feat(NODE-7046)!: remove AWS uri/options support #4689
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
durran
changed the title
4 tasks
dariakp
added
the
Primary Review
dariakp
requested changes
Oct 1, 2025
durran
changed the title
dariakp
requested changes
Oct 8, 2025
|
|
||
| // Get the URI for the cluster then set AWS_ACCESS_KEY_ID as the username in the | ||
| // URI and AWS_SECRET_ACCESS_KEY as the password, then set the appropriate auth | ||
| // options. Note that MongoClient now auto-connects so no need to store the connect() |
There was a problem hiding this comment.
I think we need to update the text in the comments to talk about doing this via env vars instead
| const { username, password } = mongoOptions.credentials; | ||
| if (username || password) { | ||
| throw new MongoAPIError( | ||
| 'username and password cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK' |
There was a problem hiding this comment.
Suggested change
| 'username and password cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK' | |
| 'username and password cannot be provided directly when using MONGODB-AWS. Credentials must be read via the AWS SDK' |
| } | ||
| if (mongoOptions.credentials.mechanismProperties.AWS_SESSION_TOKEN) { | ||
| throw new MongoAPIError( | ||
| 'AWS_SESSION_TOKEN cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK' |
There was a problem hiding this comment.
Suggested change
| 'AWS_SESSION_TOKEN cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK' | |
| 'AWS_SESSION_TOKEN cannot be provided directly when using MONGODB-AWS. Credentials must be read via the AWS SDK' |
| . ./activate-authawsvenv.sh | ||
| # Source the environment variables. Configure the environment and the server. | ||
| . aws_setup.sh $AWS_CREDENTIAL_TYPE | ||
| . aws_setup.sh --nouri $AWS_CREDENTIAL_TYPE |
dariakp
requested changes
Oct 8, 2025
| import { loadSpecTests } from '../../spec'; | ||
| import { executeUriValidationTest } from '../../tools/uri_spec_runner'; | ||
|
|
||
| const SKIP = [ |
There was a problem hiding this comment.
I don't have a good file to comment on, but I was looking for changes to the prose tests, and noticed that our prose tests don't follow the convention, but the relevant tests for this are in mongodb_aws.test.ts, where I think we can delete the Case 1 block. Can we move the prose tests from that file to mongodb_aws.prose.test?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Removes the ability to provide credentials when using MONGODB-AWS authentication.
Summary of Changes
Notes for Reviewers
I made AWS_SESSION_TOKEN internal instead of removing it completely as we still use that object and property internally when fetching credentials.
What is the motivation for this change?
NODE-7046/DRIVERS-3131
Release Highlight
Explicitly Provided Credentials No Longer Accepted With MONGODB-AWS Authentication
AWS environments (such as AWS Lambda) do not have credentials that are permanent and expire within a set amount of time. Providing credentials in the URI or options would mandate that those credentials would be valid for the life of the
MongoClient, which is problematic. With this change, the installed required AWS SDK will now fetch credentials using the environment, endpoints, or a custom credential provider.This means that for AWS authentication, all client URIs MUST now be specified as:
Double check the following
npm run check:lint)type(NODE-xxxx)[!]: descriptionfeat(NODE-1234)!: rewriting everything in coffeescript