Docs Menu
Docs Home
/ /

AWS Identity and Access Management

The MONGODB-AWS authentication mechanism uses Amazon Web Services Identity and Access Management (AWS IAM) or AWS Lambda credentials to authenticate a user to MongoDB. You can use this mechanism only when authenticating to MongoDB Atlas.

Tip

Configure Atlas for AWS IAM Authentication

To learn more about configuring MongoDB Atlas for AWS IAM authentication, see Set Up Authentication with AWS IAM in the Atlas documentation.

The code examples on this page use the following placeholders:

  • <hostname>: The network address of your MongoDB Atlas deployment

  • <AWS IAM access key ID>: Your AWS access key ID

  • <AWS IAM secret access key>: Your AWS secret access key

  • <AWS session token>: Your AWS session token

To use the code examples on this page, replace these placeholders with your own values.

Important

Percent-Encoding

You must percent-encode a username and password before you include them in a MongoDB URI. The quote_plus() method, available in the urllib.parse module, is one way to perform this task. For example, calling quote_plus("and / or") returns the string and+%2F+or.

Don't percent-encode the username or password when passing them as arguments to MongoClient.

To use AWS IAM authentication, you must install PyMongo with the aws option, as shown in the following example:

python -m pip install pymongo[aws]

PyMongo uses Boto3, the AWS SDK for Python, to handle credentials. Boto3 tries to retrieve AWS credentials from the following sources, in the order listed:

  1. Named arguments passed to the MongoClient constructor or parameters in the connection string

  2. Environment variables

  3. Shared credentials file

  4. AWS config file

  5. AssumeRole request to the AWS Security Token Service (STS)

  6. AssumeRoleWithWebIdentity request to the AWS STS

  7. Instance metadata service on an Amazon EC2 instance with an IAM role configured

The following sections describe how to use PyMongo to retrieve credentials from these sources and use them to authenticate your application.

First, PyMongo checks whether you passed AWS credentials to the MongoClient constructor, either as a named argument or as part of the connection string. To pass your credentials to MongoClient, set the following connection options:

  • username: The AWS IAM access key ID to authenticate. Percent-encode this value before including it in a connection string.

  • password: The AWS IAM secret access key. Percent-encode this value before including it in a connection string.

  • authMechanism: Set to "MONGODB-AWS".

You can set these options in two ways: by passing arguments to the MongoClient constructor or through parameters in your connection string.

client = pymongo.MongoClient("mongodb+srv://<hostname>",
username="<AWS IAM access key ID>",
password="<AWS IAM secret access key>",
authMechanism="MONGODB-AWS")
uri = ("mongodb+srv://<percent-encoded AWS IAM access key ID>:"
"<percent-encoded AWS IAM secret access key>"
"@<hostname>/?"
"&authMechanism=MONGODB-AWS")
client = pymongo.MongoClient(uri)

If you don't provide a username and password when you construct your MongoClient object, PyMongo tries to retrieve AWS credentials from the following environment variables:

  • AWS_ACCESS_KEY_ID

  • AWS_SECRET_ACCESS_KEY

  • AWS_SESSION_TOKEN

To use these environment variables to authenticate your application, first set them to the AWS IAM values needed for authentication, as shown in the following code example:

export AWS_ACCESS_KEY_ID=<AWS IAM access key ID>
export AWS_SECRET_ACCESS_KEY=<AWS IAM secret access key>
export AWS_SESSION_TOKEN=<AWS session token>

Important

Don't percent-encode the values in these environment variables.

After you set these environment variables, set the authMechanism connection option to "MONGODB-AWS". You can set this option in two ways: by passing an argument to the MongoClient constructor or through a parameter in your connection string.

client = pymongo.MongoClient("mongodb+srv://<hostname>",
authMechanism="MONGODB-AWS")
uri = "mongodb+srv://<hostname>/?&authMechanism=MONGODB-AWS"
client = pymongo.MongoClient(uri)

Tip

AWS Lambda

AWS Lambda runtimes can automatically set these environment variables during initialization. For more information about using environment variables in an AWS Lambda environment, see Using Lambda environment variables in the AWS documentation.

If PyMongo doesn't find AWS credentials in the preceding environment variables, it tries to read them from a shared credentials file.

To use a shared credentials file to authenticate your application, ensure that the file exists in your environment and is configured correctly. To learn how to create a shared credentials file, see Credentials in the Boto3 documentation and Configuration in the AWS documentation.

After you create the shared credentials file, set the authMechanism connection option to "MONGODB-AWS". You can set this option in two ways: by passing an argument to the MongoClient constructor or through a parameter in your connection string.

client = pymongo.MongoClient("mongodb+srv://<hostname>",
authMechanism="MONGODB-AWS")
uri = "mongodb+srv://<hostname>/?&authMechanism=MONGODB-AWS"
client = pymongo.MongoClient(uri)

Tip

To prevent PyMongo from using a shared credentials file for authentication, perform one of the following actions:

  • Set the AWS_SHARED_CREDENTIALS_FILE environment variable to "" in your terminal.

  • Add os.environ["AWS_SHARED_CREDENTIALS_FILE"] = "" to your script or application.

  • Create an AWS profile specifically for your MongoDB credentials. Set the AWS_PROFILE environment variable to the name of the profile you created.

If PyMongo doesn't find credentials in the shared credentials file, it tries to read them from an AWS config file.

To use an AWS config file to authenticate your application, ensure that the file exists in your environment and is configured correctly. To learn how to create an AWS config file, see Credentials in the Boto3 documentation and Configuration in the AWS documentation.

After you create the config file, set the authMechanism connection option to "MONGODB-AWS". You can set this option in two ways: by passing an argument to the MongoClient constructor or through a parameter in your connection string.

client = pymongo.MongoClient("mongodb+srv://<hostname>",
authMechanism="MONGODB-AWS")
uri = "mongodb+srv://<hostname>/?&authMechanism=MONGODB-AWS"
client = pymongo.MongoClient(uri)

Instead of storing AWS credentials in your AWS config file, you can instruct PyMongo to make an AssumeRole request to an AWS STS endpoint. This request returns temporary credentials that your application can use for authentication.

To authenticate with temporary AWS IAM credentials returned by an AssumeRole request, ensure that the AWS config file exists in your environment and is configured correctly. To learn how to create and configure an AWS config file, see Credentials in the Boto3 documentation and Configuration in the AWS documentation.

After you create the config file, set the following connection options:

  • username: The AWS IAM access key ID to authenticate returned by the AssumeRole request. Percent-encode this value before including it in a connection string.

  • password: The AWS IAM secret access key returned by the AssumeRole request. Percent-encode this value before including it in a connection string.

  • authMechanismProperties: Set to AWS_SESSION_TOKEN: and the AWS session token returned by the AssumeRole request.

  • authMechanism: Set to "MONGODB-AWS".

You can set these options in two ways: by passing arguments to the MongoClient constructor or through parameters in your connection string.

Note

If your authMechanismProperties values include a comma, you must use the MongoClient constructor to set your authentication options.

client = pymongo.MongoClient("mongodb+srv://@<hostname>",
username="<AWS IAM access key ID>",
password="<AWS IAM secret access key>",
authMechanismProperties="AWS_SESSION_TOKEN:<AWS session token>",
authMechanism="MONGODB-AWS")
uri = ("mongodb+srv://<percent-encoded AWS IAM access key ID>:"
"<percent-encoded AWS IAM secret access key>"
"@<hostname>/?"
"authMechanismProperties=AWS_SESSION_TOKEN:<AWS session token>"
"&authMechanism=MONGODB-AWS")
client = pymongo.MongoClient(uri)

For more information about using the AssumeRole request to authenticate your application, see the following AWS documentation:

Important

Your application must use pymongo_auth_aws v1.1.0 or later for EKS support.

If your application authenticates users for your EKS cluster from an OpenID Connect (OIDC) identity provider, PyMongo can make an AssumeRoleWithWebIdentity request to exchange the OIDC token for temporary AWS credentials for your application.

To authenticate with temporary AWS IAM credentials returned by an AssumeRoleWithWebIdentity request, ensure that the AWS config file exists in your environment and is configured correctly. To learn how to create and configure an AWS config file, see Credentials in the Boto3 documentation and Configuration in the AWS documentation.

After you configure your environment for an AssumeRoleWithWebIdentity request, set the authMechanism connection option to "MONGODB-AWS". You can set this option in two ways: by passing an argument to the MongoClient constructor or through a parameter in your connection string.

client = pymongo.MongoClient("mongodb+srv://<hostname>",
authMechanism="MONGODB-AWS")
uri = "mongodb+srv://<hostname>/?&authMechanism=MONGODB-AWS"
client = pymongo.MongoClient(uri)

For more information about using an AssumeRoleWithWebIdentity request to authenticate your application, see the following AWS documentation:

If your application runs in an Amazon Elastic Cloud Compute (EC2) instance in an Elastic Container Service (ECS) container, PyMongo can automatically retrieve temporary AWS credentials from an ECS endpoint.

To use temporary credentials from within an EC2 instance, set the authMechanism connection option to "MONGODB-AWS". You can set this option in two ways: by passing an argument to the MongoClient constructor or through a parameter in your connection string.

client = pymongo.MongoClient("mongodb+srv://<hostname>",
authMechanism="MONGODB-AWS")
uri = "mongodb+srv://<hostname>/?&authMechanism=MONGODB-AWS"
client = pymongo.MongoClient(uri)

To learn more about authenticating your application in PyMongo, see the following API documentation:

Back

X.509

On this page