File tree Expand file tree Collapse file tree 2 files changed +18
-12
lines changed Expand file tree Collapse file tree 2 files changed +18
-12
lines changed Original file line number Diff line number Diff line change @@ -959,6 +959,10 @@ Examples are provided below.
959959
960960 Drivers MUST allow the user to specify an AWS session token for authentication with temporary credentials.
961961
962+ - AWS_CREDENTIAL_PROVIDER
963+
964+ Drivers MAY allow the user to specify a custom credential provider object or function.
965+
962966#### Obtaining Credentials
963967
964968Drivers will need AWS IAM credentials (an access key, a secret access key and optionally a session token) to complete
@@ -1005,9 +1009,9 @@ Drivers MAY expose API for default providers for the following scenarios when ap
10051009
10061010The order in which Drivers MUST search for credentials is:
10071011
1008- 1. The URI
1009- 2. Environment variables
1010- 3. A custom AWS credential provider if the driver supports it.
1012+ 1. A custom AWS credential provider if the driver supports it.
1013+ 2. The URI
1014+ 3. Environment variables
101110154. Using ` AssumeRoleWithWebIdentity` if ` AWS_WEB_IDENTITY_TOKEN_FILE` ` AWS_ROLE_ARN`
101210165. The ECS endpoint if ` AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` set . Otherwise , the EC2 endpoint.
10131017
Original file line number Diff line number Diff line change @@ -21,15 +21,17 @@ SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
2121Token=AQoDYXdzEJr...<remainder of security token>
2222```
2323
24- If the driver supports user provided custom AWS credential providers, then the driver MUST also test the above scenarios
25- 2-6 with a user provided ` AWS_CREDENTIAL_PROVIDER ` auth mechanism property. This value MUST be the default credential
26- provider from the AWS SDK. If the default provider does not cover all scenarios above, those not covered MAY be skipped.
27- In these tests the driver MUST also assert that the user provided credential provider was called at least once in each
28- test.
29-
30- If the driver supports a custom AWS credential provider, it MUST verify the custom provider was used when testing. This
31- may be via a custom function or object that wraps the calls to the custom provider and asserts that it was called at
32- least once.
24+ ## Testing custom credential providers
25+
26+ If the driver supports custom AWS credential providers, the driver MUST test the following:
27+
28+ Scenarios 1-6 from the previous section with a user provided ` AWS_CREDENTIAL_PROVIDER ` auth mechanism property. This
29+ value MAY be the default credential provider from the AWS SDK. If the default provider does not cover all scenarios
30+ above, those not covered MAY be skipped. In these tests the driver MUST also assert that the user provided credential
31+ provider was called in each test. This may be via a custom function or object that wraps the calls to the custom
32+ provider and asserts that it was called at least once. For test scenarios where the drivers tools scripts put the
33+ credentials in the MONGODB_URI, drivers MAY extract the credentials from the URI and return the AWS credentials directly
34+ from the custom provider instead of using the AWS SDK default provider.
3335
3436## Regular credentials
3537
You can’t perform that action at this time.
0 commit comments