|
4 | 4 | Authentication Mechanisms |
5 | 5 | ========================= |
6 | 6 |
|
7 | | -.. default-domain:: mongodb |
8 | | - |
9 | 7 | .. contents:: On this page |
10 | 8 | :local: |
11 | 9 | :backlinks: none |
@@ -199,22 +197,23 @@ user. |
199 | 197 | To connect to a MongoDB instance with ``MONGODB-AWS`` authentication enabled, |
200 | 198 | specify the ``MONGODB-AWS`` authentication mechanism. |
201 | 199 |
|
202 | | -The driver checks for your credentials in the following sources in the order |
203 | | -they are listed: |
| 200 | +The driver checks for your credentials in the following sources in the |
| 201 | +order listed: |
204 | 202 |
|
205 | | -1. Connection string |
206 | | -#. Environment variables |
207 | | -#. Web identity token file |
208 | | -#. AWS ECS endpoint specified in the ``AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`` |
209 | | - environment variable |
210 | | -#. AWS EC2 endpoint. For more information, see `IAM Roles for Tasks |
211 | | - <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html>`_. |
| 203 | +1. Connection string. |
| 204 | +#. Environment variables. |
| 205 | +#. Web identity token file. |
| 206 | +#. AWS ECS endpoint specified in the |
| 207 | + ``AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`` environment variable. |
| 208 | +#. AWS EC2 endpoint. To learn more, see `IAM Roles for Tasks |
| 209 | + <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html>`__ |
| 210 | + in the AWS documentation. |
212 | 211 |
|
213 | 212 | .. important:: |
214 | 213 |
|
215 | 214 | The driver obtains the credentials only from the first source in which they are found. |
216 | 215 | For example, if you specify your AWS credentials in the connection string, the |
217 | | - driver ignores any credentials that you have specified in environment variables. |
| 216 | + driver ignores any credentials that you specify in environment variables. |
218 | 217 |
|
219 | 218 | .. tabs:: |
220 | 219 |
|
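Review bot: In the numbered source list, the "IAM Roles for Tasks" link (new lines 208-210) points at the Amazon ECS developer guide page ``task-iam-roles.html`` but is attached to the "AWS EC2 endpoint" item, while the ECS item directly above it has no link. Move the link to the ECS endpoint item, or give the EC2 item a reference that covers EC2 instance credentials. Since the ``important`` note states that only the first source found is used, consider also saying there that credentials left in the connection string take precedence over the token file and endpoint sources as well, not only over environment variables.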
@@ -273,17 +272,26 @@ they are listed: |
273 | 272 | .. tab:: Web Identity Token File |
274 | 273 | :tabid: web-identity-token-file |
275 | 274 |
|
276 | | - You can use the OpenID Connect (OIDC) token obtained from a web identity provider to authenticate |
277 | | - to Amazon Elastic Kubernetes Service (EKS) or other services. |
278 | | - To use an OIDC token, create a file that contains your token, then |
279 | | - set the absolute path to this file in an environment variable by using |
280 | | - a shell as shown in the following example: |
| 275 | + You can use the OpenID Connect (OIDC) token obtained from a web |
| 276 | + identity provider to authenticate to Amazon Elastic Kubernetes |
| 277 | + Service (EKS) or other services. To use an OIDC token, create or |
| 278 | + locate the file that contains your token. Then, set the following |
| 279 | + environment variables: |
| 280 | + |
| 281 | + - ``AWS_WEB_IDENTITY_TOKEN_FILE``: Set to the absolute path of the |
| 282 | + file that contains your OIDC token. |
| 283 | + |
| 284 | + - ``AWS_ROLE_ARN``: Set to the IAM role used to connect to your |
| 285 | + cluster. For example: ``arn:aws:iam::111122223333:role/my-role``. |
| 286 | + |
| 287 | + The following shell command sets these environment variables: |
281 | 288 |
|
282 | 289 | .. code-block:: bash |
283 | 290 |
|
284 | | - export AWS_WEB_IDENTITY_TOKEN_FILE=<absolute path to file containing your OIDC token> |
| 291 | + export AWS_WEB_IDENTITY_TOKEN_FILE=<absolute path to file that contains OIDC token> |
| 292 | + export AWS_ROLE_ARN=<IAM role name> |
285 | 293 |
|
286 | | - After you've set the preceding environment variable, specify the ``MONGODB-AWS`` |
| 294 | + After you set the preceding environment variables, specify the ``MONGODB-AWS`` |
287 | 295 | authentication mechanism as shown in the following example: |
288 | 296 |
|
289 | 297 | .. literalinclude:: /includes/fundamentals/code-snippets/authentication/aws-environment-variables.go |
|
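Review bot: The placeholder in ``export AWS_ROLE_ARN=<IAM role name>`` (new line 292) contradicts the bullet at new lines 284-285, which gives the value as a full ARN (``arn:aws:iam::111122223333:role/my-role``); a reader who follows the placeholder literally will set a bare role name. Suggest ``export AWS_ROLE_ARN=<IAM role ARN>``. Also, new line 287 says "The following shell command sets these environment variables" while the block contains two ``export`` commands, so "commands" would read more accurately.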