
Commit e9ad2b0

author
Divjot Arora
authored
GODRIVER-1395 Add MONGODB-AWS auth examples (#365)
1 parent 202644f commit e9ad2b0


1 file changed

+95
-0
lines changed


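--- a/mongo/client_examples_test.go
+++ b/mongo/client_examples_test.go
@@ -219,3 +219,98 @@ func ExampleConnect_kerberos() {
 }
 _ = client
 }
+
+func ExampleConnect_aWS() {
+// Configure a Client with authentication using the MONGODB-AWS authentication mechanism. Credentials for this
+// mechanism can come from one of four sources:
+//
+// 1. AWS IAM credentials (an access key ID and a secret access key)
+//
+// 2. Temporary AWS IAM (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) credentials
+// obtained from an AWS Security Token Service (STS) Assume Role request
+// (https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
+//
+// 3. AWS Lambda environment variables
+// (https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime)
+//
+// 4. Temporary AWS IAM credentials assigned to an EC2 instance
+// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) or ECS task
+
+// The order in which the driver searches for credentials is:
+//
+// 1. Credentials passed through the URI
+// 2. Environment variables
+// 3. ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set
+// 4. EC2 endpoint
+//
+// The following examples set the appropriate credentials via the ClientOptions.SetAuth method. All of these
+// credentials can be specified via the ClientOptions.ApplyURI method as well. If using ApplyURI, both the
+// username and password must be URL encoded (see net.URL.QueryEscape()).
+
+// AWS IAM Credentials
+
+// Applications can authenticate using AWS IAM credentials by providing a valid access key ID and secret access key
+// pair as the username and password, respectively.
+var accessKeyID, secretAccessKey string
+awsCredential := options.Credential{
+AuthMechanism: "MONGODB-AWS",
+Username: accessKeyID,
+Password: secretAccessKey,
+}
+awsIAMClient, err := mongo.Connect(context.TODO(), options.Client().SetAuth(awsCredential))
+if err != nil {
+panic(err)
+}
+_ = awsIAMClient
+
+// AssumeRole
+
+// Applications can authenticate using temporary credentials returned from an assume role request. These temporary
+// credentials consist of an access key ID, a secret access key, and a security token.
+var sessionToken string
+assumeRoleCredential := options.Credential{
+AuthMechanism: "MONGODB-AWS",
+Username: accessKeyID,
+Password: secretAccessKey,
+AuthMechanismProperties: map[string]string{
+"AWS_SESSION_TOKEN": sessionToken,
+},
+}
+assumeRoleClient, err := mongo.Connect(context.TODO(), options.Client().SetAuth(assumeRoleCredential))
+if err != nil {
+panic(err)
+}
+_ = assumeRoleClient
+
+// AWS Lambda (Environment Variables)
+
+// When the username and password are not provided and the MONGODB-AWS mechanism is set, the client will fallback to
+// using the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN for the access
+// key ID, secret access key, and session token, respectively. These environment variables must not be URL encoded.
+
+// $ export AWS_ACCESS_KEY_ID=<accessKeyID>
+// $ export AWS_SECRET_ACCESS_KEY=<secretAccessKey>
+// $ export AWS_SESSION_TOKEN=<sessionToken>
+envVariablesCredential := options.Credential{
+AuthMechanism: "MONGODB-AWS",
+}
+envVariablesClient, err := mongo.Connect(context.TODO(), options.Client().SetAuth(envVariablesCredential))
+if err != nil {
+panic(err)
+}
+_ = envVariablesClient
+
+// ECS Container or EC2 Instance
+
+// Applications can authenticate from an ECS container or EC2 instance via temporary credentials assigned to the
+// machine. If using an ECS container, the "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" environment variable must be
+// set to a non-empty value. The driver will query the ECS or EC2 endpoint to obtain the relevant credentials.
+ecCredential := options.Credential{
+AuthMechanism: "MONGODB-AWS",
+}
+ecClient, err := mongo.Connect(context.TODO(), options.Client().SetAuth(ecCredential))
+if err != nil {
+panic(err)
+}
+_ = ecClient
+}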
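Review bot: The comment at new line 248 points readers to `net.URL.QueryEscape()`, which is not a Go identifier; the escaping function is `url.QueryEscape` in package `net/url`, so the line should read `// username and password must be URL encoded (see url.QueryEscape in net/url).` Since this is the line that tells users how to avoid a malformed or mis-parsed connection string when the secret access key contains characters such as `/` or `+`, it is worth getting the reference right. The surrounding text also names `ClientOptions.SetAuth` and `ClientOptions.ApplyURI`, so spelling the stdlib reference the same way keeps the example self-consistent. The lowercase-first suffix in `ExampleConnect_aWS` appears to be forced by the Go example-naming rule that a suffix after `_` must start with a lowercase letter; a short comment above the function saying so would spare the next reader from "fixing" it.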
