Usage with MongoDB Compass
alxgrk opened this issue · comments
Hi there,
first, thanks for this tool - it's awesome.
I was wondering how I would use aws-vault with MongoDB Compass. MongoDB allows for "external authentication" via AWS IAM & Compass as a UI client generally allows that too. However, one has to specify either the Access Key ID and/or Secret Access Key/Session Token. See the following screenshot:
What would you recommend as a setup in this case?
Best regards,
Alex
none, and use aws-vault --server
Ok, thanks for your answer. Unfortunately, it turned out that MongoDB Compass is dumb in that regard - it doesn't check for the environment but simply takes the ACCESS_KEY, etc. as strings via configuration.
For me & especially since I wanted to use a specific role for authentication, the solution was to run aws-vault exec my-profile -- aws sts assume-role --role-arn=my-role-arn --role-session-name=my-role-session
& to open MongoDB Compass with the credentials baked in. This would look like the following, pasting it here in case anyone needs it:
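openMongoDbCompassWithRole() {
  # Assume the role using credentials supplied by aws-vault; stop if the call fails.
  local output AWS_SESSION_TOKEN ENCODED_TOKEN
  output=$(aws-vault exec my-profile -- aws sts assume-role --role-arn=my-role-arn --role-session-name=my-role-session) || return 1
  AWS_SESSION_TOKEN=$(printf '%s\n' "$output" | jq -r '.Credentials.SessionToken')
  # URL-encode the session token; it is passed as an argument, not spliced into the JS source.
  ENCODED_TOKEN=$(node -p 'encodeURIComponent(process.argv[1])' "$AWS_SESSION_TOKEN")
  # Start Compass in the background with the temporary credentials as arguments.
  /Applications/MongoDB\ Compass.app/Contents/MacOS/MongoDB\ Compass \
    --username="$(printf '%s\n' "$output" | jq -r '.Credentials.AccessKeyId')" \
    --password="$(printf '%s\n' "$output" | jq -r '.Credentials.SecretAccessKey')" \
    "mongodb+srv://my.mongodb.com/mydb?authMechanism=MONGODB-AWS&authSource=%24external&authMechanismProperties=AWS_SESSION_TOKEN%3A${ENCODED_TOKEN}" &
}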
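An added example, not part of the thread and not aws-vault or MongoDB code: the percent-encoding step done in plain POSIX shell instead of node, applied to all three credential parts. It generalizes the function above by carrying the key pair in the URI user-info instead of the `--username`/`--password` flags and by making the session token optional; the names `urlencode` and `mongodb_aws_uri` and the credential values are constructed for illustration.

```shell
#!/bin/sh
# Percent-encode every byte outside the RFC 3986 unreserved set.
# The body runs in a subshell, so its variables stay local.
urlencode() (
  LC_ALL=C
  s=$1
  out=''
  while [ -n "$s" ]; do
    rest=${s#?}        # everything after the first character
    c=${s%"$rest"}     # the first character itself
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
)

# Build a MONGODB-AWS connection string.
# Arguments: host, database, access key id, secret access key,
# and an optional session token (leave it out for long-term keys).
# The result contains the secret, so keep it out of logs and shell history.
mongodb_aws_uri() (
  host=$1 db=$2 key=$3 secret=$4 token=${5-}
  uri="mongodb+srv://$(urlencode "$key"):$(urlencode "$secret")@${host}/${db}"
  uri="${uri}?authMechanism=MONGODB-AWS&authSource=%24external"
  if [ -n "$token" ]; then
    uri="${uri}&authMechanismProperties=AWS_SESSION_TOKEN%3A$(urlencode "$token")"
  fi
  printf '%s\n' "$uri"
)

# Constructed sample values: '/', '+' and '=' occur in real secrets and tokens
# and would corrupt the URI if left unencoded.
mongodb_aws_uri my.mongodb.com mydb EXAMPLEKEYID 'abc/def+ghi=' 'tok+en/=='
```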
Does it work only with temporary credentials?