MongoAtlas AWS IAM Role Authentication

I am setting up a deployment for my company's API server and it fails to connect to MongoAtlas via IAM role.

What I've done:

  1. Set up an IAM Role on AWS (APIServer)
  2. Set up a Database User on Atlas with the role (arn:aws:iam::< my aws acc id >:role/APIServer)
  3. Configure a launch template and an auto scaling group, launching Amazon Linux EC2 instances with the role
  4. Have my NodeJS application connect to my Atlas with the following settings:

| key | value |
|---|---|
| URL | `mongodb+srv://dev.< cluster >.mongodb.net/< DB >` |
| authSource | `'$external'` |
| authMechanism | `'MONGODB-AWS'` |

I ended up receiving the following error message:

MongoServerError: bad auth : user arn:aws:sts::<my aws acc id>:assumed-role/APIServer/* is not found

Note: the info enclosed in <> is intentionally replaced; I have already found several solutions pointing out having <> as part of the password, which is not my case here.



Solution 1:

I have the same problem; the only solution I found until now is to create an AWS IAM user (not a role, so you can generate security credentials), set up that user on Atlas and put the security credentials of the user in a .env file in your Node application. In this way MongoDB will automatically retrieve that user and it works because you are not assuming a role, so the ARN is correct. This is still not a good solution to me, because I do not want to manage those keys. The best thing you can do is probably storing those credentials in AWS Secrets Manager, give the EC2 role the permission to retrieve that secret, and when you start the instance with a script you can automatically retrieve the secret and create the .env file. (Still a disappointing solution to me.)


Edit: As I self-answered in this post: AWS EC2 connection to MongoDB Atlas failing, could not find user

The solution for me was to change the scope of the Atlas user.
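As an added example (not code from the question or the answer above), the following Node.js snippet shows the driver configuration the question describes, with no username or password in the URI, `authSource: '$external'` and `authMechanism: 'MONGODB-AWS'`, so that the driver falls back to the EC2 instance role when no `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` are set in the environment. It also includes a small check that relates the principal ARN reported in the `bad auth : user ... is not found` error (an STS `assumed-role` ARN) to the IAM role ARN an Atlas database user is created with, which is worth ruling out before looking at the user's scope, as the edit above did. The cluster host, account id and role name are placeholders; `connectWithInstanceRole` assumes the `mongodb` npm package is installed and a reachable cluster, so only the pure helpers are exercised offline.

```javascript
// Added example, not from the original post. Placeholders: cluster host,
// 12-digit account id and role name are constructed values.

// Driver options for the setup in the question. The URI carries no
// credentials; MONGODB-AWS makes the driver use the AWS credential chain
// (URI/env keys first, then the EC2/ECS metadata provider, i.e. the role).
function buildAtlasAwsConfig(clusterHost, dbName) {
  return {
    uri: `mongodb+srv://${clusterHost}/${dbName}`,
    options: {
      authSource: "$external",
      authMechanism: "MONGODB-AWS",
    },
  };
}

// Credentials obtained by assuming a role identify the caller as
// arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION (this is what the error
// shows), whereas the Atlas user is defined with arn:aws:iam::ACCOUNT:role/ROLE.
// Map the first form onto the second so the two can be compared.
function assumedRoleToRoleArn(stsArn) {
  const m = /^arn:aws:sts::(\d{12}):assumed-role\/([^/]+)\/.+$/.exec(stsArn);
  if (!m) return null; // not an assumed-role principal (e.g. an IAM user ARN)
  return `arn:aws:iam::${m[1]}:role/${m[2]}`;
}

// Extract the principal ARN from the driver's "bad auth" message.
function principalFromBadAuth(message) {
  const m = /user (arn:aws:[^ ]+) is not found/.exec(message);
  return m ? m[1] : null;
}

// True when the rejected principal and the ARN configured on the Atlas
// database user refer to the same IAM role (or the same IAM user).
function atlasUserMatchesPrincipal(errorMessage, atlasUserArn) {
  const principal = principalFromBadAuth(errorMessage);
  if (!principal) return false;
  const roleArn = assumedRoleToRoleArn(principal) || principal;
  return roleArn === atlasUserArn;
}

// Connect from an EC2 instance using its instance role and ping the database.
// On a "bad auth" failure, log the principal Atlas saw and the role ARN the
// Atlas user would need to be created with. Requires the `mongodb` package,
// loaded lazily so the helpers above work without it.
async function connectWithInstanceRole(clusterHost, dbName) {
  const { MongoClient } = require("mongodb");
  const { uri, options } = buildAtlasAwsConfig(clusterHost, dbName);
  const client = new MongoClient(uri, options);
  try {
    await client.connect();
    return await client.db(dbName).command({ ping: 1 });
  } catch (err) {
    const principal = principalFromBadAuth(String(err.message));
    if (principal) {
      const expected = assumedRoleToRoleArn(principal) || principal;
      console.error(`Atlas rejected principal ${principal}; the Atlas user must be ${expected}`);
    }
    throw err;
  } finally {
    await client.close();
  }
}
```

Usage on the instance would be `connectWithInstanceRole("dev.<cluster>.mongodb.net", "<DB>")` with no AWS keys in the environment; if the Atlas user's ARN already equals the mapped role ARN and the error persists, the user's scope (which clusters the database user is allowed to access) is the next thing to check, per the answer's edit.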

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow