Set Up Passwordless Authentication with AWS IAM

You can create a database user that authenticates with the ARN of an AWS IAM user or role, and connect from mongosh and the drivers as that identity. Using an AWS IAM role reduces the number of authentication mechanisms and the number of secrets you have to manage. When the IAM role is assigned to the compute environment, the driver obtains temporary credentials from that environment, so the connection string needs no username or password; that is what makes the mechanism passwordless. The secret access key is used only to sign the authentication request locally: it is never sent over the wire to Atlas and is not persisted by the driver, which makes AWS IAM authentication suitable for even the most sensitive environments.

For AWS Lambda, ECS, and EC2, the drivers obtain the credentials automatically, from environment variables (Lambda) or from the credential endpoints reachable over HTTP (ECS and EC2). For AWS EKS, you must assume the IAM role yourself and pass the resulting credentials to the driver. This page describes how workloads on AWS Lambda, AWS ECS, AWS EC2, and AWS EKS connect using an AWS IAM role.

Note

Before any of the following works, you must assign an IAM role to the Lambda function, EC2 instance, ECS task, or EKS pod in the AWS console.

AWS Lambda passes temporary credentials to the function through the following environment variables when an execution role is assigned to the Lambda function:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN

To learn more about these environment variables, see Using AWS Lambda environment variables.

AWS ECS exposes the task's credentials at the following URI, which the driver reads:

http://169.254.170.2 + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is an environment variable that ECS sets in the task's containers when the task has a task role. To learn more, see IAM Roles for Tasks.

AWS EC2 gets the credentials from Instance Metadata Service Version 2 (IMDSv2) at the following URL:

http://169.254.169.254/latest/meta-data/iam/security-credentials/

IMDSv2 requires a session token, obtained with a PUT request to http://169.254.169.254/latest/api/token and sent back in the X-aws-ec2-metadata-token header; the driver fetches that token before reading the credentials, and an instance that enforces IMDSv2 rejects requests without it. To learn more, see Launch an instance with an IAM role.

For AWS EKS, assigning the IAM role to the pod sets the following environment variables, but the driver does not use them on its own: you must assume the role yourself.

  • AWS_WEB_IDENTITY_TOKEN_FILE - contains the path to the web identity token file.
  • AWS_ROLE_SESSION_NAME - contains the name applied to this assume-role session.

To assume the role manually:

  1. Use the AWS SDK to call AssumeRoleWithWebIdentity with the web identity token read from that file.
  2. Pass the returned credentials to the MongoDB driver through the URI: the access key ID as the username, the secret access key as the password, and the session token as the AWS_SESSION_TOKEN value in authMechanismProperties. All three must be URL-encoded, because secret keys and session tokens contain characters such as / and + that are not valid in a URI.
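The EKS procedure above end to end, as an added example that is not code from the original page or from MongoDB. It reads the injected environment variables (the role ARN comes from AWS_ROLE_ARN, which the same EKS service-account webhook sets but which this page does not list), calls AssumeRoleWithWebIdentity through an STS client passed in as a parameter (a boto3 client at runtime; the parameter exists so the flow can be exercised offline with a stand-in), and builds the MONGODB-AWS URI with the credentials percent-encoded. The cluster host name and the fallback session name are assumptions.

```python
"""Manual AssumeRoleWithWebIdentity flow for an EKS pod talking to Atlas.

Added example. ``sts_client`` is any object with an ``assume_role_with_web_identity``
method; in production that is ``boto3.client("sts")``.
"""
import os
from urllib.parse import quote_plus


def read_irsa_environment(environ=os.environ):
    """Read the variables the EKS IAM-roles-for-service-accounts webhook injects.

    AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN are always present on a pod with an
    assigned role; AWS_ROLE_SESSION_NAME is optional, so a default (an assumption:
    any session name the role's trust policy accepts will do) is supplied.
    """
    try:
        token_file = environ["AWS_WEB_IDENTITY_TOKEN_FILE"]
        role_arn = environ["AWS_ROLE_ARN"]
    except KeyError as missing:
        raise RuntimeError(f"IAM role not assigned to the pod: {missing} is unset") from None
    session_name = environ.get("AWS_ROLE_SESSION_NAME", "mongodb-aws-session")
    return token_file, role_arn, session_name


def read_web_identity_token(token_file):
    """Return the projected service-account JWT from the token file."""
    with open(token_file, encoding="utf-8") as fh:
        return fh.read().strip()


def assume_role_with_web_identity(sts_client, role_arn, session_name, web_identity_token):
    """Exchange the web identity token for temporary IAM credentials.

    Returns (access_key_id, secret_access_key, session_token). The call is unsigned:
    the JWT itself is the proof of identity, so no long-lived AWS secret is involved.
    """
    response = sts_client.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        WebIdentityToken=web_identity_token,
    )
    creds = response["Credentials"]
    return creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"]


def build_mongodb_aws_uri(host, access_key_id, secret_access_key, session_token):
    """Build a MONGODB-AWS connection string carrying temporary credentials.

    Access key ID -> username slot, secret key -> password slot, session token ->
    AWS_SESSION_TOKEN in authMechanismProperties. Secret keys and tokens contain
    '/', '+' and '=' so each value is percent-encoded; skipping that is the usual
    cause of an authentication failure in this flow.
    """
    return (
        f"mongodb+srv://{quote_plus(access_key_id)}:{quote_plus(secret_access_key)}@{host}/"
        "?authMechanism=MONGODB-AWS"
        f"&authMechanismProperties=AWS_SESSION_TOKEN:{quote_plus(session_token)}"
    )


def passwordless_uri(host):
    """URI for Lambda, ECS and EC2, where the driver finds the credentials itself."""
    return f"mongodb+srv://{host}/?authMechanism=MONGODB-AWS"


if __name__ == "__main__":
    import boto3  # real STS client, needed only at runtime
    from pymongo import MongoClient

    token_file, role_arn, session_name = read_irsa_environment()
    creds = assume_role_with_web_identity(
        boto3.client("sts"), role_arn, session_name, read_web_identity_token(token_file)
    )
    # Assumption: replace with your Atlas cluster host.
    uri = build_mongodb_aws_uri("cluster0.example.mongodb.net", *creds)
    print(MongoClient(uri).admin.command("ping"))
```

The credentials returned by STS expire (typically after one hour), so a long-running pod should repeat the exchange and build a new client before expiry rather than caching the URI indefinitely.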