Problem Statement
I am currently attempting to establish a connection with MongoDB using the IAM Role as described here. The problem statement is that I am unsure of the process required to ensure the connection works from an AWS perspective using Lambda.
Background info
I've created an IAM Role using AWS SAM.
```yaml
MongoDBReadWriteAccess:
  Type: AWS::IAM::Role
  Properties:
    RoleName: MongoDBReadWriteAccess
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::<atlas aws account ID>:root
          Action: sts:AssumeRole
          Condition:
            StringEquals:
              sts:ExternalId: <external ID>
```
I attempt to retrieve the keys from the env variables in my application logic:
```python
import os

# In Lambda these variables hold the credentials of the function's execution role
aws_access_key_id = os.getenv("AWS_ACCESS_KEY_ID")
aws_secret_access_key = os.getenv("AWS_SECRET_ACCESS_KEY")
aws_session_token = os.getenv("AWS_SESSION_TOKEN")
```
I create the connection:
```python
from urllib.parse import quote_plus

# Temporary keys and session tokens contain '/', '+' and '=', so they must be URL-encoded
access_key_URI = quote_plus(aws_access_key_id)
secret_key_URI = quote_plus(aws_secret_access_key)
session_token_URI = quote_plus(aws_session_token)

url_connection = f"mongodb+srv://{access_key_URI}:{secret_key_URI}@{server_name}.ozmat.mongodb.net/?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority&authMechanismProperties=AWS_SESSION_TOKEN:{session_token_URI}"
```
However, the role that I created isn't the assumed role at execution time:
```text
OperationFailure: bad auth : user arn:aws:sts::<id>:assumed-role/<incorrect_role_name>/* is not found, full error: {'ok': 0, 'errmsg': 'bad auth : user arn:aws:sts::<id>:assumed-role/<incorrect_role_name> is not found', 'code': 8000, 'codeName': 'AtlasError'}
Traceback (most recent call last):
```
I've attempted to assign the role using SAM:
```yaml
StepPlanCRUD:
  Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
  Properties:
    PackageType: Image
    Architectures:
      - x86_64
    Role: !GetAtt MongoDBReadWriteAccess.Arn
```
but I get the following error on deploy:
```text
"The role defined for the function cannot be assumed by Lambda. (Service: Lambda, Status Code: 400, ...
```
Can somebody please detail the steps required in order to allow connectivity between Lambda and Atlas from an AWS perspective?
First, assign a policy to the Lambda function that allows it to assume the MongoDB Atlas role that you have created, e.g.:
```yaml
PolicyName: AssumeMongoDBReadWriteAccessRole
PolicyDocument:
  Statement:
    - Action: sts:AssumeRole
      Effect: Allow
      Resource:
        Fn::GetAtt:
          - MongoDBReadWriteAccess
          - Arn
  Version: '2012-10-17'
```
Then, inside the Lambda code, use the AWS CLI command `aws sts assume-role` to assume that role and retrieve the keys (AccessKeyId, SecretAccessKey, SessionToken). Now you can use them to open a connection.
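The flow the answer describes, as an added example that is not part of the original question or answer: the function explicitly assumes the Atlas-trusted role (passing the `ExternalId` that the trust policy's `StringEquals` condition requires), URL-encodes the returned temporary credentials, and builds the `MONGODB-AWS` connection string from them rather than from the execution-role credentials in the Lambda environment. It also extracts the role name from the `AssumedRoleUser` ARN that STS returns, which is the principal Atlas reports in a `bad auth : user ... is not found` error, so it can be compared with the role mapped to the Atlas database user. The role ARN, external ID, cluster host and the `FakeStsClient` are constructed placeholders; the call uses the STS client's `assume_role` method as `boto3` exposes it, and `boto3` is only imported inside the handler so the helpers run offline.

```python
from urllib.parse import quote_plus

# Placeholders (not from the original post): the Lambda execution role must be
# allowed sts:AssumeRole on this ARN, and the Atlas DB user must be mapped to it.
ATLAS_ROLE_ARN = "arn:aws:iam::<your aws account ID>:role/MongoDBReadWriteAccess"
ATLAS_EXTERNAL_ID = "<external ID>"       # must equal sts:ExternalId in the trust policy
CLUSTER_HOST = "<cluster>.ozmat.mongodb.net"


def assume_atlas_role(sts_client, role_arn, external_id, session_name="lambda-atlas"):
    """Call STS AssumeRole and return the temporary credentials together with the
    assumed-role ARN, which is the identity Atlas sees when MONGODB-AWS auth runs."""
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        ExternalId=external_id,   # omitted -> AccessDenied from the StringEquals condition
        DurationSeconds=900,      # shortest allowed; a Lambda invocation needs no more
    )
    creds = resp["Credentials"]
    return {
        "access_key": creds["AccessKeyId"],
        "secret_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "assumed_role_arn": resp["AssumedRoleUser"]["Arn"],
    }


def build_atlas_uri(host, access_key, secret_key, session_token):
    """Build the MONGODB-AWS connection string. Each credential is percent-encoded
    because temporary keys and session tokens contain '/', '+' and '='."""
    return (
        f"mongodb+srv://{quote_plus(access_key)}:{quote_plus(secret_key)}@{host}/"
        "?authSource=%24external&authMechanism=MONGODB-AWS"
        "&retryWrites=true&w=majority"
        f"&authMechanismProperties=AWS_SESSION_TOKEN:{quote_plus(session_token)}"
    )


def role_name_from_assumed_arn(assumed_role_arn):
    """'arn:aws:sts::123:assumed-role/<RoleName>/<session>' -> '<RoleName>'.
    If Atlas answers 'user ... is not found', this is the name to compare with the
    role configured on the Atlas database user."""
    return assumed_role_arn.split(":assumed-role/")[1].split("/")[0]


class FakeStsClient:
    """Constructed stand-in for boto3's STS client so the flow runs offline."""

    def __init__(self, account_id="123456789012"):
        self.account_id = account_id

    def assume_role(self, RoleArn, RoleSessionName, ExternalId, DurationSeconds):
        if ExternalId != ATLAS_EXTERNAL_ID and ExternalId != "ext-1":
            raise PermissionError("AccessDenied: external ID mismatch (simulated)")
        role_name = RoleArn.rsplit("/", 1)[1]
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLE",      # constructed sample values
                "SecretAccessKey": "s/e+c=",
                "SessionToken": "t+o/k=",
            },
            "AssumedRoleUser": {
                "Arn": f"arn:aws:sts::{self.account_id}:assumed-role/{role_name}/{RoleSessionName}",
            },
        }


def connection_uri_for_role(sts_client, role_arn, external_id, host):
    """Assume the Atlas role and return (uri, role_name_atlas_will_see)."""
    info = assume_atlas_role(sts_client, role_arn, external_id)
    uri = build_atlas_uri(host, info["access_key"], info["secret_key"], info["session_token"])
    return uri, role_name_from_assumed_arn(info["assumed_role_arn"])


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; assumed, not shown in the original post
    uri, role = connection_uri_for_role(boto3.client("sts"), ATLAS_ROLE_ARN, ATLAS_EXTERNAL_ID, CLUSTER_HOST)
    # from pymongo import MongoClient; MongoClient(uri) would then authenticate as `role`
    return {"atlas_principal_role": role}


if __name__ == "__main__":
    uri, role = connection_uri_for_role(FakeStsClient(), ATLAS_ROLE_ARN, ATLAS_EXTERNAL_ID, CLUSTER_HOST)
    print(role)   # MongoDBReadWriteAccess, not the execution role the question's error showed
    print(uri)
```

The execution-role credentials in `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN` are what produced the `assumed-role/<incorrect_role_name>` principal in the question; only the credentials returned by `assume_role` on `MongoDBReadWriteAccess` authenticate as that role.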