How to connect from AWS lambda function to mongo atlas by using an IAM role which is passwordless?

Can someone please explain the process in detail.


Hi @Jalaj_Kumar, thanks for posting to the Community Forums.

Have you checked out this thread which poses a similar question and solution?


@Pavel_Duchovny Why do we need to create a user and supply its key and secret access key when there’s an alternative to directly connect with the AWS resource execution role, like the IAM role of the lambda function? The video https://www.youtube.com/watch?v=99iV9lCctrU clearly explains this process should be passwordless and no credentials should be sent over to connect.

As I understand it, there are 2 types: one is user/password, like using the access key and secret key.

And another one is by having the driver issue a kind of temp creds from the AWS API, but I haven’t watched the presentation in full and I am not a big expert with IAM auth…

Thanks. Is there someone who can help with this?

Hi @Jalaj_Kumar,

If you’re connecting to a MongoDB Atlas cluster from your local machine, you will need to supply IAM credentials to the command line.

However, if you’re connecting to an Atlas cluster from AWS Lambda, Lambda will automatically retrieve temporary IAM credentials for you and make them accessible via environment variables (https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime).

The three environment variables that your code will need are AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. The secret access key will never be sent to Atlas or persisted by the driver (see the video for more details).

For example, the Atlas UI will publish an AWS IAM connection string that looks like this:

mongodb+srv://<AWS access key>:<AWS secret key>@my-cluster.8xebk.mongodb.net/myFirstDatabase?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority&authMechanismProperties=AWS_SESSION_TOKEN:<session token (for AWS IAM Roles)>

If you’re using Node.js on Lambda, you could then fill in the placeholders like this:

const uri = `mongodb+srv://${encodeURIComponent(process.env.AWS_ACCESS_KEY_ID)}:${encodeURIComponent(process.env.AWS_SECRET_ACCESS_KEY)}@my-cluster.8xebk.mongodb.net/myFirstDatabase?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority&authMechanismProperties=AWS_SESSION_TOKEN:${encodeURIComponent(process.env.AWS_SESSION_TOKEN)}`;

Note that in order for this to work, you will need to have configured a database user (https://docs.atlas.mongodb.com/security-add-mongodb-users/) for AWS IAM Authentication, selecting “IAM role” from the “AWS IAM Type” drop-down menu.

If you have additional questions or run into any problems, please let us know.

Angela@MongoDB

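A fuller version of the Node.js snippet in the reply above, added here as an example and not part of Angela's post: it checks that all three Lambda credential variables are present before building the MONGODB-AWS URI, URL-encodes them (secret keys and session tokens contain `/`, `+` and `=`), redacts the URI for logging, and caches one MongoClient across warm invocations. The host and database come from the sample URI; the `items` collection name and the 5 s server-selection timeout are assumptions.

```javascript
// Added example, not from the thread. Host and database come from the sample
// URI in the reply above; the "items" collection and the 5 s timeout are assumptions.
const ATLAS_HOST = "my-cluster.8xebk.mongodb.net";
const DATABASE = "myFirstDatabase";
const REQUIRED = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"];

// Pure function: returns the URI, or throws if a credential is absent (e.g. when
// run outside Lambda). Values are URL-encoded because secret keys and session
// tokens contain '/', '+' and '='.
function buildAwsIamUri(env, host = ATLAS_HOST, database = DATABASE) {
  const missing = REQUIRED.filter((k) => !env[k]);
  if (missing.length > 0) {
    throw new Error(`Missing Lambda credential env vars: ${missing.join(", ")}`);
  }
  const enc = encodeURIComponent;
  return (
    `mongodb+srv://${enc(env.AWS_ACCESS_KEY_ID)}:${enc(env.AWS_SECRET_ACCESS_KEY)}` +
    `@${host}/${database}?authSource=%24external&authMechanism=MONGODB-AWS` +
    `&retryWrites=true&w=majority` +
    `&authMechanismProperties=AWS_SESSION_TOKEN:${enc(env.AWS_SESSION_TOKEN)}`
  );
}

// Strip the secret key and session token before a URI reaches any log line.
function redactUri(uri) {
  return uri
    .replace(/\/\/([^:]+):[^@]+@/, "//$1:<redacted>@")
    .replace(/AWS_SESSION_TOKEN:[^&]+/, "AWS_SESSION_TOKEN:<redacted>");
}

let cachedClient = null;
// Module scope survives between warm invocations, so the client is created once.
// A short server-selection timeout makes an IP access list or VPC problem
// surface quickly instead of hanging until the function's own timeout.
async function getClient() {
  if (cachedClient === null) {
    const { MongoClient } = require("mongodb"); // official Node driver, loaded lazily
    cachedClient = new MongoClient(buildAwsIamUri(process.env), { serverSelectionTimeoutMS: 5000 });
    await cachedClient.connect();
  }
  return cachedClient;
}

async function handler() {
  const client = await getClient();
  const count = await client.db(DATABASE).collection("items").countDocuments();
  return { statusCode: 200, body: JSON.stringify({ count }) };
}

module.exports = { buildAwsIamUri, redactUri, getClient, handler };
```

Run outside Lambda, `buildAwsIamUri(process.env)` throws instead of silently connecting with empty credentials, which matches the point above that on a local machine you must supply IAM credentials yourself.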

Hi @Angela_Shulman

Thanks for the explanation. I tried using the below connection string from the Lambda function and am receiving a timeout.

I also have the Lambda execution role ARN added as a database user in my cluster.

const MONGODB_URI = `mongodb+srv://${encodeURIComponent(process.env.AWS_ACCESS_KEY_ID)}:${encodeURIComponent(process.env.AWS_SECRET_ACCESS_KEY)}@cluster/database?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority&authMechanismProperties=AWS_SESSION_TOKEN:${encodeURIComponent(process.env.AWS_SESSION_TOKEN)}`;

Hi @Jalaj_Kumar,

Can you ensure that you have allowed IP access (https://docs.atlas.mongodb.com/security/ip-access-list/) and that there are no network connectivity issues?

If you still have problems please create an in-app support chat session or open a support case (https://docs.atlas.mongodb.com/support/) so that we can help you with specifics in the context of your Atlas cluster and project. Please link to this forum topic and feel free to ask for me.

Kind regards,
Angela@MongoDB
