From 8dffc23f4129d44072a9b96548a1e8e5465e1255 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 13 Oct 2022 16:03:39 -0500 Subject: [PATCH] PYTHON-3474 Document changes to AWS Credential Handling --- doc/changelog.rst | 4 ++++ doc/examples/authentication.rst | 19 +++++++++++++------ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/doc/changelog.rst b/doc/changelog.rst index c11ac95888..279c535180 100644 --- a/doc/changelog.rst +++ b/doc/changelog.rst @@ -29,6 +29,10 @@ PyMongo 4.3 brings a number of improvements including: - PyMongo now internally caches AWS credentials that it fetches from AWS endpoints, to avoid rate limitations. The cache is cleared when the credentials expire or an error is encountered. +- When using the ``MONGODB-AWS`` authentication mechanism with the + ``aws`` extra, the behavior of credential fetching has changed with + ``pymongo_auth_aws>=1.1.0``. Please see :doc:`examples/authentication` for + more information. Bug fixes ......... diff --git a/doc/examples/authentication.rst b/doc/examples/authentication.rst index db2dbd3d1f..9512b23e4b 100644 --- a/doc/examples/authentication.rst +++ b/doc/examples/authentication.rst 
@@ -264,16 +264,23 @@ security (or session) token. Credentials can be configured through the MongoDB URI, environment variables, or the local EC2 or ECS endpoint. The order in which the client searches for -credentials is: - -#. Credentials passed through the URI -#. Environment variables -#. ECS endpoint if and only if ``AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`` is set. -#. EC2 endpoint +`credentials`_ is the same as the one used by the AWS ``boto3`` library +when using ``pymongo_auth_aws>=1.1.0``. + +Because we are now using ``boto3`` to handle credentials, the order and +locations of credentials are slightly different from previous versions. +Particularly, if you have a shared AWS credentials or config file, +then those credentials will be used by default if AWS auth environment +variables are not set. To override this behavior, set ``AWS_PROFILE=""`` in +your shell or add ``os.environ["AWS_PROFILE"] = ""`` to your script or +application. Alternatively, you can create an AWS profile specifically for +your MongoDB credentials and set ``AWS_PROFILE`` to that profile name. MONGODB-AWS authenticates against the "$external" virtual database, so none of the URIs in this section need to include the ``authSource`` URI option. +.. _credentials: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html + AWS IAM credentials ~~~~~~~~~~~~~~~~~~~
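Review bot: The new changelog bullet in doc/changelog.rst says credential fetching "has changed" with ``pymongo_auth_aws>=1.1.0`` but not how, and this is a change in which credentials the client picks up. Someone skimming the 4.3 notes before upgrading should see the consequence without following the link. Suggest adding one clause taken from the authentication page, for example that a shared AWS credentials or config file is now used by default when the AWS auth environment variables are not set. It would also help to say whether the bullet applies only when the ``aws`` extra resolves to ``pymongo_auth_aws>=1.1.0`` and that older versions keep the previous order.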
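Review bot: In the doc/examples/authentication.rst hunk, the explicit four-step search order (URI, environment variables, ECS endpoint, EC2 endpoint) is removed and replaced only by a link to the ``boto3`` guide, so the page no longer states whether credentials passed through the MongoDB URI still take precedence over everything else. Please say so explicitly, and consider keeping the old list under a "``pymongo_auth_aws<1.1.0``" label, since the new sentence applies only "when using ``pymongo_auth_aws>=1.1.0``". "Slightly different" also undersells the next sentence: a shared credentials or config file being used by default means a host that previously authenticated with its ECS or EC2 role may now authenticate as whatever identity is in that file, which deserves a ``.. note::`` or ``.. warning::`` directive. The ``AWS_PROFILE=""`` workaround should state which credential source is used once the profile is empty. Minor: the ``.. _credentials:`` target sits after the unrelated ``authSource`` paragraph; moving it next to the paragraph that references it would make it easier to find.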