AWS Database Blog

Use IAM authentication with HAQM DocumentDB (with MongoDB compatibility)

HAQM DocumentDB (with MongoDB compatibility) is a fully managed native JSON document database that makes it straightforward and cost-effective to operate critical document workloads at virtually any scale without managing infrastructure. You can use the same application code, written with MongoDB API (versions 3.6, 4.0, and 5.0) compatible drivers and tools, to run, manage, and scale workloads on HAQM DocumentDB without worrying about the underlying infrastructure. As a document database, HAQM DocumentDB makes it straightforward to store, query, and index JSON data.

AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS.

HAQM DocumentDB now supports authentication of database users using IAM – users and applications can authenticate to HAQM DocumentDB clusters using IAM users and roles. HAQM DocumentDB IAM authentication is a password-less authentication method; user passwords are not stored in an HAQM DocumentDB cluster and client applications don’t have to configure and maintain the password secrets when connecting to an HAQM DocumentDB cluster. This feature does not incur any additional charge and is available in HAQM DocumentDB instance-based cluster version 5.0.

In this post, we discuss this new feature and provide you resources on how to enable IAM authentication in your HAQM DocumentDB cluster.

You can benefit from this new feature in one or more of the following use cases:

  • Have a consistent authentication mechanism for other services you might be using in the AWS ecosystem
  • Centralize authentication using IAM and remove your dependency on user name and password pairs
  • Streamline access management for applications and users by reusing existing IAM credentials for authorization
  • Simplify your application development with AWS Lambda and HAQM Elastic Compute Cloud (HAQM EC2) applications by being able to use IAM to authenticate to HAQM DocumentDB instead of user name and password pairs
  • Align with MongoDB authentication mechanisms, providing ease of migration

Solution overview

In our example use case, an application is running on HAQM Elastic Container Service (HAQM ECS) and needs to store media files on HAQM Simple Storage Service (HAQM S3) and customer data on HAQM DocumentDB. Before the launch of IAM authentication integration for HAQM DocumentDB, the application code would use two separate authentication mechanisms: IAM for HAQM S3 and a user name and password pair managed by AWS Secrets Manager.

The following diagram shows the architecture highlighting the authentication mechanisms prior to the launch of IAM integration for HAQM DocumentDB.

DocumentDB authentication before IAM

With the launch of IAM authentication support for DocumentDB, the application code uses IAM as a unified authentication mechanism for both HAQM S3 and HAQM DocumentDB.

The following diagram shows the architecture highlighting the authentication mechanisms after the launch of IAM integration for HAQM DocumentDB.

DocumentDB authentication after IAM

This solution offers the following features:

  • You can still use the user name and password authentication. The admin user that needs to be created at the time of cluster creation can only be created with the user name and password mechanism.
  • You can also choose to use both password-based and IAM authentication to authenticate users and applications to an HAQM DocumentDB cluster.
  • Authorization is still managed at the database level.

Enable IAM authentication in your cluster

For instructions to enable IAM authentication, refer to Authentication using IAM identity.

For samples, refer to the following GitHub repositories:

After you create the user and associate it with HAQM DocumentDB, you can assign roles and enforce least privilege with role-based access control.

Application changes required

Drivers that support HAQM DocumentDB 5.0 and the MONGODB-AWS authentication mechanism should work with the IAM authentication implementation in HAQM DocumentDB, with the exception of the NodeJS driver. For more details, refer to Supported IAM drivers.

The only changes required are in the HAQM DocumentDB connection URL. The two important parameters to add are the following:

  • authSource=$external
  • authMechanism=MONGODB-AWS
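As an added example (not code from the post or from AWS), the following standard-library Python builds a password-less connection URI carrying the two parameters above and checks an arbitrary URI for the mistakes that keep a client on the password path. The cluster hostname is a constructed placeholder, and the `tls=true`, `retryWrites=false` and `replicaSet=rs0` values are the usual HAQM DocumentDB client settings, not something this post specifies.

```python
"""Build and sanity-check a DocumentDB connection URI for IAM (MONGODB-AWS) auth."""
from urllib.parse import parse_qs, urlencode, urlsplit

# The two parameters the post requires for password-less IAM authentication.
IAM_AUTH_PARAMS = {"authSource": "$external", "authMechanism": "MONGODB-AWS"}

# Assumed DocumentDB client conventions (from the DocumentDB docs, not this post):
# TLS on, retryable writes off (unsupported by DocumentDB), replica set name rs0.
DOCDB_DEFAULTS = {"tls": "true", "retryWrites": "false", "replicaSet": "rs0"}


def build_iam_uri(host: str, port: int = 27017) -> str:
    """Return a mongodb:// URI with no embedded username or password."""
    params = {**DOCDB_DEFAULTS, **IAM_AUTH_PARAMS}
    # safe="$" keeps "$external" readable instead of encoding it as "%24external".
    return f"mongodb://{host}:{port}/?{urlencode(params, safe='$')}"


def check_iam_uri(uri: str) -> list[str]:
    """Return a list of problems; an empty list means the URI is set up for IAM auth."""
    problems: list[str] = []
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    # IAM auth is password-less: user:password in the URI means a secret is still in play.
    if "@" in parts.netloc:
        problems.append("URI embeds user:password; IAM auth should carry none")
    # parse_qs percent-decodes, so "%24external" and "$external" compare equal.
    query = {key: values[-1] for key, values in parse_qs(parts.query).items()}
    for key, expected in IAM_AUTH_PARAMS.items():
        actual = query.get(key)
        if actual is None:
            problems.append(f"missing {key}={expected}")
        elif actual != expected:
            problems.append(f"{key} is {actual!r}, expected {expected!r}")
    # Credentials are exchanged in the MONGODB-AWS handshake, so the channel must be TLS.
    if query.get("tls", query.get("ssl", "false")).lower() != "true":
        problems.append("tls is not enabled")
    return problems


if __name__ == "__main__":
    # Constructed placeholder endpoint; replace with your cluster endpoint.
    uri = build_iam_uri("docdb-cluster.cluster-EXAMPLE.us-east-1.docdb.amazonaws.com")
    print(uri)
    print(check_iam_uri(uri))  # [] when the URI is IAM-ready
    print(check_iam_uri("mongodb://appuser:secret@docdb.example:27017/?tls=true&authSource=admin"))
```

The driver supplies the IAM credentials itself from the task role or environment; pymongo, for example, needs the `pymongo[aws]` extra installed before it will negotiate MONGODB-AWS.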

Conclusion

The new IAM authentication feature enables you to manage HAQM DocumentDB user authentication with the same mechanism you use for other AWS services, thereby simplifying AWS user management and aligning with your organization's security policies.

Try the new feature out, and let us know your feedback and questions in the comments section.


About the Authors

Sourav Biswas is a Senior HAQM DocumentDB Specialist Solutions Architect at AWS. He has been helping HAQM DocumentDB customers successfully adopt the service and implement best practices around it. Before joining AWS, he worked extensively as an application developer and solutions architect for various NoSQL vendors.

Vin Yu is a Principal Product Manager on the HAQM DocumentDB team at AWS. He is passionate about building products and working with developers to solve complex problems.