MONGODB-AWS authentication support for PyMongo

Warnings

• breaking Version 1.2.0 dropped support for several older Python versions, specifically Python 2.7, 3.4, 3.5, 3.6, and 3.7. Users on these versions must remain on `pymongo-auth-aws<1.2.0` or upgrade their Python environment.
  Fix: Upgrade to Python 3.8+ or pin `pymongo-auth-aws<1.2.0`.
• gotcha With `pymongo-auth-aws>=1.1.0`, the order of credential lookup for AWS authentication now aligns with `boto3`'s default behavior. This means shared AWS credentials or config files might be prioritized over environment variables if not explicitly overridden, which could alter credential resolution compared to earlier versions.
  Fix: Review the `boto3` credential chain documentation. To explicitly control, set environment variables like `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, or set `AWS_SHARED_CREDENTIALS_FILE=""` to prevent loading from shared files.
• gotcha The MONGODB-AWS authentication mechanism requires MongoDB server version 4.4+ and PyMongo driver version 3.11+. Ensure your MongoDB deployment and PyMongo version meet these requirements.
  Fix: Upgrade your MongoDB server to 4.4+ and your PyMongo library to 3.11+ (or use `pymongo[aws]` to ensure compatibility).
• gotcha When using MONGODB-AWS authentication, you must specify `authSource=$external` in your MongoDB connection URI or as a `MongoClient` option. Failing to do so will result in authentication errors.
  Fix: Add `authSource=$external` to your connection URI (e.g., `mongodb+srv://...&authSource=%24external`) or pass `authSource='$external'` to the `MongoClient` constructor.

Install

• pip install pymongo-auth-aws Install directly
• pip install 'pymongo[aws]' Install via PyMongo's 'aws' extra

Imports

• MongoClient

  from pymongo import MongoClient

  pymongo-auth-aws integrates as a PyMongo extension; its functionality is accessed via PyMongo's MongoClient, not direct imports from pymongo_auth_aws.

Quickstart

This example demonstrates connecting to MongoDB Atlas using the `MONGODB-AWS` authentication mechanism. It assumes `pymongo-auth-aws` is installed and AWS credentials (access key ID, secret access key, and optionally a session token) are configured in the environment variables (e.g., `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`). The `authMechanism=MONGODB-AWS` and `authSource=$external` parameters are crucial in the connection URI.

import os
from pymongo import MongoClient
from pymongo.server_api import ServerApi

# Set these environment variables for authentication:
# os.environ['AWS_ACCESS_KEY_ID'] = 'YOUR_AWS_ACCESS_KEY_ID'
# os.environ['AWS_SECRET_ACCESS_KEY'] = 'YOUR_AWS_SECRET_ACCESS_KEY'
# os.environ['AWS_SESSION_TOKEN'] = 'YOUR_AWS_SESSION_TOKEN' # Optional, for temporary credentials

# Replace <YOUR_CLUSTER_URI> with your MongoDB Atlas connection string
# Ensure authMechanism=MONGODB-AWS and authSource=$external are set in the URI
# For example: mongodb+srv://<cluster_name>.mongodb.net/?authMechanism=MONGODB-AWS&authSource=%24external&retryWrites=true&w=majority

ATLAS_URI = os.environ.get("MONGODB_AWS_URI", "mongodb+srv://user:pass@host/db?authMechanism=MONGODB-AWS&authSource=%24external")

client = None
try:
    # MongoClient will automatically pick up AWS credentials from environment variables
    # or other boto3-supported sources if not provided in the URI.
    client = MongoClient(ATLAS_URI, server_api=ServerApi('1'))
    client.admin.command('ping')
    print("Pinged your deployment. You successfully connected to MongoDB using MONGODB-AWS!")
except Exception as e:
    print(f"Connection failed: {e}")
finally:
    if client:
        client.close()