Commit 7fb8cf8

chore: comments
1 parent 922e3b1 commit 7fb8cf8

1 file changed

+23
-1
lines changed

source/auth/tests/mongodb-aws.md

Lines changed: 23 additions & 1 deletion
@@ -2,7 +2,7 @@
22

33
Drivers MUST test the following scenarios:
44

5-
1. `Regular Credentials`: Auth via an `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` pair
5+
1. `Regular Credentials`: Auth via an `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` pair
66
2. `EC2 Credentials`: Auth from an EC2 instance via temporary credentials assigned to the machine
77
3. `ECS Credentials`: Auth from an ECS instance via temporary credentials assigned to the task
88
4. `Assume Role`: Auth via temporary credentials obtained from an STS AssumeRole request
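
Review bot: Item 1 of the scenario list now names the pair with the environment-variable spellings `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, but the "Regular credentials" section later in this file describes the pair as something the user provides, beginning with the username. A reader can take the new wording to mean the pair is read from the environment, which is the setup Case 2 of this commit uses for a different test. Consider stating in item 1 where the pair is supplied, so it cannot be confused with environment-sourced credentials.
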
@@ -25,6 +25,8 @@ Token=AQoDYXdzEJr...<remainder of security token>
2525

2626
If the driver supports custom AWS credential providers, the driver MUST test the following:
2727

28+
### Custom Credential Provider Authenticates
29+
2830
Scenarios 1-6 from the previous section with a user provided `AWS_CREDENTIAL_PROVIDER` auth mechanism property. This
2931
credentials MAY be obtained from the default credential provider from the AWS SDK. If the default provider does not cover all scenarios
3032
above, those not covered MAY be skipped. In these tests the driver MUST also assert that the user provided credential
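
Review bot: The heading added at new line 28, `### Custom Credential Provider Authenticates`, is a verb phrase, while the sibling heading added later in this commit is a noun phrase (`Custom Credential Provider Authentication Precedence`); renaming it to something like "Custom Credential Provider Authentication" would keep the two parallel. While this paragraph is being touched, the context line directly below the heading reads "This credentials MAY be obtained" and should be "These credentials". It would also help to confirm that the introductory sentence "the driver MUST test the following:" is meant to govern both new subsections, since it now sits above the first heading rather than inside it.
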
@@ -33,6 +35,26 @@ provider and asserts that it was called at least once. For test scenarios where
3335
credentials in the MONGODB_URI, drivers MAY extract the credentials from the URI and return the AWS credentials directly
3436
from the custom provider instead of using the AWS SDK default provider.
3537

38+
### Custom Credential Provider Authentication Precedence
39+
40+
#### Case 1: Credentials in URI Take Precedence
41+
42+
Create a `MongoClient` configured with AWS auth and credentials in the URI. Example: `mongodb://<AccessKeyId>:<SecretAccessKey>@localhost:27017/?authMechanism=MONGODB-AWS`
43+
44+
Configure a custom credential provider to pass valid AWS credentials. The provider must track if it was called.
45+
46+
Expect authentication to succeed and the custom credential provider was *not* called.
47+
48+
#### Case 2: Custom Provider Takes Precedence Over Environment Variables
49+
50+
Run this test in an environment with AWS credentials configured as environment variables (e.g. `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`)
51+
52+
Create a `MongoClient` configured to use AWS auth. Example: `mongodb://localhost:27017/?authMechanism=MONGODB-AWS`.
53+
54+
Configure a custom credential provider to pass valid AWS credentials. The provider must track if it was called.
55+
56+
Expect authentication to succeed and the custom credential provider was called.
57+
3658
## Regular credentials
3759

3860
Drivers MUST be able to authenticate by providing a valid access key id and secret access key pair as the username and
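
Review bot: Case 2 does not prove precedence as written: with valid credentials in both the environment variables and the custom provider, "authentication to succeed and the custom credential provider was called" also passes for a driver that calls the provider and then authenticates with the environment values. Consider requiring the environment variables to hold credentials that cannot authenticate (or that differ from the provider's), so success shows the provider's credentials were the ones used. Case 1 has the mirror-image gap only if the URI credentials are not stated to be valid, so say so explicitly. Smaller points in the same hunk: "The provider must track if it was called" uses lowercase "must" in both cases where the rest of the document uses MUST/MAY, the sentence listing the environment variables in Case 2 has no closing period, and "Expect authentication to succeed and the custom credential provider was called" would read better as "Expect authentication to succeed and the custom credential provider to have been called".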
