
IAM authentication to DocumentDB


Hi - I'm following the following sample: https://github.com/aws-samples/amazon-documentdb-samples/tree/master/samples/iam_user_sample_code

I have gotten the example to work for the mongo shell:

    mongo --version
    MongoDB shell version v5.0.30
    Build Info: {
        "version": "5.0.30",
        "gitVersion": "966efda23d779a86c76c34e1b13e561d68f2bb37",
        "openSSLVersion": "OpenSSL 1.0.2k-fips 26 Jan 2017",
        "modules": [],
        "allocator": "tcmalloc",
        "environment": {
            "distmod": "amazon",
            "distarch": "x86_64",
            "target_arch": "x86_64"
        }
    }

However, I want to use the latest mongo shell:

    mongosh --version
    2.3.4

With mongo there is NO issue with authentication for both User and Role based tests. However, with mongosh I receive "MongoServerError: Authentication failed." The only change I made was changing mongo to mongosh. Any guidance on getting this to work would be appreciated.

Thanks

1 answer

The issue you're experiencing with mongosh (MongoDB Shell version 2.3.4) not working for IAM authentication while the older mongo shell (version 5.0.30) works is likely due to differences in how these versions handle the MONGODB-AWS authentication mechanism.

To resolve this issue and use IAM authentication with the latest mongosh, you need to make a few adjustments:

  1. Ensure you have the latest version of mongosh installed.

  2. When connecting, you need to explicitly specify the authentication mechanism and source. Modify your connection string to include the following parameters:

     • authMechanism=MONGODB-AWS
     • authSource=$external

  3. Make sure you have the AWS CLI configured with the correct credentials or that you're running in an environment with the appropriate IAM role attached (e.g., EC2 instance with an IAM role).

  4. Your connection string should look something like this (single quotes keep the shell from expanding $external):

         mongosh 'mongodb://<your-docdb-endpoint>:27017/?authMechanism=MONGODB-AWS&authSource=$external'

  5. If you're passing credentials explicitly (not recommended for production use), the format would be:

         mongosh 'mongodb://<ACCESS_KEY>:<SECRET_KEY>@<your-docdb-endpoint>:27017/?authMechanism=MONGODB-AWS&authSource=$external'

  6. Remember to use TLS/SSL when connecting to Amazon DocumentDB. You may need to include the tls=true and tlsCAFile parameters in your connection string, pointing to the Amazon DocumentDB certificate file.

If you're still encountering issues after making these changes, double-check your IAM permissions and ensure that your IAM user or role has the necessary permissions to access the DocumentDB cluster.

Also, verify that your Amazon DocumentDB cluster is running version 5.0 or later, as IAM authentication is only supported in these versions.

By following these steps, you should be able to successfully authenticate to Amazon DocumentDB using IAM with the latest mongosh version.
Sources:

  • Authentication using IAM identity - Amazon DocumentDB
  • Use IAM authentication with Amazon DocumentDB (with MongoDB compatibility) | AWS Database Blog
  • Amazon DocumentDB announces IAM database authentication - AWS

Answered 1 year ago

  • Here are the 2 command strings I used:

        # Authentication failure
        mongosh 'mongodb://<ACCESS_KEY>:<SECRET_KEY>@<your-docdb-endpoint>:27017/allowed_db_1?authSource=%24external&authMechanism=MONGODB-AWS' --tlsCAFile global-bundle.pem --tls

        # Authentication Success
        mongo 'mongodb://<ACCESS_KEY>:<SECRET_KEY>@<your-docdb-endpoint>:27017/allowed_db_1?authSource=%24external&authMechanism=MONGODB-AWS' --tlsCAFile global-bundle.pem --tls

    The same holds true for Role based authentication.
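As an added example (not code from this thread, the AWS sample repository, or AWS itself), here is a small POSIX shell helper that assembles the connection string from steps 2, 4, 5 and 6 of the answer and then verifies that every required parameter actually reached the URI. It covers the two pitfalls visible in the thread: `$external` written inside double quotes is expanded by the shell to an empty value before mongosh sees it (the follow-up comment sidesteps this with single quotes and `%24external`), and access keys embedded in a URI must be percent-encoded, since AWS secret keys can contain `/` and `+`. The endpoint, database and key values passed to these functions in the usage note and comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the re:Post thread or the AWS sample code.
# Builds the DocumentDB IAM (MONGODB-AWS) connection string for mongosh and
# checks it. All host, database and key values are placeholders.

# Percent-encode the characters MongoDB requires encoded in the username and
# password part of a URI. AWS secret access keys routinely contain '/' and
# '+', which otherwise break URI parsing. '%' is encoded first so the escapes
# added afterwards are not re-encoded.
urlencode_userinfo() {
  printf '%s' "$1" | sed -e 's/%/%25/g' -e 's,/,%2F,g' -e 's/+/%2B/g' \
    -e 's/=/%3D/g' -e 's/@/%40/g' -e 's/:/%3A/g'
}

# Connection string that relies on the ambient AWS identity: MONGODB-AWS reads
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN from the
# environment, or the EC2 instance / ECS task role, so no secret appears in the
# URI or the shell history. authSource is written as %24external so it cannot
# be mangled by shell expansion. Arguments: endpoint, database.
docdb_iam_uri() {
  printf 'mongodb://%s:27017/%s?authSource=%%24external&authMechanism=MONGODB-AWS&tls=true' "$1" "$2"
}

# Variant with explicit keys in the URI (the answer's step 5), both
# percent-encoded before insertion. Arguments: key id, secret, endpoint, database.
docdb_iam_uri_with_keys() {
  printf 'mongodb://%s:%s@%s:27017/%s?authSource=%%24external&authMechanism=MONGODB-AWS&tls=true' \
    "$(urlencode_userinfo "$1")" "$(urlencode_userinfo "$2")" "$3" "$4"
}

# Returns 0 when the URI carries every parameter the answer lists, 1 otherwise,
# naming the first problem on stderr. The "empty authSource" case is what a
# double-quoted "...authSource=$external" produces: the shell substitutes an
# unset $external with nothing before mongosh ever sees the string.
check_docdb_iam_uri() {
  uri="$1"
  case "$uri" in
    *authSource=%24external*|*'authSource=$external'*) ;;
    *"authSource=&"*|*authSource=) echo "authSource is empty: \$external was expanded by the shell" >&2; return 1 ;;
    *) echo "missing authSource=\$external" >&2; return 1 ;;
  esac
  case "$uri" in
    *authMechanism=MONGODB-AWS*) ;;
    *) echo "missing authMechanism=MONGODB-AWS" >&2; return 1 ;;
  esac
  case "$uri" in
    *tls=true*) ;;
    *) echo "missing tls=true (DocumentDB requires TLS)" >&2; return 1 ;;
  esac
  return 0
}
```

Usage: `uri=$(docdb_iam_uri cluster-placeholder.docdb.amazonaws.com allowed_db_1) && check_docdb_iam_uri "$uri" && mongosh "$uri" --tlsCAFile global-bundle.pem`. Because the helper emits `%24external` rather than a literal `$`, the URI can safely be passed inside double quotes, and with the keyless form the credentials come from the environment or instance role instead of the command line.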
