Set Up Passwordless Authentication with AWS IAM
You can set up a database user to authenticate with an AWS IAM user or role ARN instead of a password. You can then connect to your database using MongoDB drivers and authenticate with that AWS IAM ARN.
Using an AWS IAM role reduces the number of authentication mechanisms and the number of secrets you have to manage. Because AWS IAM authentication does not require a database username or password, it is a passwordless mechanism. The AWS secret access key that stands in for a password is used only to sign the authentication request: it is never sent over the wire to Atlas and is not persisted by the driver, which makes AWS IAM suitable for even the most sensitive deployments.
On AWS Lambda, drivers read the role's temporary credentials from environment variables. On AWS ECS and EC2, drivers fetch them automatically over HTTP from the container credentials endpoint or the Instance Metadata Service. On AWS EKS, you must assign the IAM role to the pod and assume the role yourself. This page describes how AWS Lambda, ECS, EC2, and EKS workloads can connect using an AWS IAM role.
You must assign an IAM role to Lambda, EC2, ECS, or EKS in the AWS console.
If you assign an execution role to the Lambda function, AWS Lambda passes the role's temporary credentials to the function through the following environment variables, which the driver reads automatically:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN
To learn more about these environment variables, see Using AWS Lambda environment variables.
AWS ECS exposes the task role's credentials at the following URI, which the driver fetches automatically:
http://169.254.170.2 followed by the value of AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is an environment variable that ECS sets in the task's containers.
To learn more, see IAM Roles for Tasks.
AWS EC2 exposes the instance role's credentials through Instance Metadata Service V2 (IMDSv2). The driver first requests a session token with a PUT to http://169.254.169.254/latest/api/token, then reads the credentials from the following URL, supplying that token:
http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
To learn more, see Launch an instance with an IAM role.
For AWS EKS, you must associate the IAM role with the pod's service account. EKS then sets the following environment variables in the pod, and you must assume the role manually:
AWS_WEB_IDENTITY_TOKEN_FILE - contains the path to the projected web identity token file.
AWS_ROLE_ARN - contains the ARN of the IAM role to assume.
AWS_ROLE_SESSION_NAME - contains the name applied to this assume-role session.
To assume the role manually:
- Use the AWS SDK to call AssumeRoleWithWebIdentity with the role ARN, session name, and the token read from the token file.
- Pass the returned temporary credentials (access key ID, secret access key, and session token) to the MongoDB driver through the connection URI, using the MONGODB-AWS authentication mechanism.
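The two manual steps above, carried out in Python as an added example (this is not code from the original page or from MongoDB; it uses boto3 for the STS call, a hypothetical Atlas host `cluster0.example.mongodb.net`, and constructed credentials). It reads the three variables EKS sets in the pod, exchanges the projected token for temporary credentials, and builds a MONGODB-AWS connection URI. The access key ID, secret access key, and session token are all percent-encoded, because session tokens routinely contain `/`, `+`, and `=`, which would otherwise break URI parsing.

```python
"""Manual AssumeRoleWithWebIdentity -> MONGODB-AWS connection URI (EKS pods).

Added example; not part of the original page. boto3 is assumed to be
installed for the STS call; the URI builder itself is pure standard library.
"""
import os
from urllib.parse import quote

try:
    import boto3
except ImportError:  # boto3 is only needed for the live STS call
    boto3 = None

# Environment variables EKS sets once an IAM role is associated with the pod.
REQUIRED_ENV = ("AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_ARN", "AWS_ROLE_SESSION_NAME")


def read_irsa_env(env=None):
    """Return the three role variables the pod was started with, or raise.

    A missing variable almost always means the IAM role was never assigned
    to the pod's service account, so fail loudly rather than fall through to
    some other credential source.
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    if missing:
        raise RuntimeError("IAM role not assigned to pod; missing " + ", ".join(missing))
    return {name: env[name] for name in REQUIRED_ENV}


def assume_role_with_web_identity(irsa, sts_client=None):
    """Exchange the projected service-account token for temporary credentials.

    Returns (access_key_id, secret_access_key, session_token). sts_client is
    injectable so the flow can be exercised without network access.
    """
    if sts_client is None:
        if boto3 is None:
            raise RuntimeError("boto3 is required to call STS")
        sts_client = boto3.client("sts")  # assumption: region comes from the pod env
    with open(irsa["AWS_WEB_IDENTITY_TOKEN_FILE"], encoding="utf-8") as fh:
        web_identity_token = fh.read().strip()
    resp = sts_client.assume_role_with_web_identity(
        RoleArn=irsa["AWS_ROLE_ARN"],
        RoleSessionName=irsa["AWS_ROLE_SESSION_NAME"],
        WebIdentityToken=web_identity_token,
    )
    creds = resp["Credentials"]
    return creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"]


def build_mongodb_aws_uri(host, access_key_id, secret_access_key, session_token):
    """Build a mongodb+srv URI that authenticates with MONGODB-AWS.

    The access key ID is the username, the secret access key is the password,
    and the session token travels in authMechanismProperties. All three are
    percent-encoded with no characters marked safe, so '/', '+', '=' and ':'
    cannot be mistaken for URI delimiters.
    """
    def enc(value):
        return quote(value, safe="")

    return (
        f"mongodb+srv://{enc(access_key_id)}:{enc(secret_access_key)}@{host}/"
        "?authSource=$external&authMechanism=MONGODB-AWS"
        f"&authMechanismProperties=AWS_SESSION_TOKEN:{enc(session_token)}"
    )


if __name__ == "__main__":
    # Inside the pod this runs end to end against STS; the resulting URI is
    # handed to the driver, e.g. pymongo.MongoClient(uri).
    irsa = read_irsa_env()
    key_id, secret, token = assume_role_with_web_identity(irsa)
    uri = build_mongodb_aws_uri("cluster0.example.mongodb.net", key_id, secret, token)
    print(uri.replace(quote(secret, safe=""), "<redacted>"))
```

Because the credentials are temporary, re-run the exchange before they expire rather than caching the URI for the life of the pod; the `Expiration` field in the STS response tells you when.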