DocumentDB Elastic db.createUser() failing in $external

Question

Hi, I'm trying to create a iam role user in documentdb elastic with mongo shell version v5.0.31(via ssh tunnel) but I'm getting error. Creating a local user on another database has no issue. Does anyone have an idea what could I be missing?

```
$ mongo --tls --username clusteradmin --password --host documentdb-3773784848943.up-north-1.docdb-elastic.amazonaws.com --tlsCAFile global-bundle.pem --tlsAllowInvalidCertificates
MongoDB shell version v5.0.31
Enter password: 
connecting to: mongodb://documentdb-3773784848943.up-north-1.docdb-elastic.amazonaws.com:27017/?compressors=disabled&gssapiServiceName=mongodb
{"t":{"$date":"2025-05-17T11:14:27.319Z"},"s":"I",  "c":"NETWORK",  "id":5490002, "ctx":"thread4","msg":"Started a new thread for the timer service"}
{"t":{"$date":"2025-05-17T11:14:27.493Z"},"s":"W",  "c":"NETWORK",  "id":23235,   "ctx":"js","msg":"SSL peer certificate validation failed","attr":{"reason":"unable to get local issuer certificate"}}
Implicit session: session { "id" : UUID("2f0dd123-d123-1234-2341-dd1234dbfaa6") }
MongoDB server version: 5.0.0
================
Warning: the "mongo" shell has been superseded by "mongosh",
which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
an upcoming release.
For installation instructions, see
https://docs.mongodb.com/mongodb-shell/install/
================
mongos> use $external;
switched to db $external
mongos> db.createUser(
...     {
...         user: "arn:aws:iam::396604158966:role/docdb_conntest_role",
...         mechanisms: ["MONGODB-AWS"],
...         roles: [ { role: "dbOwner", db: "conntestdb" } ]
...     }
... );
uncaught exception: Error: couldn't add user: Database name {$external} contains one or more invalid characters. Unsupported Characters are {[/\."$*<>:|? ]} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createUser@src/mongo/shell/db.js:1367:11
@(shell):1:1
```

re:Post Agent · Answer

The error you're encountering suggests that there might be some limitations or differences in how IAM authentication is implemented in DocumentDB Elastic compared to the standard DocumentDB.

For DocumentDB Elastic clusters, the process of creating IAM users might be different. Instead of using the `$external` database, you may need to create the IAM user directly in the database where you want to grant permissions.

Try the following approach:

1. Connect to your cluster as you did before.

2. Switch to the database where you want to grant permissions (in your case, "conntestdb"):

```
   use conntestdb
   ```

3. Then create the user with the IAM role:

```
   db.createUser(
       {
           user: "arn:aws:iam::396604158966:role/docdb_conntest_role",
           mechanisms: ["MONGODB-AWS"],
           roles: [ { role: "dbOwner", db: "conntestdb" } ]
       }
   )
   ```

If this doesn't work, you might need to consult the specific documentation for DocumentDB Elastic or contact AWS support, as the IAM authentication process might differ from the standard DocumentDB implementation.

Also, ensure that:

1. Your IAM role has the necessary permissions to access the DocumentDB cluster.
2. The cluster's security group allows incoming connections from your IP address.
3. You're using the latest version of the MongoDB shell that's compatible with DocumentDB Elastic.

If you continue to face issues, you may want to try using the AWS CLI or SDK to manage IAM authentication for your DocumentDB Elastic cluster, as these methods might be more reliably supported.  
**Sources**  
[Authentication using IAM identity - Amazon DocumentDB](https://docs.aws.amazon.com/documentdb/latest/developerguide/iam-identity-auth.html)  
[Managing Amazon DocumentDB users - Amazon DocumentDB](https://docs.aws.amazon.com/documentdb/latest/developerguide/security.managing-users.html)

DocumentDB Elastic db.createUser() failing in $external

Ajoutez votre réponse

Contenus pertinents