99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments

Usage with MongoDB Compass

alxgrk opened this issue · comments

Hi there,

first, thanks for this tool - it's awesome.

I was wondering how I would use aws-vault with MongoDB Compass. MongoDB allows for "external authentication" via AWS IAM & Compass as a UI client generally allows that too. However, one has to specify either the Access Key ID and/or Secret Access Key/Session Token. See the following screenshot:
[Screenshot 2023-08-24 at 20 57 24]

What would you recommend as a setup in this case?

Best regards,
Alex

none, and use aws-vault --server

Ok, thanks for your answer. Unfortunately, it turned out that MongoDB Compass is dumb in that regard - it doesn't check for the environment but simply takes the ACCESS_KEY, etc. as strings via configuration.

For me & especially since I wanted to use a specific role for authentication, the solution was to run aws-vault exec my-profile -- aws sts assume-role --role-arn=my-role-arn --role-session-name=my-role-session & to open MongoDB Compass with the credentials baked in. This would look like the following, pasting it here in case anyone needs it:

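openMongoDbCompassWithRole() {
  # Declare first, assign second: `local var=$(cmd)` would hide a failing aws-vault/aws call.
  local output AWS_SESSION_TOKEN ENCODED_TOKEN
  output=$(aws-vault exec my-profile -- aws sts assume-role --role-arn=my-role-arn --role-session-name=my-role-session) || return 1
  AWS_SESSION_TOKEN=$(printf '%s' "$output" | jq -r '.Credentials.SessionToken')
  # Hand the token to node as an argument rather than interpolating it into the JavaScript source.
  ENCODED_TOKEN=$(node -p 'encodeURIComponent(process.argv[1])' "$AWS_SESSION_TOKEN")
  # The temporary credentials are passed to Compass as command-line arguments.
  /Applications/MongoDB\ Compass.app/Contents/MacOS/MongoDB\ Compass \
    --username="$(printf '%s' "$output" | jq -r '.Credentials.AccessKeyId')" \
    --password="$(printf '%s' "$output" | jq -r '.Credentials.SecretAccessKey')" \
    "mongodb+srv://my.mongodb.com/mydb?authMechanism=MONGODB-AWS&authSource=%24external&authMechanismProperties=AWS_SESSION_TOKEN%3A${ENCODED_TOKEN}" &
}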
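
The encoding step in the function above, as an added example that is not part of the original comment or of aws-vault: it validates the `aws sts assume-role` JSON, builds the same connection string, and shows what happens to the session token if it is not percent-encoded. The helper names `buildCompassArgs` and `tokenAsParsed` are hypothetical, the credentials are constructed, and decoding the query with a WHATWG URL parser is an assumption about the client.

```javascript
'use strict';

// Takes the JSON printed by `aws sts assume-role` and returns the three
// values the shell function passes to Compass. Hypothetical helper.
function buildCompassArgs(stsJson, host, db, now = new Date()) {
  const creds = (JSON.parse(stsJson) || {}).Credentials;
  if (!creds) throw new Error('no Credentials object in STS output');
  for (const key of ['AccessKeyId', 'SecretAccessKey', 'SessionToken']) {
    if (typeof creds[key] !== 'string' || creds[key] === '') {
      throw new Error(`missing ${key} in STS output`);
    }
  }
  // Stop early on a stale or unparsable expiry instead of failing at login.
  const expiresAt = Date.parse(creds.Expiration);
  if (!(expiresAt > now.getTime())) throw new Error('credentials expired');

  // Session tokens are base64-like, so '+', '/' and '=' are percent-encoded;
  // the ':' separator is encoded too, matching the connection string above.
  const props = encodeURIComponent(`AWS_SESSION_TOKEN:${creds.SessionToken}`);
  const uri = `mongodb+srv://${host}/${db}?authMechanism=MONGODB-AWS` +
    `&authSource=${encodeURIComponent('$external')}` +
    `&authMechanismProperties=${props}`;
  return { username: creds.AccessKeyId, password: creds.SecretAccessKey, uri };
}

// The token as a WHATWG URL parser recovers it (assumption: the client
// decodes the query string this way).
function tokenAsParsed(uri) {
  const props = new URL(uri).searchParams.get('authMechanismProperties') || '';
  return props.slice(props.indexOf(':') + 1);
}

// Constructed sample, not real credentials.
const SAMPLE = JSON.stringify({
  Credentials: {
    AccessKeyId: 'EXAMPLE-ACCESS-KEY-ID',
    SecretAccessKey: 'constructed/secret+key',
    SessionToken: 'AbC+dEf/gHi==',
    Expiration: '2030-01-01T00:00:00+00:00',
  },
});

const demo = buildCompassArgs(SAMPLE, 'my.mongodb.com', 'mydb', new Date('2029-12-31T00:00:00Z'));
console.log(demo.uri);
console.log('encoded token round-trips:', tokenAsParsed(demo.uri));
console.log('raw "+" is decoded as a space:', tokenAsParsed(demo.uri.replace('AbC%2BdEf', 'AbC+dEf')));
```
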

Does it work only with temporary credentials?