Skip to content

Commit f3fc409

Browse files
blink1073blink1073
authored
PYTHON-3474 Document changes to AWS Credential Handling (#1077)
1 parent df77653 commit f3fc409

File tree

2 files changed

+17
-6
lines changed

2 files changed

+17
-6
lines changed

doc/changelog.rst

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,10 @@ PyMongo 4.3 brings a number of improvements including:
2929
- PyMongo now internally caches AWS credentials that it fetches from AWS
3030
endpoints, to avoid rate limitations. The cache is cleared when the
3131
credentials expire or an error is encountered.
32+
- When using the ``MONGODB-AWS`` authentication mechanism with the
33+
``aws`` extra, the behavior of credential fetching has changed with
34+
``pymongo_auth_aws>=1.1.0``. Please see :doc:`examples/authentication` for
35+
more information.
3236

3337
Bug fixes
3438
.........

doc/examples/authentication.rst

Lines changed: 13 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -264,16 +264,23 @@ security (or session) token.
264264

265265
Credentials can be configured through the MongoDB URI, environment variables,
266266
or the local EC2 or ECS endpoint. The order in which the client searches for
267-
credentials is:
268-
269-
#. Credentials passed through the URI
270-
#. Environment variables
271-
#. ECS endpoint if and only if ``AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`` is set.
272-
#. EC2 endpoint
267+
`credentials`_ is the same as the one used by the AWS ``boto3`` library
268+
when using ``pymongo_auth_aws>=1.1.0``.
269+
270+
Because we are now using ``boto3`` to handle credentials, the order and
271+
locations of credentials are slightly different from previous versions.
272+
Particularly, if you have a shared AWS credentials or config file,
273+
then those credentials will be used by default if AWS auth environment
274+
variables are not set. To override this behavior, set ``AWS_PROFILE=""`` in
275+
your shell or add ``os.environ["AWS_PROFILE"] = ""`` to your script or
276+
application. Alternatively, you can create an AWS profile specifically for
277+
your MongoDB credentials and set ``AWS_PROFILE`` to that profile name.
273278

274279
MONGODB-AWS authenticates against the "$external" virtual database, so none of
275280
the URIs in this section need to include the ``authSource`` URI option.
276281

282+
.. _credentials: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html
283+
277284
AWS IAM credentials
278285
~~~~~~~~~~~~~~~~~~~
279286

0 commit comments

Comments
 (0)