From 30808ebd1269b52b811d6475a31a2cdf4ba280c1 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Tue, 30 Sep 2025 15:13:23 +0200 Subject: [PATCH 01/11] DRIVERS-3131: No URI credentials with MONGODB-AWS --- source/auth/auth.md | 39 +++++++------------ .../auth/tests/legacy/connection-string.json | 15 +++++++ .../auth/tests/legacy/connection-string.yml | 12 ++++++ source/auth/tests/mongodb-aws.md | 6 +-- 4 files changed, 43 insertions(+), 29 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index 971c01ba0b..4c5a25a87a 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -957,7 +957,9 @@ Examples are provided below. - AWS_SESSION_TOKEN - Drivers MUST allow the user to specify an AWS session token for authentication with temporary credentials. + Drivers MAY allow an AWS session token for authentication with temporary credentials to exist in their API, + internally, but MUST raise an error if the user provided it explicitly via the URI or client options. This + property MUST NOT exist in the public API. - AWS_CREDENTIAL_PROVIDER @@ -1011,11 +1013,10 @@ Drivers MAY expose API for default providers for the following scenarios when ap The order in which Drivers MUST search for credentials is: -1. The URI -2. A custom AWS credential provider if the driver supports it. -3. Environment variables -4. Using `AssumeRoleWithWebIdentity` if `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` are set. -5. The ECS endpoint if `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set. Otherwise, the EC2 endpoint. +1. A custom AWS credential provider if the driver supports it. +2. Environment variables +3. Using `AssumeRoleWithWebIdentity` if `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` are set. +4. The ECS endpoint if `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set. Otherwise, the EC2 endpoint. > [!NOTE] > See *Should drivers support accessing Amazon EC2 instance metadata in Amazon ECS* in [Q & A](#q-and-a) 
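Review bot: The replacement text for `AWS_SESSION_TOKEN` in the @@ -957 hunk contradicts itself: it first says drivers MAY let the session token "exist in their API, internally" and then that the property "MUST NOT exist in the public API", and an API that exists only internally is not an API in the sense this list describes. Reword to something like "Drivers MAY keep an internal representation of a session token obtained from the environment or a credential provider, but MUST NOT expose `AWS_SESSION_TOKEN` as a mechanism property or client option; if a user supplies it via the URI or client options the driver MUST raise an error." The renumbered precedence list in the @@ -1011 hunk is consistent with that rule as written.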
@@ -1025,32 +1026,16 @@ The order in which Drivers MUST search for credentials is: > description of `AssumeRole` below, which is distinct from `AssumeRoleWithWebIdentity` requests that are meant to be > handled directly by the driver. -##### URI - -An example URI for authentication with MONGODB-AWS using AWS IAM credentials passed through the URI is as follows: - -```javascript -"mongodb://:@mongodb.example.com/?authMechanism=MONGODB-AWS" -``` - -Users MAY have obtained temporary credentials through an -[AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) request. If so, then in addition -to a username and password, users MAY also provide an `AWS_SESSION_TOKEN` as a `mechanism_property`. - -```javascript -"mongodb://:@mongodb.example.com/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:" -``` - ##### Environment variables AWS Lambda runtimes set several [environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime) during initialization. To support AWS Lambda runtimes Drivers MUST check a subset of these variables, i.e., `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`, for the access key ID, secret access key and -session token, respectively if AWS credentials are not explicitly provided in the URI. The `AWS_SESSION_TOKEN` may or -may not be set. However, if `AWS_SESSION_TOKEN` is set Drivers MUST use its value as the session token. Drivers -implemented in programming languages that support altering environment variables MUST always read environment variables -dynamically during authorization, to handle the case where another part the application has refreshed the credentials. +session token, respectively. The `AWS_SESSION_TOKEN` may or may not be set. However, if `AWS_SESSION_TOKEN` is set Drivers +MUST use its value as the session token. 
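Review bot: The @@ -1025 hunk deletes the guidance on AssumeRole temporary credentials (the removed paragraph that linked the AssumeRole API and showed `AWS_SESSION_TOKEN` as a mechanism property) without replacing it, and the surviving "Environment variables" text still frames the variables purely as an AWS Lambda concern. Add one sentence stating that temporary credentials obtained through AssumeRole are now consumed from `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` in the environment (or from a custom provider), and state why the URI path was removed, for example that connection strings routinely end up in logs and process listings, so readers see this as a hardening change rather than a dropped feature.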
Drivers implemented in programming languages that support altering environment +variables MUST always read environment variables dynamically during authorization, to handle the case where another part the +application has refreshed the credentials. However, if environment variables are not present during initial authorization, credentials may be fetched from another source and cached. Even if the environment variables are present in subsequent authorization attempts, the driver MUST @@ -2165,6 +2150,8 @@ practice to avoid this. (See ## Changelog +- 2025-09-30: Remove credentials URI support for MONGODDB-AWS. + - 2025-09-10: Update precedence of MONGODB-AWS credential fetching behaviour. - 2025-01-29: Add support for custom AWS credential providers. diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index 3a099c8137..7582639566 100644 --- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json @@ -440,6 +440,21 @@ } } }, + { + "description": "should throw an exception if username provided (MONGODB-AWS) implies default mechanism)", + "uri": "mongodb://user:localhost.com/", + "valid": false + }, + { + "description": "should throw an exception if username and password provided (MONGODB-AWS) implies default mechanism)", + "uri": "mongodb://user@pass:localhost.com/", + "valid": false + }, + { + "description": "should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS) implies default mechanism)", + "uri": "mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token", + "valid": false + }, { "description": "should recognise the mechanism with test environment (MONGODB-OIDC)", "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test", diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml index 1f5d470041..14c0fdd9e3 100644 
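Review bot: The three new connection-string cases in the `connection-string.json` hunk do not exercise the rule they describe. `mongodb://user:localhost.com/` has no `@`, so it parses as host `user` with an invalid port `localhost.com`; `mongodb://user@pass:localhost.com/` has userinfo `user` and host `pass:localhost.com`, again an invalid port. Both are rejected for reasons unrelated to MONGODB-AWS. Neither URI carries `authMechanism=MONGODB-AWS`, and the parenthetical "(MONGODB-AWS) implies default mechanism)" in the descriptions is inverted: a username without `authMechanism` selects the default mechanism, for which a username is valid. Use `mongodb://user@localhost/?authMechanism=MONGODB-AWS` and `mongodb://user:pass@localhost/?authMechanism=MONGODB-AWS` so that a correct parser fails only because credentials were supplied for MONGODB-AWS.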
--- a/source/auth/tests/legacy/connection-string.yml +++ b/source/auth/tests/legacy/connection-string.yml @@ -320,6 +320,18 @@ tests: mechanism: MONGODB-AWS mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+ +- description: should throw an exception if username provided (MONGODB-AWS) + implies default mechanism) + uri: mongodb://user:localhost.com/ + valid: false +- description: should throw an exception if username and password provided (MONGODB-AWS) + implies default mechanism) + uri: mongodb://user@pass:localhost.com/ + valid: false +- description: should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS) + implies default mechanism) + uri: mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token + valid: false - description: should recognise the mechanism with test environment (MONGODB-OIDC) uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test valid: true diff --git a/source/auth/tests/mongodb-aws.md b/source/auth/tests/mongodb-aws.md index d828f7a8fe..3e103b1672 100644 --- a/source/auth/tests/mongodb-aws.md +++ b/source/auth/tests/mongodb-aws.md @@ -59,11 +59,11 @@ Expect authentication to succeed and the custom credential provider was called. ## Regular credentials -Drivers MUST be able to authenticate by providing a valid access key id and secret access key pair as the username and -password, respectively, in the MongoDB URI. An example of a valid URI would be: +Drivers MUST be able to authenticate when a valid access key id and secret access key pair are present in the +environment. Drivers MUST provide the --nouri option to aws_tester.py in drivers-evergreen-tools for this test. ```text -mongodb://:@localhost/?authMechanism=MONGODB-AWS +mongodb://localhost/?authMechanism=MONGODB-AWS ``` ## EC2 Credentials From 8ed234a19ba5615af7c2ba3f90df0a3d91c0bb0c Mon Sep 17 00:00:00 2001 
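Review bot: The new `AWS_SESSION_TOKEN` case (`valid: false`) in the `connection-string.yml` hunk is inserted directly after an existing test whose visible context still expects `mechanism: MONGODB-AWS` with `mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+`, i.e. a URI carrying a session token that parses successfully. The two cannot both pass once the property is rejected; the earlier test should be removed or flipped to `valid: false` in the same patch, and the JSON file should be checked for the same predecessor. Separately, the `mongodb-aws.md` hunk in this patch requires `--nouri` for `aws_tester.py` without saying what that option does; one clause stating its effect (presumably that the tester supplies the credentials through the environment instead of writing them into the URI) would let implementers confirm they are exercising the environment path.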
From: Durran Jordan Date: Tue, 30 Sep 2025 18:17:17 +0200 Subject: [PATCH 02/11] fix: lint --- source/auth/auth.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index 4c5a25a87a..0e9f10a798 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -1032,10 +1032,10 @@ AWS Lambda runtimes set several [environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime) during initialization. To support AWS Lambda runtimes Drivers MUST check a subset of these variables, i.e., `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`, for the access key ID, secret access key and -session token, respectively. The `AWS_SESSION_TOKEN` may or may not be set. However, if `AWS_SESSION_TOKEN` is set Drivers -MUST use its value as the session token. Drivers implemented in programming languages that support altering environment -variables MUST always read environment variables dynamically during authorization, to handle the case where another part the -application has refreshed the credentials. +session token, respectively. The `AWS_SESSION_TOKEN` may or may not be set. However, if `AWS_SESSION_TOKEN` is set +Drivers MUST use its value as the session token. Drivers implemented in programming languages that support altering +environment variables MUST always read environment variables dynamically during authorization, to handle the case where +another part the application has refreshed the credentials. However, if environment variables are not present during initial authorization, credentials may be fetched from another source and cached. Even if the environment variables are present in subsequent authorization attempts, the driver MUST From 51184d33e22dffec15f251100a21f9cbcb9ea4ac Mon Sep 17 00:00:00 2001 
From: Durran Jordan Date: Tue, 30 Sep 2025 18:29:27 +0200 Subject: [PATCH 03/11] chore: add note on error cases --- source/auth/auth.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index 0e9f10a798..81f7945c35 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -972,11 +972,8 @@ Examples are provided below. Drivers will need AWS IAM credentials (an access key, a secret access key and optionally a session token) to complete the steps in the [Signature Version 4 Signing Process](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html?shortFooter=true). -If a username and password are provided drivers MUST use these for the AWS IAM access key and AWS IAM secret key, -respectively. If, additionally, a session token is provided Drivers MUST use it as well. If a username is provided -without a password (or vice-versa) or if *only* a session token is provided Drivers MUST raise an error. In other words, -regardless of how Drivers obtain credentials the only valid combination of credentials is an access key ID and a secret -access key or an access key ID, a secret access key and a session token. +These values MUST be present in the environment or be retrieved via the optional AWS SDK. If credentials are provided +in the URI or client options, the driver MUST raise an error. AWS recommends using an SDK to "take care of some of the heavy lifting necessary in successfully making API calls, including authentication, retry behavior, and more". From df19d5086d829c80b93675dac2d9aea0408a2ce4 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Tue, 30 Sep 2025 18:34:10 +0200 Subject: [PATCH 04/11] fix: lint --- source/auth/auth.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index 81f7945c35..93a7eaa01a 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md 
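Review bot: "These values MUST be present in the environment or be retrieved via the optional AWS SDK" is narrower than the precedence list this spec already defines (custom credential provider, environment variables, `AssumeRoleWithWebIdentity`, then the ECS or EC2 endpoints), and an SDK is not required for the last three in a driver that implements them itself. Reword to something like "Drivers MUST obtain these values through the credential sources listed under precedence below; they MUST NOT accept them from the URI or client options and MUST raise an error if they are supplied there." The second sentence also needs to exclude `AWS_CREDENTIAL_PROVIDER`, which is itself a client option that supplies credentials, so name the access key ID, secret access key and session token as the values being rejected.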
@@ -972,8 +972,8 @@ Examples are provided below. Drivers will need AWS IAM credentials (an access key, a secret access key and optionally a session token) to complete the steps in the [Signature Version 4 Signing Process](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html?shortFooter=true). -These values MUST be present in the environment or be retrieved via the optional AWS SDK. If credentials are provided -in the URI or client options, the driver MUST raise an error. +These values MUST be present in the environment or be retrieved via the optional AWS SDK. If credentials are provided in +the URI or client options, the driver MUST raise an error. AWS recommends using an SDK to "take care of some of the heavy lifting necessary in successfully making API calls, including authentication, retry behavior, and more". From 8a8ecaf98d97eb56d38637ef1b6928f5e9d16250 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Wed, 1 Oct 2025 12:41:19 +0200 Subject: [PATCH 05/11] chore: comments --- source/auth/auth.md | 14 +++++--------- source/auth/tests/legacy/connection-string.json | 6 +++--- source/auth/tests/legacy/connection-string.yml | 3 --- 3 files changed, 8 insertions(+), 15 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index 93a7eaa01a..6144c9e725 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -955,12 +955,6 @@ Examples are provided below. - mechanism_properties - - AWS_SESSION_TOKEN - - Drivers MAY allow an AWS session token for authentication with temporary credentials to exist in their API, - internally, but MUST raise an error if the user provided it explicitly via the URI or client options. This - property MUST NOT exist in the public API. - - AWS_CREDENTIAL_PROVIDER An AWS [Custom Credential Provider](#custom-credential-providers) that returns AWS credentials. Drivers MAY allow 
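Review bot: With `AWS_SESSION_TOKEN` deleted from the `mechanism_properties` list, the spec no longer says anything about it, yet the connection-string tests added earlier in this series still require `authMechanismProperties=AWS_SESSION_TOKEN:token` to be rejected. That expectation now rests on whatever the spec says about unrecognised mechanism properties. Either keep a one-line entry stating that the property is no longer accepted and MUST cause an error (so drivers that previously supported it know to reject rather than ignore it), or reference the general unknown-property rule next to the test. Silently ignoring a user-supplied session token while falling back to environment credentials would be a confusing failure mode.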
@@ -972,8 +966,10 @@ Examples are provided below. Drivers will need AWS IAM credentials (an access key, a secret access key and optionally a session token) to complete the steps in the [Signature Version 4 Signing Process](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html?shortFooter=true). -These values MUST be present in the environment or be retrieved via the optional AWS SDK. If credentials are provided in -the URI or client options, the driver MUST raise an error. +Regardless of how Drivers obtain credentials the only valid combination of credentials is an access key ID and a secret +access key or an access key ID, a secret access key and a session token. These values MUST be present in the environment +or be retrieved via the optional AWS SDK. If credentials are provided in the URI or client options, the driver MUST raise +an error. AWS recommends using an SDK to "take care of some of the heavy lifting necessary in successfully making API calls, including authentication, retry behavior, and more". @@ -2147,7 +2143,7 @@ practice to avoid this. (See ## Changelog -- 2025-09-30: Remove credentials URI support for MONGODDB-AWS. +- 2025-09-30: Remove support for explicitly specifying MONGODDB-AWS authentication properties. - 2025-09-10: Update precedence of MONGODB-AWS credential fetching behaviour. diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index 7582639566..9f5af9ea69 100644 --- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json 
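Review bot: The changelog entry still misspells the mechanism as `MONGODDB-AWS`; the typo was introduced in the first patch of this series and survives this rewording. It should read `MONGODB-AWS`. The reworded text ("Remove support for explicitly specifying MONGODDB-AWS authentication properties") is also broader than the change, since `AWS_CREDENTIAL_PROVIDER` is still explicitly specified by the user. Suggest "Remove support for passing MONGODB-AWS credentials (access key ID, secret access key, session token) via the URI or client options."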
@@ -441,17 +441,17 @@ } }, { - "description": "should throw an exception if username provided (MONGODB-AWS) implies default mechanism)", + "description": "should throw an exception if username provided (MONGODB-AWS)", "uri": "mongodb://user:localhost.com/", "valid": false }, { - "description": "should throw an exception if username and password provided (MONGODB-AWS) implies default mechanism)", + "description": "should throw an exception if username and password provided (MONGODB-AWS)", "uri": "mongodb://user@pass:localhost.com/", "valid": false }, { - "description": "should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS) implies default mechanism)", + "description": "should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS)", "uri": "mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token", "valid": false }, diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml index 14c0fdd9e3..4b643b0d8a 100644 --- a/source/auth/tests/legacy/connection-string.yml +++ b/source/auth/tests/legacy/connection-string.yml @@ -321,15 +321,12 @@ tests: mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+ - description: should throw an exception if username provided (MONGODB-AWS) - implies default mechanism) uri: mongodb://user:localhost.com/ valid: false - description: should throw an exception if username and password provided (MONGODB-AWS) - implies default mechanism) uri: mongodb://user@pass:localhost.com/ valid: false - description: should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS) - implies default mechanism) uri: mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token valid: false - description: should recognise the mechanism with test environment (MONGODB-OIDC) From 6633b5a54487d1e109d50ce87567078eeea29332 Mon Sep 17 00:00:00 2001 
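Review bot: Dropping "implies default mechanism" from the descriptions does not fix the cases themselves: `mongodb://user:localhost.com/` and `mongodb://user@pass:localhost.com/` are still malformed (the first has no `@`; the second places `pass:localhost.com` in the host position, which is an invalid port) and neither carries `authMechanism=MONGODB-AWS`. The tests will pass for the wrong reason; use well-formed URIs with the mechanism set so the rejection exercises the new rule.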
From: Durran Jordan Date: Wed, 1 Oct 2025 12:44:31 +0200 Subject: [PATCH 06/11] chore: comments --- source/auth/tests/mongodb-aws.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source/auth/tests/mongodb-aws.md b/source/auth/tests/mongodb-aws.md index 3e103b1672..5048e9792a 100644 --- a/source/auth/tests/mongodb-aws.md +++ b/source/auth/tests/mongodb-aws.md @@ -95,11 +95,11 @@ mongodb://localhost/?authMechanism=MONGODB-AWS ## AssumeRole Drivers MUST be able to authenticate using temporary credentials returned from an assume role request. These temporary -credentials consist of an access key ID, a secret access key, and a security token passed into the URI. A sample URI -would be: +credentials consist of an access key ID, a secret access key, and a security token passed into the URI. Drivers MUST provide +the --nouri option to aws_tester.py in drivers-evergreen-tools for this test. A sample URI would be: ```text -mongodb://:@localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN: +mongodb://localhost/?authMechanism=MONGODB-AWS ``` ## Assume Role with Web Identity From aad1e8a6568e87c9923ea5365a92c94e87cedff9 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Wed, 1 Oct 2025 12:47:48 +0200 Subject: [PATCH 07/11] fix: lint --- source/auth/auth.md | 4 ++-- source/auth/tests/mongodb-aws.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index 6144c9e725..e55886d184 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md 
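Review bot: In the `## AssumeRole` hunk the prose still says the temporary credentials are "passed into the URI" while the sample URI right below it has no userinfo and no session token, and "A sample URI would be:" now introduces the same bare `mongodb://localhost/?authMechanism=MONGODB-AWS` used by the regular-credentials test. Change the sentence to say the access key ID, secret access key and session token are present in the environment (matching the change already made to `## Regular credentials`), and consider replacing the duplicated sample with a statement that the URI is identical for all environment-sourced cases.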
@@ -968,8 +968,8 @@ the steps in the [Signature Version 4 Signing Process](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html?shortFooter=true). Regardless of how Drivers obtain credentials the only valid combination of credentials is an access key ID and a secret access key or an access key ID, a secret access key and a session token. These values MUST be present in the environment -or be retrieved via the optional AWS SDK. If credentials are provided in the URI or client options, the driver MUST raise -an error. +or be retrieved via the optional AWS SDK. If credentials are provided in the URI or client options, the driver MUST +raise an error. AWS recommends using an SDK to "take care of some of the heavy lifting necessary in successfully making API calls, including authentication, retry behavior, and more". diff --git a/source/auth/tests/mongodb-aws.md b/source/auth/tests/mongodb-aws.md index 5048e9792a..930c654266 100644 --- a/source/auth/tests/mongodb-aws.md +++ b/source/auth/tests/mongodb-aws.md @@ -95,8 +95,8 @@ mongodb://localhost/?authMechanism=MONGODB-AWS ## AssumeRole Drivers MUST be able to authenticate using temporary credentials returned from an assume role request. These temporary -credentials consist of an access key ID, a secret access key, and a security token passed into the URI. Drivers MUST provide -the --nouri option to aws_tester.py in drivers-evergreen-tools for this test. A sample URI would be: +credentials consist of an access key ID, a secret access key, and a security token passed into the URI. Drivers MUST +provide the --nouri option to aws_tester.py in drivers-evergreen-tools for this test. A sample URI would be: ```text mongodb://localhost/?authMechanism=MONGODB-AWS From 7714280b8c6192757abe3f8257a50cf1dd578ad3 Mon Sep 17 00:00:00 2001 
From: Durran Jordan Date: Mon, 6 Oct 2025 15:05:00 -0400 Subject: [PATCH 08/11] chore: comments --- source/auth/tests/legacy/connection-string.json | 4 ++-- source/auth/tests/legacy/connection-string.yml | 4 ++-- source/auth/tests/mongodb-aws.md | 11 +++++------ 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index 9f5af9ea69..a32aa80ea4 100644 --- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json @@ -442,12 +442,12 @@ }, { "description": "should throw an exception if username provided (MONGODB-AWS)", - "uri": "mongodb://user:localhost.com/", + "uri": "mongodb://user@localhost.com/", "valid": false }, { "description": "should throw an exception if username and password provided (MONGODB-AWS)", - "uri": "mongodb://user@pass:localhost.com/", + "uri": "mongodb://user:pass@localhost.com/", "valid": false }, { diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml index 4b643b0d8a..2cf01bfb79 100644 --- a/source/auth/tests/legacy/connection-string.yml +++ b/source/auth/tests/legacy/connection-string.yml @@ -321,10 +321,10 @@ tests: mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+ - description: should throw an exception if username provided (MONGODB-AWS) - uri: mongodb://user:localhost.com/ + uri: mongodb://user@localhost.com/ valid: false - description: should throw an exception if username and password provided (MONGODB-AWS) - uri: mongodb://user@pass:localhost.com/ + uri: mongodb://user:pass@localhost.com/ valid: false - description: should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS) uri: mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token diff --git a/source/auth/tests/mongodb-aws.md b/source/auth/tests/mongodb-aws.md index 930c654266..4e4ba49dd7 100644 
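Review bot: The URIs are now syntactically valid but still lack `authMechanism=MONGODB-AWS`: `mongodb://user@localhost.com/` and `mongodb://user:pass@localhost.com/` select the default mechanism, for which a username and password are legal, so a correct parser will accept them and the `valid: false` expectation will fail. Add `?authMechanism=MONGODB-AWS` to both, as the `AWS_SESSION_TOKEN` case in the same block already does.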
--- a/source/auth/tests/mongodb-aws.md +++ b/source/auth/tests/mongodb-aws.md @@ -2,7 +2,7 @@ Drivers MUST test the following scenarios: -1. `Regular Credentials`: Auth via an `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` pair +1. `Regular Credentials`: Auth via an `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` pair *Removed* 2. `EC2 Credentials`: Auth from an EC2 instance via temporary credentials assigned to the machine 3. `ECS Credentials`: Auth from an ECS instance via temporary credentials assigned to the task 4. `Assume Role`: Auth via temporary credentials obtained from an STS AssumeRole request @@ -12,8 +12,7 @@ Drivers MUST test the following scenarios: 7. Caching of AWS credentials fetched by the driver. For brevity, this section gives the values ``, `` and `` in place of a valid access -key ID, secret access key and session token (also known as a security token). Note that if these values are passed into -the URI they MUST be URL encoded. Sample values are below. +key ID, secret access key and session token (also known as a security token). Sample values are below. ```text AccessKeyId=AKIAI44QH8DHBEXAMPLE @@ -57,7 +56,7 @@ Configure a custom credential provider to pass valid AWS credentials. The provid Expect authentication to succeed and the custom credential provider was called. -## Regular credentials +## Regular credentials *Removed* Drivers MUST be able to authenticate when a valid access key id and secret access key pair are present in the environment. Drivers MUST provide the --nouri option to aws_tester.py in drivers-evergreen-tools for this test. 
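Review bot: Marking the `Regular Credentials` list item and the `## Regular credentials` heading with `*Removed*` while the section body still says "Drivers MUST be able to authenticate when a valid access key id and secret access key pair are present in the environment" leaves readers unsure whether the test is required. If the scenario stays (it is the basic environment-variable path), drop the markers; if it goes, delete the section rather than annotating it. Removing the "MUST be URL encoded" sentence is correct now that the values never go into the URI.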
@@ -95,8 +94,8 @@ mongodb://localhost/?authMechanism=MONGODB-AWS ## AssumeRole Drivers MUST be able to authenticate using temporary credentials returned from an assume role request. These temporary -credentials consist of an access key ID, a secret access key, and a security token passed into the URI. Drivers MUST -provide the --nouri option to aws_tester.py in drivers-evergreen-tools for this test. A sample URI would be: +credentials consist of an access key ID, a secret access key, and a security token present in the environment. Drivers +MUST provide the --nouri option to aws_tester.py in drivers-evergreen-tools for this test. A sample URI would be: ```text mongodb://localhost/?authMechanism=MONGODB-AWS From 714e051b5bde020cfc3b1995443fd2000c9bfcff Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Mon, 6 Oct 2025 18:04:15 -0400 Subject: [PATCH 09/11] chore: comments --- source/auth/tests/mongodb-aws.md | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/source/auth/tests/mongodb-aws.md b/source/auth/tests/mongodb-aws.md index 4e4ba49dd7..0bd7cbe275 100644 --- a/source/auth/tests/mongodb-aws.md +++ b/source/auth/tests/mongodb-aws.md @@ -36,14 +36,7 @@ directly from the custom provider instead of using the AWS SDK default provider. ### 2. Custom Credential Provider Authentication Precedence -#### Case 1: Credentials in URI Take Precedence - -Create a `MongoClient` configured with AWS auth and credentials in the URI. Example: -`mongodb://:@localhost:27017/?authMechanism=MONGODB-AWS` - -Configure a custom credential provider to pass valid AWS credentials. The provider must track if it was called. - -Expect authentication to succeed and the custom credential provider was *not* called. +#### Case 1: Credentials in URI Take Precedence *Removed* #### Case 2: Custom Provider Takes Precedence Over Environment Variables 
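Review bot: Deleting Case 1 leaves an empty `#### Case 1: Credentials in URI Take Precedence *Removed*` heading followed by a `Case 2` with no Case 1; renumber or drop the heading. More importantly, the deleted case was the only test that combined URI credentials with a custom provider and asserted which one wins. Under the new rule the right replacement is an inverted test, not no test: construct a `MongoClient` with URI credentials and a valid custom provider and expect client construction (or the first authentication) to raise, with the provider never called. That is the behaviour the spec now mandates and nothing in this series verifies it end to end.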
@@ -56,7 +49,7 @@ Configure a custom credential provider to pass valid AWS credentials. The provid Expect authentication to succeed and the custom credential provider was called. -## Regular credentials *Removed* +## Regular credentials Drivers MUST be able to authenticate when a valid access key id and secret access key pair are present in the environment. Drivers MUST provide the --nouri option to aws_tester.py in drivers-evergreen-tools for this test. From 1780f54b401cea15f48fc4093f253d43b59d6195 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Mon, 6 Oct 2025 18:10:12 -0400 Subject: [PATCH 10/11] test: fix tests --- source/auth/tests/legacy/connection-string.json | 4 ++-- source/auth/tests/legacy/connection-string.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index a32aa80ea4..8982b61d5a 100644 --- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json @@ -442,12 +442,12 @@ }, { "description": "should throw an exception if username provided (MONGODB-AWS)", - "uri": "mongodb://user@localhost.com/", + "uri": "mongodb://user@localhost.com/?authMechanism=MONGODB-AWS", "valid": false }, { "description": "should throw an exception if username and password provided (MONGODB-AWS)", - "uri": "mongodb://user:pass@localhost.com/", + "uri": "mongodb://user:pass@localhost.com/?authMechanism=MONGODB-AWS", "valid": false }, { diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml index 2cf01bfb79..2b98f0f8f2 100644 --- a/source/auth/tests/legacy/connection-string.yml +++ b/source/auth/tests/legacy/connection-string.yml 
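Review bot: These URI cases are now correct, but the spec text added in this series rejects credentials supplied "in the URI or client options", and only the URI form is tested. The legacy connection-string tests cannot express client options, so add a prose test to `mongodb-aws.md` that passes the access key ID and secret (and separately a session token) through the driver's credential or options API with `MONGODB-AWS` and expects an error, so drivers that expose a programmatic credential object do not slip through.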
@@ -321,10 +321,10 @@ tests: mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+ - description: should throw an exception if username provided (MONGODB-AWS) - uri: mongodb://user@localhost.com/ + uri: mongodb://user@localhost.com/?authMechanism=MONGODB-AWS valid: false - description: should throw an exception if username and password provided (MONGODB-AWS) - uri: mongodb://user:pass@localhost.com/ + uri: mongodb://user:pass@localhost.com/?authMechanism=MONGODB-AWS valid: false - description: should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS) uri: mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token From bd28f1fdf852b8b34e9ed2c211bea777765130ac Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Tue, 7 Oct 2025 16:53:38 -0400 Subject: [PATCH 11/11] chore: last removal --- source/auth/tests/mongodb-aws.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/auth/tests/mongodb-aws.md b/source/auth/tests/mongodb-aws.md index 0bd7cbe275..74faa3ad85 100644 --- a/source/auth/tests/mongodb-aws.md +++ b/source/auth/tests/mongodb-aws.md @@ -2,7 +2,7 @@ Drivers MUST test the following scenarios: -1. `Regular Credentials`: Auth via an `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` pair *Removed* +1. `Regular Credentials`: Auth via an `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` pair 2. `EC2 Credentials`: Auth from an EC2 instance via temporary credentials assigned to the machine 3. `ECS Credentials`: Auth from an ECS instance via temporary credentials assigned to the task 4. `Assume Role`: Auth via temporary credentials obtained from an STS AssumeRole request
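Review bot: Restoring the list item resolves the inconsistency for `Regular Credentials`, but the `#### Case 1: Credentials in URI Take Precedence *Removed*` heading introduced in patch 09 is not touched by this patch or the previous one, so the `*Removed*` placeholder ships in the final state. Delete that heading (and renumber Case 2) in this last patch so the test document does not end with an empty placeholder section.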