
IAM Authentication failed to AWS DocumentDB


Following the AWS DocumentDB guide here, I created an IAM user with the following command:

db.createUser(
    {
        user: "arn:aws:iam::<account_id>:user/iam_test_user",
        mechanisms: ["MONGODB-AWS"],
        roles: [ { role: "readWrite", db: "twitter" } ]
    }
);

I granted the user AmazonDocDBFullAccess and AmazonDocDBElasticFullAccess permissions.

Additionally, I generated an access key and secret access key for the user through the AWS console. When attempting to connect using mongosh with the command below, I encounter an authentication error:

mongosh --host 'aws-documentdb-iam-auth.cluster-<random_string>.us-east-1.docdb.amazonaws.com' --port 27017 -u '<access_key>' -p '<access_key_secret>' --authenticationDatabase '$external' --authenticationMechanism 'MONGODB-AWS'

Note: TLS is disabled for testing purposes, but the same error occurs with TLS enabled. Mongosh inputs are URL encoded.

Can anyone help me troubleshoot this authentication issue?

I have followed the DocumentDB IAM auth guide, but IAM auth is not working. I am expecting to authenticate to AWS DocumentDB using IAM auth.

1 Answer

1. Verify IAM User Permissions: Ensure that the IAM user has the required permissions to access the DocumentDB cluster. The policies AmazonDocDBFullAccess and AmazonDocDBElasticFullAccess are broad permissions, but you may need to ensure that the IAM user also has the rds-db:connect permission specifically for your DocumentDB cluster.

2. Correctly Create the MongoDB User in DocumentDB:

When creating the MongoDB user with IAM authentication, ensure that the ARN is correctly specified, and no typos exist:

db.createUser({
    user: "arn:aws:iam::<account_id>:user/iam_test_user",
    mechanisms: ["MONGODB-AWS"],
    roles: [{ role: "readWrite", db: "twitter" }]
});

3. Correct Connection String and Credentials: The connection string you use in the mongosh command should correctly match the cluster endpoint and the credentials should be URL-encoded if necessary.

Make sure you are correctly replacing <access_key> and <access_key_secret> with the IAM user's access key and secret access key. Ensure there are no leading/trailing spaces or typos.

4. Environment Variables (Alternative Method):

Instead of passing credentials directly in the command line, you can use environment variables. This can sometimes resolve issues with how credentials are passed:

export AWS_ACCESS_KEY_ID='<access_key>'
export AWS_SECRET_ACCESS_KEY='<access_key_secret>'

Then use the following command:

mongosh --host 'aws-documentdb-iam-auth.cluster-<random_string>.us-east-1.docdb.amazonaws.com' --port 27017 --authenticationDatabase '$external' --authenticationMechanism 'MONGODB-AWS'

5. Enable TLS:

AWS DocumentDB often requires TLS for connections, even in testing. Try enabling TLS with --tls and provide the --tlsCAFile option with the path to the AWS-provided CA certificate. This ensures the connection is secure and adheres to AWS best practices.

mongosh --host 'aws-documentdb-iam-auth.cluster-<random_string>.us-east-1.docdb.amazonaws.com' --port 27017 --authenticationDatabase '$external' --authenticationMechanism 'MONGODB-AWS' --tls --tlsCAFile rds-combined-ca-bundle.pem

6. IAM Role and Policy Scope:

If the IAM user is associated with an EC2 instance or other AWS service, ensure that the instance's IAM role has the necessary permissions and that the policy allows for IAM authentication to the DocumentDB cluster.

7. Check AWS CLI Version: Ensure you are using an updated version of the AWS CLI and SDKs, as they include the latest features and security updates needed for proper IAM authentication.

8. DocumentDB Cluster Configuration: Verify that your DocumentDB cluster is properly configured for IAM authentication. This setting must be enabled at the cluster level for IAM authentication to work.

9. Review CloudWatch Logs: Review the CloudWatch logs for your DocumentDB cluster for any specific error messages or indications of what might be failing during the connection attempt.

Please follow the document:

https://docs.aws.amazon.com/documentdb/latest/developerguide/iam-identity-auth.html

EXPERT
answered a year ago
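Two of the checks in the answer above (the ARN in db.createUser must match the identity behind the access key, and the key and secret must be URL-encoded in the connection string) are easy to do by hand and easy to get wrong. The helpers below are an added example, not code from the question or the answer; they assume that, for role credentials, DocumentDB expects the IAM role ARN (arn:aws:iam::<account>:role/<name>) while STS reports an assumed-role ARN, and the boto3 STS call is confined to the __main__ block so the helpers run offline.

```python
"""Pre-flight checks for DocumentDB MONGODB-AWS authentication (added example)."""
from urllib.parse import quote_plus, urlencode


def normalize_iam_arn(caller_arn: str) -> str:
    """Map an STS assumed-role ARN to the IAM role ARN form used in db.createUser.

    Assumption: DocumentDB users for roles are created with
    arn:aws:iam::<account>:role/<role>, while sts:GetCallerIdentity returns
    arn:aws:sts::<account>:assumed-role/<role>/<session>. IAM user ARNs pass through.
    """
    prefix = "arn:aws:sts::"
    if caller_arn.startswith(prefix) and ":assumed-role/" in caller_arn:
        account, rest = caller_arn[len(prefix):].split(":assumed-role/", 1)
        role_name = rest.split("/", 1)[0]  # drop the session name
        return f"arn:aws:iam::{account}:role/{role_name}"
    return caller_arn


def identity_matches(caller_arn: str, db_user_arn: str) -> bool:
    """True when the credentials in use belong to the user/role created in DocumentDB."""
    return normalize_iam_arn(caller_arn) == db_user_arn


def build_uri(host: str, access_key: str, secret_key: str, port: int = 27017,
              tls: bool = True, ca_file: str = "rds-combined-ca-bundle.pem") -> str:
    """Build a MONGODB-AWS connection URI; quote_plus encodes '/' and '+' that
    routinely appear in secret keys, and urlencode turns '$external' into '%24external'."""
    params = {"authSource": "$external", "authMechanism": "MONGODB-AWS"}
    if tls:
        params.update({"tls": "true", "tlsCAFile": ca_file})
    return (f"mongodb://{quote_plus(access_key)}:{quote_plus(secret_key)}@{host}:{port}/"
            f"?{urlencode(params)}")


if __name__ == "__main__":
    import boto3  # live check only: resolve the identity behind the configured credentials

    caller = boto3.client("sts").get_caller_identity()["Arn"]
    # placeholder: the ARN you passed to db.createUser
    print("identity matches:", identity_matches(caller, "arn:aws:iam::<account_id>:user/iam_test_user"))
```

The URI returned by build_uri can be passed unchanged to mongosh or to pymongo's MongoClient, so the same encoded credentials are used in both tools.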
