Secure Your Data (original) (raw)

MongoDB supports multiple mechanisms that you can use to authenticate your application. This page contains code examples that demonstrate each of these mechanisms.

Tip

To use an authentication example from this page, copy the code example into thesample application or your own application. Be sure to replace all placeholders in the code examples, such as <hostname>, with the relevant values for your MongoDB deployment.

You can use the following sample application to test the code examples on this page. To use the sample application, perform the following steps:

  1. Ensure you have the C++ driver installed in a location from which your project can import it.
  2. Copy the following code and paste it into a new .cpp file within your project.
  3. Copy a code example from this page and paste it within the highlighted section of the file.

1

#include <bsoncxx/json.hpp>

2

3

#include <mongocxx/client.hpp>

4

#include <mongocxx/exception/exception.hpp>

5

#include <mongocxx/instance.hpp>

6

#include <mongocxx/uri.hpp>

7

8

#include <iostream>

9

10

int main()

11

{

12

    mongocxx::instance instance;

13

14

    try

15

    {

16

        // Start example code here

17

18

        // End example code here

19

20

        auto admin = client["admin"];

21

        admin.run_command(bsoncxx::from_json(R"({ "ping": 1 })"));

22

23

        std::cout << "Successfully pinged the MongoDB server." << std::endl;

24

    }

25

    catch (const mongocxx::exception &e)

26

    {

27

        std::cout << "An exception occurred: " << e.what() << std::endl;

28

        return EXIT_FAILURE;

29

    }

30

31

    return EXIT_SUCCESS;

32

}

The following code shows how to create a connection URI to authenticate by using the SCRAM-SHA-256 authentication mechanism:


auto uri = mongocxx::uri("mongodb://<db_username>:<db_password>@<hostname>:<port>/?"

                         "authSource=admin&authMechanism=SCRAM-SHA-256");

auto client = mongocxx::client(uri);

To learn more about SCRAM-SHA-256 authentication, see SCRAM-SHA-256 in the Authentication guide.

The following code shows how to create a connection URI to authenticate by using the SCRAM-SHA-1 authentication mechanism:


auto uri = mongocxx::uri("mongodb://<db_username>:<db_password>@<hostname>:<port>/?"

                         "authSource=admin&authMechanism=SCRAM-SHA-1");

auto client = mongocxx::client(uri);

To learn more about SCRAM-SHA-1 authentication, see SCRAM-SHA-1 in the Authentication guide.

The following code shows how to create a connection URI to authenticate by using the X.509 authentication mechanism:


auto uri = mongocxx::uri("mongodb://<hostname>:<port>/?"

                         "tls=true&tlsCertificateKeyFile=path/to/client.pem&authMechanism=MONGODB-X509");

auto client = mongocxx::client(uri);

To learn more about X.509 authentication, see MONGODB X.509 in the Authentication guide.

The following sections show how to connect to MongoDB by using the MONGODB-AWSauthentication mechanism. When you use the MONGODB-AWS mechanism, the C++ driver attempts to retrieve your AWS credentials from the following sources, in the order listed:

  1. Named parameters passed to the Connection URI
  2. Environment variables
  3. AWS EKS AssumeRoleWithWebIdentity request
  4. ECS container metadata
  5. EC2 instance metadata

Each section shows how to create the connection URI to authenticate withMONGODB-AWS when retrieving your AWS credentials from the specified source.

To learn more about authenticating with AWS, seeMONGODB-AWS in the Authentication guide.

The following code shows how to create a connection URI that includes AWS credentials to authenticate with MONGODB-AWS:


auto uri = mongocxx::uri("mongodb://<AWS IAM access key ID>:<AWS IAM secret access key>@<hostname>:<port>/?"

                         "authMechanism=MONGODB-AWS");

auto client = mongocxx::client(uri);

The following code shows how to create a connection URI to authenticate with MONGODB-AWS when obtaining credentials from environment variables. Ensure you have your environment variables specified before running this code.


auto uri = mongocxx::uri("mongodb://<hostname>:<port>/?"

                         "authMechanism=MONGODB-AWS");

auto client = mongocxx::client(uri);

To learn more about authenticating with AWS by using environment variables, see Environment Variables.

The following code shows how to create a connection URI to authenticate with MONGODB-AWS when obtaining credentials from anAssumeRoleWithWebIdentity request. Ensure that an AWS config file exists in your environment and is configured with the AWS_WEB_IDENTITY_TOKEN_FILEand AWS_ROLE_ARN environment variables.


auto uri = mongocxx::uri("mongodb://<hostname>:<port>/?"

                         "authMechanism=MONGODB-AWS");

auto client = mongocxx::client(uri);

To learn more about authenticating with AWS by using anAssumeRoleWithWebIdentity request, see AssumeRoleWithWebIdentity Request.

The following code shows how to create a connection URI to authenticate with MONGODB-AWS when obtaining credentials from ECS metadata. Ensure that you specify the URI of the ECS endpoint in an environment variable calledAWS_CONTAINER_CREDENTIALS_RELATIVE_URI.


auto uri = mongocxx::uri("mongodb://<hostname>:<port>/?"

                         "authMechanism=MONGODB-AWS");

auto client = mongocxx::client(uri);

To learn more about authenticating with AWS by using ECS metadata, see ECS Metadata.

The following code shows how to create a connection URI to authenticate with MONGODB-AWS when obtaining credentials from EC2 instance metadata. Ensure that you configure your EC2 instance with your temporary credentials.


auto uri = mongocxx::uri("mongodb://<hostname>:<port>/?"

                         "authMechanism=MONGODB-AWS");

auto client = mongocxx::client(uri);

To learn more about authenticating with AWS by using EC2 instance metadata, see EC2 Instance Metadata.

Note

MongoDB Enterprise Only

Kerberos authentication is available only in MongoDB Enterprise.

The following code shows how to create a connection URI to authenticate with Kerberos:


auto uri = mongocxx::uri("mongodb://<Kerberos principal>@<hostname>:<port>/?"

                         "authMechanism=GSSAPI"

                         "&authMechanismProperties=SERVICE_NAME:<authentication service name>");

auto client = mongocxx::client(uri);

To learn more about authenticating with Kerberos, seeKerberos in the Enterprise Authentication guide.

Note

MongoDB Enterprise Only

PLAIN SASL authentication is available only in MongoDB Enterprise.

The following code shows how to create a connection URI to authenticate with PLAIN SASL:


auto uri = mongocxx::uri("mongodb://<db_username>:<db_password>@<hostname>:<port>/?"

                         "authMechanism=PLAIN&tls=true");

auto client = mongocxx::client(uri);

To learn more about authenticating with PLAIN SASL, seePLAIN SASL in the Enterprise Authentication guide.