I’m pretty new to working with NPM tools and could use some help. I’ve been trying to figure out if the migrate-mongo package can work with AWS IAM auth for DocumentDB connections.
I managed to get my main application connected to DocumentDB using IAM authentication and it works fine. The app backend connects without issues using the proper auth mechanism.
The problem comes when I try to use migrate-mongo for database migrations. This tool is really useful for applying and rolling back schema changes with up and down commands.
When I run the migration tool, I get this error:
“ERROR: Command authenticate not supported on $external database. MongoServerError: Command Authenticate not supported on $external”
Looking at the logs, it seems like the tool is trying to use X509 authentication instead of the AWS IAM method I need.
Since migrate-mongo uses the MongoDB Node.js driver underneath, I’m wondering if I can just modify the config file to use:
authMechanism: MONGODB-AWS
authSource: $external
This is the same setup that works for my main app. Has anyone gotten this combination to work? I haven’t found much documentation about using IAM auth with this migration tool.
yeah, migrate-mongo works with MONGODB-AWS auth, but documentdb’s tricky. your config looks good - just make sure you’re on migrate-mongo v9+ and add retryWrites=false to your connection string. documentdb doesn’t handle retryable writes, which causes random auth failures even with correct credentials.
Had this exact problem migrating from Atlas to DocumentDB last year. The auth error happens because migrate-mongo’s default config doesn’t handle AWS IAM properly. You’re on the right track with authMechanism and authSource, but there’s another piece that gets missed a lot. Make sure you’re running migrate-mongo 8.2.0 or higher - earlier versions had buggy MONGODB-AWS support. For the config file, your AWS credentials need to be available in the environment where you run migrations. I found using an EC2 instance with an IAM role way more reliable than passing credentials manually. Your connection options need ssl: true and sslValidate: false for DocumentDB specifically. One heads up - test your migrations thoroughly in dev first. DocumentDB has some subtle differences from regular MongoDB that can cause weird behavior during schema changes.
Had the exact same problem about six months ago with migrate-mongo and DocumentDB. That auth error’s super common - the tool just defaults to regular MongoDB auth. Here’s what fixed it for me: update your migrate-mongo-config.js to set authMechanism to ‘MONGODB-AWS’ and authSource to ‘$external’ like you mentioned. But the tricky part I spent forever figuring out was getting the connection string format right for DocumentDB. Double-check you’re using the proper DocumentDB endpoint format and your AWS credentials are set up correctly in your environment or through IAM roles. The migrate-mongo tool should grab the same AWS credential chain your main app uses. One gotcha though - check the version compatibility between migrate-mongo and whatever MongoDB driver version it’s running. I had to upgrade to a newer migrate-mongo version that actually supported MONGODB-AWS auth properly.