOKEN="<Token>"

    URI="mongodb://localhost/?authMechanism=MONGODB-AWS"
|
.. note:: No username, password or session token is passed into the URI. Drivers MUST check the environment variables listed above for these values. If the session token is set, Drivers MUST use it.