In this article, we will walk through how to set up the MongoDB AWS IAM passwordless authentication mechanism to connect to your MongoDB Atlas cluster.
MongoDB introduced the MONGODB-AWS authentication mechanism in MongoDB version 4.4 and above. It uses your Amazon Web Services IAM (Identity and Access Management) credentials to authenticate your user.
The connection string for the MONGODB-AWS mechanism is generated with a security token for which you can define the time to live. This way you can ensure that the access is limited in time and cannot be taken advantage of for anything else.
When you pass a connection string for MONGODB-AWS, the driver will seamlessly use the temporary credentials for you. It is also designed for the most sensitive security situations: the secret key is never sent directly to the MongoDB Atlas cluster, and it is never persisted by the driver.
Configure AWS environment
- Set up a VPC in AWS so that you can launch an instance in it and use it to connect to the MongoDB Atlas cluster.
- Next, launch an instance in the same VPC and install the MongoDB client.
- Create an IAM role and attach it to this instance so that you can use the role to configure MongoDB-AWS IAM authentication and connect to the database from the instance.
- Copy the ARN of the role you created so that you can start setting up MongoDB.
Configure MongoDB Atlas
- In the MongoDB Atlas dashboard, go to Database Access under Security and choose Add New Database User.
- Choose AWS IAM, select the AWS IAM type as IAM Role, paste the ARN you copied in Step 4 in the associated field and click Add user.
- Now let's try connecting to our MongoDB. Go to the Database section and click on Connect.
- If you choose to connect your application to your cluster using MongoDB's native drivers, you will see a connection string format and notice that it has an AWS_SESSION_TOKEN at the end. This is part of the temporary credentials that will be required when you try connecting to MongoDB. Read the discussion here for more info.
- Since you have an EC2 role assigned to the instance, you don't need to pass the temporary credentials manually. It will be done automatically when you connect to the MongoDB cluster using the Mongo client. SSH into your instance and simply run the connection command shown above after replacing db_url with the appropriate value to connect to your Atlas cluster.
- If you want to connect to your Atlas cluster from elsewhere, make sure you have the required permission to generate a session token and then run:
aws sts get-session-token --duration-seconds 900
This will generate temporary credentials which you can use for a fixed time (here, 900 seconds) to connect to your cluster. Make sure to change the IAM Role ARN appropriately before you run the command (Step 2).
- After you generate the credentials, replace the values <AWS access key>, <AWS secret key> and <session token (for AWS IAM Roles)> in the command below with the values from the previous step.
mongosh "mongodb+srv://<your_db_url>/?authSource=%24external&authMechanism=MONGODB-AWS" --apiVersion 1 --username <AWS access key> --password <AWS secret key> --awsIamSessionToken <session token (for AWS IAM Roles)>
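If you would rather hand a driver a single connection URI than pass the three values on the mongosh command line, the credentials must be percent-encoded, because AWS secret keys and session tokens routinely contain `/`, `+` and `=`. The following script is an added example written for this article, not code from MongoDB or AWS; it reads a constructed `aws sts get-session-token` response (placeholder values, not real credentials), refuses to use it once its Expiration has passed, and builds the MONGODB-AWS URI with the session token in `authMechanismProperties`. The host name is an assumed placeholder.

```python
"""Build a MONGODB-AWS connection URI from an STS get-session-token response."""
import json
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import quote

# Constructed sample shaped like `aws sts get-session-token --duration-seconds 900`
# output. These are placeholder values, not real credentials.
STS_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY123456",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEBYaDEXAMPLE/TOKEN+WITH=SLASHES==",
        "Expiration": "2030-01-01T00:15:00+00:00",
    }
})

def parse_sts_credentials(raw_json: str) -> dict:
    """Extract the temporary credential fields from the STS JSON document."""
    creds = json.loads(raw_json)["Credentials"]
    keys = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    return {k: creds[k] for k in keys}

def credentials_still_valid(creds: dict, now: Optional[datetime] = None) -> bool:
    """Return False once the STS Expiration timestamp has passed."""
    # STS may emit a trailing 'Z'; normalise it so fromisoformat accepts it.
    exp = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return now < exp

def build_mongodb_aws_uri(host: str, creds: dict) -> str:
    """Percent-encode each credential and place it where the MONGODB-AWS URI expects it."""
    if not credentials_still_valid(creds):
        raise ValueError("STS credentials have expired; request a new session token")
    # safe="" also encodes '/', which quote() would otherwise leave untouched.
    user = quote(creds["AccessKeyId"], safe="")
    password = quote(creds["SecretAccessKey"], safe="")
    token = quote(creds["SessionToken"], safe="")
    return (
        f"mongodb+srv://{user}:{password}@{host}/"
        "?authSource=%24external&authMechanism=MONGODB-AWS"
        f"&authMechanismProperties=AWS_SESSION_TOKEN:{token}"
    )

if __name__ == "__main__":
    creds = parse_sts_credentials(STS_RESPONSE)
    # Hypothetical cluster host; replace with your own Atlas host name.
    print(build_mongodb_aws_uri("cluster0.example.mongodb.net", creds))
```

Pipe the real STS output into `parse_sts_credentials` and pass the resulting URI to your driver; the credentials stay out of shell history and off the command line.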
Great job! You can now access your MongoDB Atlas cluster using the AWS IAM passwordless mechanism.
See you in the next article.