Skip to content
logo
Percona Server for MongoDB 5.0
AWS IAM authentication
Initializing search
    percona/psmdb-docs
    percona/psmdb-docs
    • Home
    • Percona Server for MongoDB feature comparison
      • Overview
      • Installing Percona Server for MongoDB on Debian and Ubuntu
      • Installing Percona Server for MongoDB on Red Hat Enterprise Linux and CentOS
      • Installing Percona Server for MongoDB from binary tarball
      • Running Percona Server for MongoDB in a Docker Container
        • Percona Memory Engine
        • Hot Backup
        • $backupCursor and $backupCursorExtend aggregation stages
        • Authentication overview
        • Enable SCRAM authentication
        • Set up LDAP authentication with SASL
        • Set up x.509 authentication and LDAP authorization
        • Set up Kerberos authentication
        • AWS IAM authentication
          • User authentication
          • Role authentication
          • Configuration
        • Setting up AWS IAM authentication
        • LDAP authorization
        • Set up LDAP authentication and authorization using NativeLDAP
        • Data at rest encryption
        • HashiCorp Vault integration
        • Using the Key Management Interoperability Protocol (KMIP)
        • Local key management using a keyfile
        • Migrating from key file encryption to HashiCorp Vault encryption
      • Auditing
      • Profiling Rate Limit
      • Log Redaction
      • Additional text search algorithm - ngram
      • Tune parameters
        • Upgrade from 4.4 to 5.0
        • Upgrading Percona Server for MongoDB
      • Uninstall Percona Server for MongoDB
      • Releade notes index
      • Percona Server for MongoDB 5.0.17-14 (2023-05-04)
      • Percona Server for MongoDB 5.0.15-13 (2023-03-16)
      • Percona Server for MongoDB 5.0.14-12 (2022-12-08)
      • Percona Server for MongoDB 5.0.13-11 (2022-10-12)
      • Percona Server for MongoDB 5.0.11-10 (2022-09-01)
      • Percona Server for MongoDB 5.0.10-9 (2022-08-09)
      • Percona Server for MongoDB 5.0.9-8 (2022-06-20)
      • Percona Server for MongoDB 5.0.8-7 (2022-05-10)
      • Percona Server for MongoDB 5.0.7-6 (2022-04-20)
      • Percona Server for MongoDB 5.0.6-5 (2022-02-10)
      • Percona Server for MongoDB 5.0.5-4 (2021-12-28)
      • Percona Server for MongoDB 5.0.4-3 (Release Candidate) (2021-12-08)
      • Percona Server for MongoDB 5.0.3-2 (Release Candidate) (2021-10-14)
      • Percona Server for MongoDB 5.0.2-1 (Release Candidate) (2021-08-16)
    • Glossary
    • Copyright and licensing information
    • Trademark policy

    • User authentication
    • Role authentication
    • Configuration

    AWS IAM authentication¶

    Version added: 5.0.15-13

    Important

    This is a technical preview feature

    IAM (Identity Access Management) is the AWS service that allows you to securely control access to AWS resources. Percona Server for MongoDB supports authentication with AWS IAM enabling you to use the same AWS credentials both for it and other components of your infrastructure. This saves your DBAs from managing different sets of secrets and frees their time on other activities.

    You can configure AWS IAM for a password-less authentication. Instead of username and password, the user or the application presents the AWS security credentials for authentication, but the secret key is not sent to Percona Server for MongoDB. This significantly increases the security in your infrastructure.

    Percona Server for MongoDB supports two authentication types:

    User authentication¶

    This authentication type is typically used by human operators. Every user account in AWS has the ARN (Amazon Resource Name), which uniquely identifies this account and the user associated with it. During authentication, the ARN is used to verify the user’s identity.

    Role authentication¶

    This type is typically used for applications / mongo clients. For instance, if your application is running on AWS resources like EC2 instance or ECS (Elastic Container Service) which uses the IAM role assigned to it. Another scenario is to allow users to assume the IAM role and in such a way, grant a user the permissions outlined in the IAM role. The ARN of the IAM role is used to authenticate the application in Percona Server for MongoDB.

    For either type of AWS IAM authentication, the flow is the following:

    image

    1. A mongo client (a Mongo shell or an application that talks to Percona Server for MongoDB via a driver) gets AWS credentials from either EC2/ECS instance metadata service, environmental variables or MongoDB URI connection string.
    2. The mongo client constructs the authentication request which includes the AWS access key ID, token and the signature and sends it to Percona Server for MongoDB

      Important

      The mongo client never sends the secret access key to Percona Server for MongoDB.

    3. Percona Server for MongoDB sends the received credentials to the AWS STS (Security Token Service) for verification

    4. The AWS STS service validates whether the signature is correct and answers with the user / role ARN that created the signature
    5. Percona Server for MongoDB looks for the same username as the received ARN in the $external database and grants privileges to access Percona Server for MongoDB as defined for the respective user.

    See also

    • AWS documentation:

      • AWS Identity and Access Management
      • Temporary security credentials in IAM
      • Authenticating Requests (AWS Signature Version 4)
    • MongoDB documentation: Set Up Passwordless Authentication with AWS IAM

    Configuration¶

    For how to configure AWS IAM authentication, see Setting up AWS IAM authentication.

    Contact Us

    For free technical help, visit the Percona Community Forum.

    To report bugs or submit feature requests, open a JIRA ticket.

    For paid support and managed or consulting services , contact Percona Sales.


    Last update: March 16, 2023
    Created: March 16, 2023
    Percona LLC and/or its affiliates, © 2023
    Made with Material for MkDocs

    Cookie consent

    We use cookies to recognize your repeated visits and preferences, as well as to measure the effectiveness of our documentation and whether users find what they're searching for. With your consent, you're helping us to make our documentation better.