{"id":3231,"library":"pymongo-auth-aws","title":"MONGODB-AWS authentication support for PyMongo","description":"This library provides MONGODB-AWS authentication support for PyMongo, enabling applications to connect to MongoDB using AWS IAM credentials, temporary AWS IAM credentials, or credentials assigned to EC2 instances or ECS tasks. It is currently at version 1.3.0 and aims to align its Python version support with PyMongo's releases.","status":"active","version":"1.3.0","language":"en","source_language":"en","source_url":"https://github.com/mongodb/pymongo-auth-aws","tags":["mongodb","aws","authentication","pymongo","iam"],"install":[{"cmd":"pip install pymongo-auth-aws","lang":"bash","label":"Install directly"},{"cmd":"pip install 'pymongo[aws]'","lang":"bash","label":"Install via PyMongo's 'aws' extra"}],"dependencies":[{"reason":"This library provides an authentication mechanism for PyMongo; it is a required peer dependency.","package":"pymongo"},{"reason":"Used internally by pymongo-auth-aws for managing and resolving AWS credentials.","package":"boto3"}],"imports":[{"note":"pymongo-auth-aws integrates as a PyMongo extension; its functionality is accessed via PyMongo's MongoClient, not direct imports from pymongo_auth_aws.","symbol":"MongoClient","correct":"from pymongo import MongoClient"}],"quickstart":{"code":"import os\nfrom pymongo import MongoClient\nfrom pymongo.server_api import ServerApi\n\n# Set these environment variables for authentication:\n# os.environ['AWS_ACCESS_KEY_ID'] = 'YOUR_AWS_ACCESS_KEY_ID'\n# os.environ['AWS_SECRET_ACCESS_KEY'] = 'YOUR_AWS_SECRET_ACCESS_KEY'\n# os.environ['AWS_SESSION_TOKEN'] = 'YOUR_AWS_SESSION_TOKEN' # Optional, for temporary credentials\n\n# Replace <YOUR_CLUSTER_URI> with your MongoDB Atlas connection string\n# Ensure authMechanism=MONGODB-AWS and authSource=$external are set in the URI\n# For example: mongodb+srv://<cluster_name>.mongodb.net/?authMechanism=MONGODB-AWS&authSource=%24external&retryWrites=true&w=majority\n\nATLAS_URI = os.environ.get(\"MONGODB_AWS_URI\", \"mongodb+srv://user:pass@host/db?authMechanism=MONGODB-AWS&authSource=%24external\")\n\nclient = None\ntry:\n    # MongoClient will automatically pick up AWS credentials from environment variables\n    # or other boto3-supported sources if not provided in the URI.\n    client = MongoClient(ATLAS_URI, server_api=ServerApi('1'))\n    client.admin.command('ping')\n    print(\"Pinged your deployment. You successfully connected to MongoDB using MONGODB-AWS!\")\nexcept Exception as e:\n    print(f\"Connection failed: {e}\")\nfinally:\n    if client:\n        client.close()","lang":"python","description":"This example demonstrates connecting to MongoDB Atlas using the `MONGODB-AWS` authentication mechanism. It assumes `pymongo-auth-aws` is installed and AWS credentials (access key ID, secret access key, and optionally a session token) are configured in the environment variables (e.g., `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`). The `authMechanism=MONGODB-AWS` and `authSource=$external` parameters are crucial in the connection URI."},"warnings":[{"fix":"Upgrade to Python 3.8+ or pin `pymongo-auth-aws<1.2.0`.","message":"Version 1.2.0 dropped support for several older Python versions, specifically Python 2.7, 3.4, 3.5, 3.6, and 3.7. Users on these versions must remain on `pymongo-auth-aws<1.2.0` or upgrade their Python environment.","severity":"breaking","affected_versions":">=1.2.0"},{"fix":"Review the `boto3` credential chain documentation. To explicitly control, set environment variables like `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, or set `AWS_SHARED_CREDENTIALS_FILE=\"\"` to prevent loading from shared files.","message":"With `pymongo-auth-aws>=1.1.0`, the order of credential lookup for AWS authentication now aligns with `boto3`'s default behavior. This means shared AWS credentials or config files might be prioritized over environment variables if not explicitly overridden, which could alter credential resolution compared to earlier versions.","severity":"gotcha","affected_versions":">=1.1.0"},{"fix":"Upgrade your MongoDB server to 4.4+ and your PyMongo library to 3.11+ (or use `pymongo[aws]` to ensure compatibility).","message":"The MONGODB-AWS authentication mechanism requires MongoDB server version 4.4+ and PyMongo driver version 3.11+. Ensure your MongoDB deployment and PyMongo version meet these requirements.","severity":"gotcha","affected_versions":"<4.4 (MongoDB), <3.11 (PyMongo)"},{"fix":"Add `authSource=$external` to your connection URI (e.g., `mongodb+srv://...&authSource=%24external`) or pass `authSource='$external'` to the `MongoClient` constructor.","message":"When using MONGODB-AWS authentication, you must specify `authSource=$external` in your MongoDB connection URI or as a `MongoClient` option. Failing to do so will result in authentication errors.","severity":"gotcha","affected_versions":"*"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}