=========== MongoDB AWS =========== There are 5 scenarios drivers MUST test: #. ``Regular Credentials``: Auth via an ``ACCESS_KEY_ID`` and ``SECRET_ACCESS_KEY`` pair #. ``EC2 Credentials``: Auth from an EC2 instance via temporary credentials assigned to the machine #. ``ECS Credentials``: Auth from an ECS instance via temporary credentials assigned to the task #. ``Assume Role``: Auth via temporary credentials obtained from an STS AssumeRole request #. ``AWS Lambda``: Auth via environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and ``AWS_SESSION_TOKEN``. For brevity, this section gives the values ````, ```` and ```` in place of a valid access key ID, secret access key and session token (also known as a security token). Note that if these values are passed into the URI they MUST be URL encoded. Sample values are below. .. code-block:: AccessKeyId=AKIAI44QH8DHBEXAMPLE SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Token=AQoDYXdzEJr... | .. sectnum:: Regular credentials ====================== Drivers MUST be able to authenticate by providing a valid access key id and secret access key pair as the username and password, respectively, in the MongoDB URI. An example of a valid URI would be: .. code-block:: mongodb://:@localhost/?authMechanism=MONGODB-AWS | EC2 Credentials =============== Drivers MUST be able to authenticate from an EC2 instance via temporary credentials assigned to the machine. A sample URI on an EC2 machine would be: .. code-block:: mongodb://localhost/?authMechanism=MONGODB-AWS | .. note:: No username, password or session token is passed into the URI. Drivers MUST query the EC2 instance endpoint to obtain these credentials. ECS instance ============ Drivers MUST be able to authenticate from an ECS container via temporary credentials. A sample URI in an ECS container would be: .. code-block:: mongodb://localhost/?authMechanism=MONGODB-AWS | .. note:: No username, password or session token is passed into the URI. Drivers MUST query the ECS container endpoint to obtain these credentials. AssumeRole ========== Drivers MUST be able to authenticate using temporary credentials returned from an assume role request. These temporary credentials consist of an access key ID, a secret access key, and a security token passed into the URI. A sample URI would be: .. code-block:: mongodb://:@localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN: | AWS Lambda ========== Drivers MUST be able to authenticate via an access key ID, secret access key and optional session token taken from the environment variables, respectively: .. code-block:: AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN | Sample URIs both with and without optional session tokens set are shown below. Drivers MUST test both cases. .. code-block:: bash # without a session token export AWS_ACCESS_KEY_ID="" export AWS_SECRET_ACCESS_KEY="" URI="mongodb://localhost/?authMechanism=MONGODB-AWS" | .. code-block:: bash # with a session token export AWS_ACCESS_KEY_ID="" export AWS_SECRET_ACCESS_KEY="" export AWS_SESSION_TOKEN="" URI="mongodb://localhost/?authMechanism=MONGODB-AWS" | .. note:: No username, password or session token is passed into the URI. Drivers MUST check the environment variables listed above for these values. If the session token is set Drivers MUST use it.