
IAM authentication to DocumentDB

0

Hi - I'm following the following sample: https://github.com/aws-samples/amazon-documentdb-samples/tree/master/samples/iam_user_sample_code

I have gotten the example to work for the mongo shell:

    mongo --version
    MongoDB shell version v5.0.30
    Build Info: { "version": "5.0.30", "gitVersion": "966efda23d779a86c76c34e1b13e561d68f2bb37", "openSSLVersion": "OpenSSL 1.0.2k-fips 26 Jan 2017", "modules": [], "allocator": "tcmalloc", "environment": { "distmod": "amazon", "distarch": "x86_64", "target_arch": "x86_64" } }

However, I want to use the latest mongo shell:

    mongosh --version
    2.3.4

With mongo there is NO issue with authentication for both User and Role based tests. However, with mongosh I receive "MongoServerError: Authentication failed." The only change I made was changing mongo to be mongosh. Any guidance on getting this to work would be appreciated.

Thanks

asked a year ago, 895 views
1 Answer
0

The issue you're experiencing with mongosh (MongoDB Shell version 2.3.4) not working for IAM authentication while the older mongo shell (version 5.0.30) works is likely due to differences in how these versions handle the MONGODB-AWS authentication mechanism.

To resolve this issue and use IAM authentication with the latest mongosh, you need to make a few adjustments:

  1. Ensure you have the latest version of mongosh installed.

  2. When connecting, you need to explicitly specify the authentication mechanism and source. Modify your connection string to include the following parameters:

    • authMechanism=MONGODB-AWS
    • authSource=$external
  3. Make sure you have the AWS CLI configured with the correct credentials or that you're running in an environment with the appropriate IAM role attached (e.g., EC2 instance with an IAM role).

  4. Your connection string should look something like this:

    mongosh 'mongodb://<your-docdb-endpoint>:27017/?authMechanism=MONGODB-AWS&authSource=$external'

  5. If you're passing credentials explicitly (not recommended for production use), the format would be:

    mongosh 'mongodb://<ACCESS_KEY>:<SECRET_KEY>@<your-docdb-endpoint>:27017/?authMechanism=MONGODB-AWS&authSource=$external'

  6. Remember to use TLS/SSL when connecting to Amazon DocumentDB. You may need to include the tls=true and tlsCAFile parameters in your connection string, pointing to the Amazon DocumentDB certificate file.

If you're still encountering issues after making these changes, double-check your IAM permissions and ensure that your IAM user or role has the necessary permissions to access the DocumentDB cluster.

Also, verify that your Amazon DocumentDB cluster is running version 5.0 or later, as IAM authentication is only supported in these versions.

By following these steps, you should be able to successfully authenticate to Amazon DocumentDB using IAM with the latest mongosh version.
Sources
Authentication using IAM identity - Amazon DocumentDB
Use IAM authentication with Amazon DocumentDB (with MongoDB compatibility) | AWS Database Blog
Amazon DocumentDB announces IAM database authentication - AWS

answered a year ago
  • Here are the 2 command strings I used:

    # Authentication failure
    mongosh 'mongodb://<ACCESS_KEY>:<SECRET_KEY>@<your-docdb-endpoint>:27017/allowed_db_1?authSource=%24external&authMechanism=MONGODB-AWS' --tlsCAFile global-bundle.pem --tls

    # Authentication Success
    mongo 'mongodb://<ACCESS_KEY>:<SECRET_KEY>@<your-docdb-endpoint>:27017/allowed_db_1?authSource=%24external&authMechanism=MONGODB-AWS' --tlsCAFile global-bundle.pem --tls

    The same holds true for Role based authentication.
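As an added example (not code from the question, the answer or the AWS sample repository), here is a small Python helper that builds the MONGODB-AWS connection URI the answer describes, with the secret key and `$external` percent-encoded the way the comment above does, and a checker that reports missing or wrong parameters (including an `authSource` that a double-quoted shell string has expanded to nothing). The endpoint, the example keys, port 27017 and the `global-bundle.pem` file name are assumptions.

```python
"""Build and sanity-check an Amazon DocumentDB IAM (MONGODB-AWS) connection URI.

Added example; not code from the question, the answer or the AWS sample repo.
Assumes the default port 27017 and the CA bundle file name global-bundle.pem.
"""
from urllib.parse import parse_qs, quote, urlsplit


def build_docdb_iam_uri(endpoint, database="", access_key=None, secret_key=None,
                        session_token=None, ca_file="global-bundle.pem"):
    """Return a mongodb:// URI for IAM authentication against DocumentDB.

    Embedding keys is optional: with no userinfo, mongosh or the driver resolves
    the credentials from the environment or the attached instance/task role.
    """
    userinfo = ""
    if access_key and secret_key:
        # safe="" so '/', '+' and '=' (common in secret keys) are percent-encoded
        userinfo = f"{quote(access_key, safe='')}:{quote(secret_key, safe='')}@"
    params = [
        ("authMechanism", "MONGODB-AWS"),
        ("authSource", "$external"),   # emitted as %24external: safe under any shell quoting
        ("tls", "true"),
        ("tlsCAFile", ca_file),
    ]
    if session_token:  # temporary (STS / assumed-role) credentials need the token too
        params.append(("authMechanismProperties", "AWS_SESSION_TOKEN:" + session_token))
    query = "&".join(f"{key}={quote(value, safe=':')}" for key, value in params)
    return f"mongodb://{userinfo}{endpoint}:27017/{database}?{query}"


def check_docdb_iam_uri(uri):
    """Return a list of problems with an IAM URI; an empty list means it looks right."""
    parts = urlsplit(uri)
    # parse_qs drops empty values, so 'authSource=' (a shell that expanded
    # $external to an empty string) shows up here as a missing parameter.
    query = {key: values[-1] for key, values in parse_qs(parts.query).items()}
    problems = []
    if parts.scheme != "mongodb":
        problems.append("scheme must be mongodb://")
    if query.get("authMechanism") != "MONGODB-AWS":
        problems.append("authMechanism must be MONGODB-AWS")
    if query.get("authSource") != "$external":
        problems.append("authSource must be $external "
                        "(write it as %24external or single-quote the URI in the shell)")
    if query.get("tls") != "true":
        problems.append("tls=true is required for DocumentDB")
    if (parts.username is None) != (parts.password is None):
        problems.append("access key and secret key must be given together")
    return problems
```

The keys used in the test are the placeholder credentials from the AWS documentation, not real ones.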
