
Atlas AWS auth

MongoDB Atlas Connection String

mongosh "mongodb+srv://<atlas-host-name>/test?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority&authMechanismProperties=AWS_SESSION_TOKEN:$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE&appName=dev-us"
Connection string breakdown:

  • mongodb+srv://<atlas-host-name>/test: The base connection string for the MongoDB Atlas cluster. Replace <atlas-host-name> with the actual host name of your Atlas cluster.
  • test: The default database to connect to. Change it to the database your application uses.
  • ?authSource=%24external: Sets the authentication source to the external mechanism (AWS IAM in this case). %24 is the URL encoding of $, so the driver sees authSource=$external.
  • &authMechanism=MONGODB-AWS: Selects AWS IAM as the authentication mechanism, so no username or password is embedded in the URI.
  • &retryWrites=true: Enables retryable writes.
  • &w=majority: Sets the write concern to "majority".
  • &authMechanismProperties=AWS_SESSION_TOKEN:$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE: Passes the AWS session token to use for authentication.
  • &appName=dev-us: Sets the application name, which Atlas records for audit and logging.
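The following check parses a connection string and flags deviations from the passwordless MONGODB-AWS setup described above (embedded credentials, wrong authSource or mechanism, missing appName). It is an added example, not code from the original page; the DEV-US string is taken from this page, and the second URI is a constructed, hypothetical bad example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed inputs so the check runs stand-alone: the DEV-US string from this page,
# and a hypothetical URI (assumption) that embeds a SCRAM password instead of using IAM.
PAGE_URI = (
    "mongodb+srv://dev-us.zcey4.mongodb.net/?authSource=%24external"
    "&authMechanism=MONGODB-AWS&retryWrites=true&w=majority"
    "&authMechanismProperties=AWS_SESSION_TOKEN:$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"
    "&appName=dev-us"
)
BAD_URI = "mongodb+srv://app:s3cret@example.mongodb.net/test?authMechanism=SCRAM-SHA-256&w=1"


def check_atlas_aws_uri(uri: str) -> dict:
    """Parse a MongoDB connection string and report deviations from the
    passwordless MONGODB-AWS configuration used on this page."""
    parts = urlsplit(uri)
    # parse_qs percent-decodes values, so %24external comes back as $external.
    opts = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    # authMechanismProperties is a comma-separated list of KEY:VALUE pairs.
    props = {}
    for item in filter(None, opts.get("authMechanismProperties", "").split(",")):
        key, _, value = item.partition(":")
        props[key] = value
    problems = []
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        problems.append("unexpected scheme " + parts.scheme)
    if parts.username or parts.password:
        problems.append("embedded credentials in URI; IAM auth should be passwordless")
    if opts.get("authSource") != "$external":
        problems.append("authSource must be $external (URL-encoded as %24external)")
    if opts.get("authMechanism") != "MONGODB-AWS":
        problems.append("authMechanism is %r, expected MONGODB-AWS" % opts.get("authMechanism"))
    if not opts.get("appName"):
        problems.append("appName missing; set it so Atlas logs identify the client")
    if opts.get("w") != "majority":
        problems.append("write concern is %r, expected majority" % opts.get("w"))
    return {
        "host": parts.hostname,
        "database": parts.path.lstrip("/"),
        "auth_source": opts.get("authSource"),
        "auth_mechanism": opts.get("authMechanism"),
        "mechanism_properties": props,
        "app_name": opts.get("appName"),
        "problems": problems,
    }


if __name__ == "__main__":
    for name, uri in (("page", PAGE_URI), ("bad", BAD_URI)):
        print(name, check_atlas_aws_uri(uri)["problems"])
```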

Links:

  • https://www.mongodb.com/docs/atlas/security/aws-iam-authentication/#std-label-passwordless-auth-aws-no-saml
  • https://www.mongodb.com/docs/manual/tutorial/configure-ssl/#std-label-ssl-mongod-ssl-cert-key
  • https://www.mongodb.com/docs/manual/reference/connection-string-options/#std-label-connections-connection-options

MongoDB Atlas - AWS IAM Authentication DEV-US
spring.data.mongodb.uri=mongodb+srv://dev-us.zcey4.mongodb.net/?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority&authMechanismProperties=AWS_SESSION_TOKEN:$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE&appName=dev-us
MongoDB Atlas - AWS IAM Authentication ATnT
spring.data.mongodb.uri=mongodb+srv://atnt-pl-0-us-east-1-lb.bw4zj.mongodb.net/?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority&authMechanismProperties=AWS_SESSION_TOKEN:$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE&appName=ATnT
AWS permission required to assume the role:

eks-auth:AssumeRoleForPodIdentity

Without it, the pod cannot obtain credentials and you will get the following error:

"errorMessage": "User: arn:aws:sts::345594589655:assumed-role/eks_worker_role-us-east-1/i-0aaa9cd51890a6652 is not authorized to perform: eks-auth:AssumeRoleForPodIdentity on resource: arn:aws:eks:us-east-1:345594589655:cluster/atnt-east-prod with an explicit deny in a service control policy"