feat(DRIVERS-2983): use custom aws configuration

durran · durran · commit 51081d5d0f07 · 2025-01-29T15:07:58.000+01:00
diff --git a/source/auth/auth.md b/source/auth/auth.md
@@ -987,6 +987,22 @@ those credentials will be used by default if AWS auth environment variables are
 application. Alternatively, you can create an AWS profile specifically for your MongoDB credentials and set the
 `AWS_PROFILE` environment variable to that profile name."
 
+##### Custom Credential Providers
+
+Drivers that choose you use the AWS SDK to fetch credentials MAY also allow users to provide a custom credential provider
+as an option to the `MongoClient`. The interface for the option provided depends on the individual language SDK and
+drivers MUST consult AWS SDK documentation to determine that format when implementing. The name of the option MUST be
+`AWS_CREDENTIAL_PROVIDER` and be part of the authentication mechanism properties options that can be provided to the
+client.
+
+Drivers that implement this MAY choose to implement the following scenarios when applicable in their labguage's SDK:
+
+1. The default SDK credential provider.
+2. A custom credential provider chain.
+3. A single credential provider of any available SDK options provided by the SDK.
+
+##### Credential Fetching Order
+
 The order in which Drivers MUST search for credentials is:
 
 1. The URI
@@ -1306,6 +1322,10 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
         check MUST be performed after SRV record resolution, if applicable. This property is only required for drivers
         that support the [Human Authentication Flow](#human-authentication-flow).
 
+    - AWS_CREDENTIAL_PROVIDER
+
+        A function or object from the AWS SDK that can be used to return AWS credentials.
+
 <span id="built-in-provider-integrations"/>
 
 #### Built-in OIDC Environment Integrations
@@ -2134,6 +2154,8 @@ practice to avoid this. (See
 
 ## Changelog
 
+- 2025-01-29: Add support for custom AWS credential providers.
+
 - 2024-10-02: Add Kubernetes built-in OIDC provider integration.
 
 - 2024-08-19: Clarify Reauthentication and Speculative Authentication combination behavior.
diff --git a/source/auth/tests/mongodb-aws.md b/source/auth/tests/mongodb-aws.md
@@ -21,6 +21,11 @@ SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 Token=AQoDYXdzEJr...<remainder of security token>
 ```
 
+If the driver supports user provided custom AWS credential providers, then the driver MUST also test the above
+scenarios 2-6 with a user provided `AWS_CREDENTIAL_PROVIDER` auth mechanism property. This value MUST be the default
+credential provider from the AWS SDK. If the default provider does not cover all scenarios above, those not
+convered MAY be skipped.
+
 ## Regular credentials
 
 Drivers MUST be able to authenticate by providing a valid access key id and secret access key pair as the username and
