Docs Menu
Docs Home
/
Languages
/
C++
/
C++ Driver

Secure Your Data

On this page

  • Overview
  • Sample Application
  • SCRAM-SHA-256
  • SCRAM-SHA-1
  • MONGODB X.509
  • MONGODB-AWS
  • Connection URI
  • Environment Variables
  • AssumeRoleWithWebIdentity Request
  • ECS Metadata
  • EC2 Instance Metadata
  • Kerberos
  • PLAIN SASL

Overview

MongoDB supports multiple mechanisms that you can use to authenticate your application. This page contains code examples that demonstrate each of these mechanisms.

Tip

To learn more about any of the authentication mechanisms on this page, see the Authentication Mechanisms and Enterprise Authentication Mechanisms pages.

To use an authentication example from this page, copy the code example into the sample application or your own application. Be sure to replace all placeholders in the code examples, such as <hostname>, with the relevant values for your MongoDB deployment.

Sample Application

You can use the following sample application to test the code examples on this page. To use the sample application, perform the following steps:

  1. Ensure you have the C++ driver installed in a location from which your project can import it.

  2. Copy the following code and paste it into a new .cpp file within your project.

  3. Copy a code example from this page and paste it within the highlighted section of the file.

1#include <bsoncxx/json.hpp>
2
3#include <mongocxx/client.hpp>
4#include <mongocxx/exception/exception.hpp>
5#include <mongocxx/instance.hpp>
6#include <mongocxx/uri.hpp>
7
8#include <iostream>
9
10int main()
11{
12    mongocxx::instance instance;
13
14    try
15    {
16        // Start example code here
17
18        // End example code here
19
20        auto admin = client["admin"];
21        admin.run_command(bsoncxx::from_json(R"({ "ping": 1 })"));
22
23        std::cout << "Successfully pinged the MongoDB server." << std::endl;
24    }
25    catch (const mongocxx::exception &e)
26    {
27        std::cout << "An exception occurred: " << e.what() << std::endl;
28        return EXIT_FAILURE;
29    }
30
31    return EXIT_SUCCESS;
32}

SCRAM-SHA-256

The following code shows how to create a connection URI to authenticate by using the SCRAM-SHA-256 authentication mechanism:

auto uri = mongocxx::uri("mongodb://<db_username>:<db_password>@<hostname>:<port>/?"
                         "authSource=admin&authMechanism=SCRAM-SHA-256");
auto client = mongocxx::client(uri);

To learn more about SCRAM-SHA-256 authentication, see SCRAM-SHA-256 in the Authentication guide.

SCRAM-SHA-1

The following code shows how to create a connection URI to authenticate by using the SCRAM-SHA-1 authentication mechanism:

auto uri = mongocxx::uri("mongodb://<db_username>:<db_password>@<hostname>:<port>/?"
                         "authSource=admin&authMechanism=SCRAM-SHA-1");
auto client = mongocxx::client(uri);

To learn more about SCRAM-SHA-1 authentication, see SCRAM-SHA-1 in the Authentication guide.

MONGODB X.509

The following code shows how to create a connection URI to authenticate by using the X.509 authentication mechanism:

auto uri = mongocxx::uri("mongodb://<hostname>:<port>/?"
                         "tls=true&tlsCertificateKeyFile=path/to/client.pem&authMechanism=MONGODB-X509");
auto client = mongocxx::client(uri);

To learn more about X.509 authentication, see MONGODB X.509 in the Authentication guide.

MONGODB-AWS

The following sections show how to connect to MongoDB by using the MONGODB-AWS authentication mechanism. When you use the MONGODB-AWS mechanism, the C++ driver attempts to retrieve your AWS credentials from the following sources, in the order listed:

  1. Named parameters passed to the Connection URI

  2. Environment variables

  3. AWS EKS AssumeRoleWithWebIdentity request

  4. ECS container metadata

  5. EC2 instance metadata

Each section shows how to create the connection URI to authenticate with MONGODB-AWS when retrieving your AWS credentials from the specified source.

To learn more about authenticating with AWS, see MONGODB-AWS in the Authentication guide.

Connection URI

The following code shows how to create a connection URI that includes AWS credentials to authenticate with MONGODB-AWS:

auto uri = mongocxx::uri("mongodb://<AWS IAM access key ID>:<AWS IAM secret access key>@<hostname>:<port>/?"
                         "authMechanism=MONGODB-AWS");
auto client = mongocxx::client(uri);

Environment Variables

The following code shows how to create a connection URI to authenticate with MONGODB-AWS when obtaining credentials from environment variables. Ensure you have your environment variables specified before running this code.

auto uri = mongocxx::uri("mongodb://<hostname>:<port>/?"
                         "authMechanism=MONGODB-AWS");
auto client = mongocxx::client(uri);

To learn more about authenticating with AWS by using environment variables, see Environment Variables.

AssumeRoleWithWebIdentity Request

The following code shows how to create a connection URI to authenticate with MONGODB-AWS when obtaining credentials from an AssumeRoleWithWebIdentity request. Ensure that an AWS config file exists in your environment and is configured with the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables.

auto uri = mongocxx::uri("mongodb://<hostname>:<port>/?"
                         "authMechanism=MONGODB-AWS");
auto client = mongocxx::client(uri);

To learn more about authenticating with AWS by using an AssumeRoleWithWebIdentity request, see AssumeRoleWithWebIdentity Request.

ECS Metadata

The following code shows how to create a connection URI to authenticate with MONGODB-AWS when obtaining credentials from ECS metadata. Ensure that you specify the URI of the ECS endpoint in an environment variable called AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.

auto uri = mongocxx::uri("mongodb://<hostname>:<port>/?"
                         "authMechanism=MONGODB-AWS");
auto client = mongocxx::client(uri);

To learn more about authenticating with AWS by using ECS metadata, see ECS Metadata.

EC2 Instance Metadata

The following code shows how to create a connection URI to authenticate with MONGODB-AWS when obtaining credentials from EC2 instance metadata. Ensure that you configure your EC2 instance with your temporary credentials.

auto uri = mongocxx::uri("mongodb://<hostname>:<port>/?"
                         "authMechanism=MONGODB-AWS");
auto client = mongocxx::client(uri);

To learn more about authenticating with AWS by using EC2 instance metadata, see EC2 Instance Metadata.

Kerberos

Note

MongoDB Enterprise Only

Kerberos authentication is available only in MongoDB Enterprise.

The following code shows how to create a connection URI to authenticate with Kerberos:

auto uri = mongocxx::uri("mongodb://<Kerberos principal>@<hostname>:<port>/?"
                         "authMechanism=GSSAPI"
                         "&authMechanismProperties=SERVICE_NAME:<authentication service name>");
auto client = mongocxx::client(uri);

To learn more about authenticating with Kerberos, see Kerberos in the Enterprise Authentication guide.

PLAIN SASL

Note

MongoDB Enterprise Only

PLAIN SASL authentication is available only in MongoDB Enterprise.

The following code shows how to create a connection URI to authenticate with PLAIN SASL:

auto uri = mongocxx::uri("mongodb://<db_username>:<db_password>@<hostname>:<port>/?"
                         "authMechanism=PLAIN&tls=true");
auto client = mongocxx::client(uri);

To learn more about authenticating with PLAIN SASL, see PLAIN SASL in the Enterprise Authentication guide.

Back

Aggregation

Next

Authentication