Get auth credentials through env variables using AWS SDK

JamieTsai1024 · JamieTsai1024 · commit 3d78f80e9621 · 2025-07-23T13:58:50.000-04:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -46,7 +46,7 @@ aws-auth = ["dep:reqwest"]
 
 # Enable support AWS SDK for authentication.
 # This can only be used with the tokio-runtime and aws-auth feature flags.
-aws-sdk-auth = ["dep:reqwest"]
+aws-sdk-auth = ["dep:reqwest", "aws-config"]
 
 # Enable support for on-demand Azure KMS credentials.
 # This can only be used with the tokio-runtime feature flag.
@@ -124,10 +124,20 @@ webpki-roots = "0.26"
 zstd = { version = "0.11.2", optional = true }
 macro_magic = "0.5.1"
 rustversion = "1.0.20"
-aws-config = { version = "1.1.7", features = ["behavior-version-latest"] }
 aws-credential-types = "1.2.4"
 aws-types = "1.3.7"
 
+[dependencies.aws-config]
+version = "1.8.2"
+optional = true
+default-features = false
+features = [
+    "behavior-version-latest",
+    "sso",
+    "default-https-client",
+    "rt-tokio"
+]
+
 [dependencies.bson2]
 git = "https://github.com/mongodb/bson-rust"
 branch = "2.15.x"
diff --git a/src/client/auth/aws.rs b/src/client/auth/aws.rs
@@ -1,9 +1,9 @@
 use std::{fs::File, io::Read, time::Duration};
 
 // Note: Uncomment the following lines for AWS SDK for authentication
-// use aws_config::BehaviorVersion;
-// use aws_credential_types::provider::ProvideCredentials;
-// use aws_types::sdk_config::SharedCredentialsProvider;
+use aws_config::BehaviorVersion;
+use aws_credential_types::provider::ProvideCredentials;
+use aws_types::sdk_config::SharedCredentialsProvider;
 use chrono::{offset::Utc, DateTime};
 use hmac::Hmac;
 use once_cell::sync::Lazy;
@@ -111,29 +111,21 @@ async fn authenticate_stream_inner(
         )
     } else {
         // If credentials are not provided in the URI, use the AWS SDK to load
-        // Note: Untested but compiles
-        // let creds = aws_config::load_defaults(BehaviorVersion::latest())
-        //     .await
-        //     .credentials_provider()
-        //     .expect("no credential provider configured")
-        //     .provide_credentials()
-        //     .await
-        //     .map_err(|e| {
-        //         Error::authentication_error(MECH_NAME, &format!("failed to get creds: {e}"))
-        //     })?;
-        // AwsCredential::from_sdk_creds(
-        //     creds.access_key_id().to_string(),
-        //     creds.secret_access_key().to_string(),
-        //     creds.session_token().map(|s| s.to_string()),
-        //     None,
-        // )
-
-        // For now, throw an error
-        return Err(Error::authentication_error(
-            MECH_NAME,
-            "Credentials must be provided in the MongoDB URI - methods supported by the AWS SDK \
-             are not yet tested",
-        ));
+        let creds = aws_config::load_defaults(BehaviorVersion::latest())
+            .await
+            .credentials_provider()
+            .expect("no credential provider configured")
+            .provide_credentials()
+            .await
+            .map_err(|e| {
+                Error::authentication_error(MECH_NAME, &format!("failed to get creds: {e}"))
+            })?;
+        AwsCredential::from_sdk_creds(
+            creds.access_key_id().to_string(),
+            creds.secret_access_key().to_string(),
+            creds.session_token().map(|s| s.to_string()),
+            None,
+        )
     };
     #[cfg(not(feature = "aws-sdk-auth"))]
     let aws_credential = {
