
AWS IAM Authentication

The MONGODB-AWS authentication mechanism uses Amazon Web Services Identity and Access Management (AWS IAM) credentials to authenticate a user to MongoDB. You can use this mechanism only when authenticating to MongoDB Atlas.

Tip

Configure Atlas for AWS IAM Authentication

To learn more about configuring MongoDB Atlas for AWS IAM authentication, see Set Up Authentication with AWS IAM in the Atlas documentation.

To instruct the Kotlin Sync driver to use the MONGODB-AWS authentication mechanism, you can either specify MONGODB-AWS as a parameter in the connection string or call the MongoCredential.createAwsCredential() factory method.

In the following sections, you can learn different ways to specify the MONGODB-AWS authentication mechanism and provide your AWS IAM credentials.

These sections contain code examples that use the following placeholders:

  • awsKeyId: The value of your AWS access key ID

  • awsSecretKey: The value of your AWS secret access key

  • atlasUri: The network address of your MongoDB Atlas deployment

  • hostname: The hostname of your MongoDB Atlas deployment

  • port: The port of your MongoDB Atlas deployment

  • awsSessionToken: The value of your AWS session token

Note

End of Support for AWS SDK for Java v1

The AWS SDK for Java v1 will reach end of support on December 31, 2025. AWS recommends migrating to AWS SDK for Java v2. For more information, see the end of support announcement on the AWS site.

AWS provides software development kits (SDKs) for Java v1 and v2. The AWS SDK offers the following features:

  • Multiple options for obtaining credentials

  • Credential caching, which helps your application avoid rate limiting

  • Credential provider management for use with the Elastic Kubernetes Service

To use the AWS SDK for MONGODB-AWS authentication, perform the following steps:

  1. Specify the authentication mechanism.

  2. Add the SDK as a dependency to your project.

  3. Supply your credentials by using one of the methods in the credential provider chain.

You can specify the MONGODB-AWS authentication mechanism by using a connection string or a MongoCredential object. The following instructions and sample code cover each option.

To specify the MONGODB-AWS authentication mechanism in the connection string, set the authMechanism parameter to MONGODB-AWS, as shown in the following example:

val mongoClient =
    MongoClient.create("mongodb://<atlasUri>/?authMechanism=MONGODB-AWS")

To specify the MONGODB-AWS authentication mechanism by using a MongoCredential object, call the MongoCredential.createAwsCredential() factory method and add the MongoCredential instance to your MongoClient, as shown in the following example:

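import com.mongodb.MongoClientSettings
import com.mongodb.MongoCredential
import com.mongodb.ServerAddress
import com.mongodb.connection.ClusterSettings
import com.mongodb.kotlin.client.MongoClient

// No access key or secret is passed here; they are supplied through the AWS SDK
val credential = MongoCredential.createAwsCredential(null, null)
val settings = MongoClientSettings.builder()
    .applyToClusterSettings { builder: ClusterSettings.Builder ->
        builder.hosts(
            listOf(ServerAddress("<atlasUri>"))
        )
    }
    .credential(credential)
    .build()
val mongoClient = MongoClient.create(settings)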

To add the AWS SDK as a dependency to your project, see the following AWS documentation for the version you need:

Note

For the AWS SDK for Java v2, the Java driver is tested with the software.amazon.awssdk:auth:2.30.31 dependency.

For the AWS SDK for Java v1, the Java driver is tested with the com.amazonaws:aws-java-sdk-core:1.12.782 dependency.

To supply your credentials, see the following AWS documentation for the version you need:

Note

If you include both v1 and v2 of the AWS SDK for Java in your project, you must use the v2 methods to supply your credentials.

You can provide your AWS IAM credentials by instructing the driver to use the MONGODB-AWS authentication mechanism and by setting the appropriate environment variables.

To use the environment variables to supply your credentials, perform the following steps:

  1. Specify the authentication mechanism.

  2. Add the appropriate environment variables.

You can specify the MONGODB-AWS authentication mechanism by using a MongoCredential object or in the connection string.

To specify the authentication mechanism by using a MongoCredential object, call the MongoCredential.createAwsCredential() factory method and add the MongoCredential instance to your MongoClient, as shown in the following example:

val credential = MongoCredential.createAwsCredential(null, null)
val settings = MongoClientSettings.builder()
    .applyToClusterSettings { builder: ClusterSettings.Builder ->
        builder.hosts(
            listOf(ServerAddress("<atlasUri>"))
        )
    }
    .credential(credential)
    .build()
val mongoClient = MongoClient.create(settings)

To specify the MONGODB-AWS authentication mechanism in the connection string, add it as a parameter as shown in the following example:

val mongoClient =
    MongoClient.create("mongodb://<atlasUri>/?authMechanism=MONGODB-AWS")

This section shows how to provide your credentials by setting environment variables for the following types of authentication:

  • Programmatic access keys

  • ECS container credentials

  • EC2 container credentials

The following example shows how you can set your programmatic access keys in environment variables by using bash or a similar shell:

export AWS_ACCESS_KEY_ID=<awsKeyId>
export AWS_SECRET_ACCESS_KEY=<awsSecretKey>
export AWS_SESSION_TOKEN=<awsSessionToken>

Omit the line that sets the AWS_SESSION_TOKEN variable if you don't need an AWS session token for that role.

To authenticate by using ECS container credentials, set the ECS endpoint relative URI in an environment variable by using bash or a similar shell, as shown in the following example:

export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=<your ECS endpoint>

To authenticate by using EC2 container credentials, do not set the AWS environment variables. The driver obtains the credentials from the default IPv4 EC2 instance metadata endpoint.
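
As an added example (not part of the MongoDB documentation or the driver), the following POSIX shell function reports which of the three sources above the environment selects and rejects incomplete or conflicting settings without printing any credential value. The function name, the output labels, and the ASIA-prefix and leading-slash checks (AWS conventions, not stated on this page) are assumptions of this example, and the sample values are constructed.

```shell
# Added example: reports the credential source the environment selects.
# Prints a label only; credential values are never echoed.
aws_credential_source() {
    key="${AWS_ACCESS_KEY_ID:-}"
    secret="${AWS_SECRET_ACCESS_KEY:-}"
    token="${AWS_SESSION_TOKEN:-}"
    ecs="${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}"

    if [ -n "$key" ] || [ -n "$secret" ] || [ -n "$token" ]; then
        # Programmatic access keys: the ID and the secret must both be set.
        if [ -z "$key" ] || [ -z "$secret" ]; then
            echo "error: incomplete access key pair" >&2; return 1
        fi
        # Key variables plus the ECS variable leave the intended source unclear.
        if [ -n "$ecs" ]; then
            echo "error: access keys and ECS relative URI both set" >&2; return 1
        fi
        # Assumed AWS convention: ASIA-prefixed key IDs are temporary and
        # cannot be used without a session token.
        case "$key" in
            ASIA*) if [ -z "$token" ]; then
                       echo "error: temporary key without AWS_SESSION_TOKEN" >&2
                       return 1
                   fi ;;
        esac
        if [ -n "$token" ]; then echo "temporary-access-keys"
        else echo "long-term-access-keys"; fi
        return 0
    fi

    if [ -n "$ecs" ]; then
        # Assumed AWS convention: the value is a path relative to the ECS
        # credentials endpoint, so it starts with "/".
        case "$ecs" in
            /*) echo "ecs-container"; return 0 ;;
            *)  echo "error: ECS relative URI must start with /" >&2; return 1 ;;
        esac
    fi

    # No variables set: the driver uses the EC2 instance metadata endpoint.
    echo "ec2-instance-metadata"
}

# Constructed sample values, set in a subshell so the real environment is untouched.
(
    unset AWS_SESSION_TOKEN AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
    AWS_ACCESS_KEY_ID=ASIACONSTRUCTEDKEY AWS_SECRET_ACCESS_KEY=constructed-secret
    aws_credential_source || true   # rejected: temporary key, no session token
)
```

Run the function in the same shell or container entrypoint that starts the application, and stop the start-up when it returns a non-zero status.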

You can supply your AWS IAM credentials to a MongoClient by using a MongoCredential instance. To construct the MongoCredential instance for MONGODB-AWS authentication, call the createAwsCredential() factory method.

Tip

You can supply only programmatic access keys to the MongoCredential.createAwsCredential() method. If you must supply ECS or EC2 container credentials, follow the instructions in Specify Your Credentials in the Environment.

To use a MongoCredential object for MONGODB-AWS authentication, perform the following steps:

  1. Specify the authentication mechanism.

  2. Supply the credentials.

To specify the authentication mechanism by using a MongoCredential object, call the MongoCredential.createAwsCredential() factory method and add the MongoCredential instance to your MongoClient, as shown in the following example:

val credential = MongoCredential.createAwsCredential("<awsKeyId>", "<awsSecretKey>".toCharArray())
val settings = MongoClientSettings.builder()
    .applyToClusterSettings { builder: ClusterSettings.Builder ->
        builder.hosts(
            listOf(ServerAddress("<atlasUri>"))
        )
    }
    .credential(credential)
    .build()
val mongoClient = MongoClient.create(settings)

If you must specify an AWS session token, pass it to the withMechanismProperty() method, as shown in the following example:

val credential = MongoCredential.createAwsCredential("<awsKeyId>", "<awsSecretKey>".toCharArray())
    .withMechanismProperty("AWS_SESSION_TOKEN", "<awsSessionToken>")
val settings = MongoClientSettings.builder()
    .applyToClusterSettings { builder: ClusterSettings.Builder ->
        builder.hosts(
            listOf(ServerAddress("<atlasUri>"))
        )
    }
    .credential(credential)
    .build()
val mongoClient = MongoClient.create(settings)

To refresh your credentials, you can declare a Supplier lambda expression that returns new credentials, as shown in the following example:

import com.mongodb.AwsCredential
import java.util.function.Supplier

// The supplier returns a fresh AwsCredential each time it is invoked
val awsFreshCredentialSupplier: Supplier<AwsCredential> = Supplier {
    // Add your code here to fetch new credentials
    // Return the new credentials
    AwsCredential("<awsKeyId>", "<awsSecretKey>", "<awsSessionToken>")
}
val credential = MongoCredential.createAwsCredential("<awsKeyId>", "<awsSecretKey>".toCharArray())
    .withMechanismProperty(MongoCredential.AWS_CREDENTIAL_PROVIDER_KEY, awsFreshCredentialSupplier)
val settings = MongoClientSettings.builder()
    .applyToClusterSettings { builder ->
        builder.hosts(listOf(ServerAddress("<hostname>", <port>)))
    }
    .credential(credential)
    .build()
val mongoClient = MongoClient.create(settings)

If you must provide AWS IAM credentials in a connection string, you can add the connection string to your MongoClientSettings object by calling the applyConnectionString() method:

val credential = MongoCredential.createAwsCredential("<awsKeyId>", "<awsSecretKey>".toCharArray())
val connectionString = ConnectionString("mongodb://<atlasUri>/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<awsSessionToken>")
val settings = MongoClientSettings.builder()
    .applyConnectionString(connectionString)
    .credential(credential)
    .build()
val mongoClient = MongoClient.create(settings)

To learn more about authenticating to MongoDB, see Authentication in the MongoDB Server manual.

To learn more about creating a MongoClient object by using the Kotlin Sync driver, see the Create a MongoClient guide.
