@@ -189,59 +189,105 @@ username and password to authenticate your user.
189189
190190.. important::
191191
192- The MONGODB-AWS authentication mechanism is only available in MongoDB
192+ The MONGODB-AWS authentication mechanism is available only in MongoDB
193193 versions 4.4 and later.
194194
195195The ``MONGODB-AWS`` authentication mechanism uses your Amazon Web Services
196196Identity and Access Management (AWS IAM) credentials to authenticate your
197197user.
198198
199- To specify the ``MONGODB-AWS`` authentication mechanism, perform the
200- following:
199+ To connect to a MongoDB instance with ``MONGODB-AWS`` authentication enabled,
200+ specify the ``MONGODB-AWS`` authentication mechanism.
201201
202- - Assign the ``AuthMechanism`` option the value ``MONGODB-AWS``
203- - Assign the ``Username`` option the value of your ``accessKeyID``
204- - Assign the ``Password`` option the value of your ``secretAccessKey``
202+ The driver checks for your credentials in the following sources in the order
203+ they are listed:
205204
206- .. code-block:: go
207- :emphasize-lines: 3, 5-6
205+ 1. Connection string
206+ #. Environment variables
207+ #. Web identity token file
208+ #. AWS ECS endpoint specified in the ``AWS_CONTAINER_CREDENTIALS_RELATIVE_URI``
209+ environment variable
210+ #. AWS EC2 endpoint. For more information, see `IAM Roles for Tasks
211+ <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html>`_.
208212
209- var accessKeyID, secretAccessKey string
210- awsCredential := options.Credential{
211- AuthMechanism: "MONGODB-AWS",
212- AuthSource: "<authenticationDb>",
213- Username: "<accessKeyID>",
214- Password: "<secretAccessKey>",
215- }
216- awsIAMClient, err := mongo.Connect(
217- context.TODO(),
218- options.Client().SetAuth(awsCredential))
219- if err != nil {
220- panic(err)
221- }
222- _ = awsIAMClient
213+ .. important::
214+
215+ The driver obtains the credentials only from the first source in which they are found.
216+ For example, if you specify your AWS credentials in the connection string, the
217+ driver ignores any credentials that you have specified in environment variables.
223218
224- If you need to specify an AWS session token, use the temporary
225- credentials returned from an assume role request.
219+ .. tabs::
226220
227- To use temporary credentials, assign the ``AuthMechanismProperties``
228- option the value of your ``sessionToken``:
221+ .. tab:: Connection String
222+ :tabid: connection string
229223
230- .. code-block:: go
231- :emphasize-lines: 7-9
224+ .. tip::
232225
233- var sessionToken string
234- assumeRoleCredential := options.Credential{
235- AuthMechanism: "MONGODB-AWS",
236- AuthSource: "<authenticationDb>",
237- Username: "<accessKeyID>",
238- Password: "<secretAccessKey>",
239- AuthMechanismProperties: map[string]string{
240- "AWS_SESSION_TOKEN": "<sessionToken>",
241- },
242- }
243- assumeRoleClient, err := mongo.Connect(context.TODO(),
244- options.Client().SetAuth(assumeRoleCredential))
226+ The following examples set the appropriate credentials by using the ``SetAuth()``
227+ method. You can also specify these credentials by using the ``ApplyURI()``
228+ method. If you use the ``ApplyURI()`` method you must URL encode the username
229+ and password to ensure they are correctly parsed.
230+
231+ To connect to your MongoDB instance using your AWS IAM credentials, perform the
232+ following steps:
233+
234+ - Assign the ``AuthMechanism`` option the value ``MONGODB-AWS``
235+ - Assign the ``Username`` option the value of your ``accessKeyID``
236+ - Assign the ``Password`` option the value of your ``secretAccessKey``
237+
238+ .. literalinclude:: /includes/fundamentals/code-snippets/authentication/aws-connection-string.go
239+ :language: go
240+
241+ If you need to specify an AWS session token, use the temporary
242+ credentials returned from an `assume role request <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html>`__.
243+
244+ To use temporary credentials, assign the value of your ``sessionToken`` to
245+ the ``AuthMechanismProperties`` option:
246+
247+ .. literalinclude:: /includes/fundamentals/code-snippets/authentication/aws-connection-string-session-token.go
248+ :language: go
249+
250+ .. tab:: Environment Variables
251+ :tabid: environment variables
252+
253+ To authenticate to your MongoDB instance using AWS credentials stored in
254+ environment variables, use a shell to set the variables as follows:
255+
256+ .. code-block:: bash
257+
258+ export AWS_ACCESS_KEY_ID=<awsKeyId>
259+ export AWS_SECRET_ACCESS_KEY=<awsSecretKey>
260+ export AWS_SESSION_TOKEN=<awsSessionToken>
261+
262+ .. note::
263+
264+ If you don't need an AWS session token for the role you're
265+ authenticating with, omit the line containing ``AWS_SESSION_TOKEN`` .
266+
267+ After you've set the preceding environment variables, specify the ``MONGODB-AWS``
268+ authentication mechanism as shown in the following example:
269+
270+ .. literalinclude:: /includes/fundamentals/code-snippets/authentication/aws-environment-variables.go
271+ :language: go
272+
273+ .. tab:: Web Identity Token File
274+ :tabid: web-identity-token-file
275+
276+ You can use the OpenID Connect (OIDC) token obtained from a web identity provider to authenticate
277+ to Amazon Elastic Kubernetes Service (EKS) or other services.
278+ To use an OIDC token, create a file that contains your token, then
279+ set the absolute path to this file in an environment variable by using
280+ a shell as shown in the following example:
281+
282+ .. code-block:: bash
283+
284+ export AWS_WEB_IDENTITY_TOKEN_FILE=<absolute path to file containing your OIDC token>
285+
286+ After you've set the preceding environment variable, specify the ``MONGODB-AWS``
287+ authentication mechanism as shown in the following example:
288+
289+ .. literalinclude:: /includes/fundamentals/code-snippets/authentication/aws-environment-variables.go
290+ :language: go
245291
246292.. _golang-x509:
247293
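Review bot: In the credential-source list, the "IAM Roles for Tasks" link (`docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html`) is attached to item 5, "AWS EC2 endpoint", but it documents ECS task roles, which belong to item 4, the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` source; either move the "For more information" sentence to item 4 or point item 5 at the EC2 instance-profile documentation, so readers configuring an EC2 instance role are not sent to the ECS page. Two smaller points: the new tab ids are inconsistent (`:tabid: connection string` and `:tabid: environment variables` contain spaces while `:tabid: web-identity-token-file` is hyphenated; since tab ids end up in URL fragments, use the hyphenated form throughout), and the note in the Environment Variables tab has a stray space before its period in "``AWS_SESSION_TOKEN`` .". Also worth confirming that the Web Identity Token File tab intentionally reuses `aws-environment-variables.go` rather than a dedicated snippet, since a reader may expect the included code to differ between the two tabs.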