Amazon DocumentDB

Last modified on August 10, 2022

This guide explains how to add Amazon DocumentDB, a MongoDB-compatible document database, as a resource in strongDM.

Limitations

  • The DocumentDB Datasource supports username/password authentication. It does not support IAM or AWS Directory Service authentication.
  • DocumentDB requires TLS to connect.
  • DocumentDB does not support connection using service (SRV) records.
  • When creating a DocumentDB (replica set mode) resource, the Hostname field must be set with the hostnames and ports of all instances in the replica set separated by commas (e.g., primary0:27017,replica1:27017,replica2:27017).
  • AWS Directory Service integration is not supported.

Configuration Properties

strongDM offers two DocumentDB Datasource types: DocumentDB (replica set mode), for connecting to specified replica instances in your cluster; and DocumentDB (single host mode), for connecting to only the primary instance in your cluster.

To configure DocumentDB in either replica set mode or single host mode, first see our main guide, Add a Datasource, for general information on adding a Datasource in the Admin UI. Then set the properties for your selected DocumentDB type.

DocumentDB (replica set)

Add Datasource Dialog for Amazon DocumentDB (replica set)
Add Datasource Dialog for Amazon DocumentDB (replica set)
  • Display Name (Required): Enter a meaningful name for this resource. This name displays throughout strongDM. Do not include special characters like quotes (") or angle brackets (< or >).
  • Datasource Type (Required): Select DocumentDB (replica set).
  • Hostname (Required): Enter the hostnames and ports of all instances in the replica set. The host addresses and ports of all replica instances must be separated by commas (e.g., primary0:27017,replica1:27017,replica2:27017).
  • Port Override: After you click create, the port override will be filled in with a port between 1024-59999 that is not in use by another resource. You can change the port override later in Settings > Port Overrides.
  • Authentication Database (Required): Enter the name of the DocumentDB authentication database (e.g., “admin”).
  • Secret Store: This field lets you specify where the credentials for this Resource are stored (i.e., strongDM, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, etc.). This field is only displayed if Secret Store integration is configured in the Admin UI. The default Secret Store type is strongDM. Selecting any other Secret Store type causes properties unique to that Secret Store to appear, such as Username (path), Password (path), and so forth. For more detailed information about path to the secrets you’ve stored in a particular Secret Store, see the Secret Store integration configuration guide for the one you are using.
  • Username (Required): This field is shown when Secret Store integration is not configured for your organization, or when it is and strongDM is the selected Secret Store type. Enter the username (e.g., administrator@example.com) used for authentication to DocumentDB.
  • Username (path) (Required): If Secret Store integration is configured for your organization and you selected a Secret Store type that is not strongDM, enter the path to the secret in your Secret Store (e.g., path/to/credential?key=optionalKeyName). The key argument is optional.
  • Password (Required): This field is shown when Secret Store integration is not configured for your organization, or when it is and strongDM is the selected Secret Store type. Enter the password used for authentication to DocumentDB.
  • Password (path) (Required): If Secret Store integration is configured for your organization and you selected a Secret Store type that is not strongDM, enter the path to the secret in your Secret Store (e.g., path/to/credential?key=optionalKeyName). The key argument is optional.
  • Replica Set (Required): Enter the name of the DocumentDB replica instance.
  • Connect to Replica? (Optional): When this option is selected, strongDM will connect to a read-only replica instance instead of the primary instance.
  • Resource Tags (Optional): Assign tags to this Datasource by entering key-value pairs in the format <KEY>=<VALUE> (e.g., env=dev, region=east, etc.).

DocumentDB (single host)

Add Datasource Dialog for Amazon DocumentDB (single host)
Add Datasource Dialog for Amazon DocumentDB (single host)
  • Display Name (Required): Enter a meaningful name for this resource. This name displays throughout strongDM. Do not include special characters like quotes (") or angle brackets (< or >).
  • Datasource Type (Required): Select DocumentDB (single host).
  • Hostname (Required): Enter the instance endpoint for your DocumentDB cluster (e.g., sample-instance.123456789012.us-east-1.docdb.amazonaws.com).
  • Port (Required): The default port is 27017.
  • Port Override: After you click create, the port override will be filled in with a port between 1024-59999 that is not in use by another resource. You can change the port override later in Settings > Port Overrides.
  • Authentication Database (Required): Enter the name of the DocumentDB authentication database (e.g., “admin”).
  • Secret Store: This field lets you specify where the credentials for this Resource are stored (i.e., strongDM, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, etc.). This field is only displayed if Secret Store integration is configured in the Admin UI. The default Secret Store type is strongDM. Selecting any other Secret Store type causes properties unique to that Secret Store to appear, such as Username (path), Password (path), and so forth.
  • Username (Required): This field is shown when Secret Store integration is not configured for your organization, or when it is and strongDM is the selected Secret Store type. Enter the username (e.g., administrator@example.com) used for authentication to DocumentDB.
  • Username (path) (Required): If Secret Store integration is configured for your organization and you selected a Secret Store type that is not strongDM, enter the path to the secret in your Secret Store (e.g., path/to/credential?key=optionalKeyName). The key argument is optional.
  • Password (Required): This field is shown when Secret Store integration is not configured for your organization, or when it is and strongDM is the selected Secret Store type. Enter the password used for authentication to DocumentDB.
  • Password (path) (Required): If Secret Store integration is configured for your organization and you selected a Secret Store type that is not strongDM, enter the path to the secret in your Secret Store (e.g., path/to/credential?key=optionalKeyName). The key argument is optional.
  • Replica Set (Required): Enter the name of the DocumentDB replica instance.
  • Connect to Replica? (Optional): When this option is selected, strongDM will connect to a read-only replica instance instead of the primary instance.
  • Resource Tags (Optional): Assign tags to this Datasource by entering key-value pairs in the format <KEY>=<VALUE> (e.g., env=dev, region=east, etc.).

Test the Connection

After you have created the DocumentDB Datasource, you can use the MongoDB Shell to test the connection to DocumentDB.

  1. Run the following command to connect to the instance running on your localhost:
    mongosh "mongodb://localhost:<PORT>/admin"

    Example:
    mongosh "mongodb://localhost:37018/admin"

  2. Once connected, execute the following command to see the databases:
    show dbs

If any errors occur, please copy them into an email and send them to support@strongdm.com.

Top