Can I use AWS DocumentDB instead of MongoDB?

prove-ability

last year

2 4

• Selected Answer
  

  denolfe

  Payload Team

  last year

  Hey @prove-ability, this error indicates that you are not passing the pem file contents into the Mongo options. You will need to have your .pem file locally and pass the contents into payload.init under mongoOptions. Here is an (untested) example:

  const caContent = fs.readFileSync('/path/to/rds-combined-ca-bundle.pem');
  
  payload.init({
    // ..
    mongoOptions: {
      sslCA: caContent,
    },
  });

  Let me know if that gets you any further.

  Here are some links to SO issues that may be useful as well: link, link

  5 replies
• 

  prove-ability

  last year

  The method that I told you didn't work.

  So I tried to proceed after watching AWS DOCS, but this also doesn't work.

  Do you have any idea?

  // Initialize Payload
  payload.init({
  
    secret: process.env.PAYLOAD_SECRET,
    mongoURL: process.env.MONGODB_URI,
    express: app,
    onInit: () => {
      payload.logger.info(`Payload Admin URL: ${payload.getAdminURL()}`)
    },
    mongoOptions: {
      tlsCAFile: `${__dirname}/rds-combined-ca-bundle.pem`
      // ssl: true,
      // sslValidate: false,
      // sslCA: `${__dirname}/rds-combined-ca-bundle.pem`
    }
  })

• 

  x31b

  last year

  hello @prove-ability

  Besides the SSL-issue, do you think DocumentDB's MongoDB API compatibility sufficient for PayloadCMS purposes?

• 

  jmikrut

  Payload Team

  last year

  @x31b — yes, you should be able to 100% use DocumentDB!

• 

  x31b

  last year

  Awesome. Thanks @jmikrut

• 

  denolfe

  Payload Team

  2 months ago

  Also worth looking at @hdodov 's comment below as well: #652 (comment)

• 

  moltar

  9 months ago

  @prove-ability Have you gotten the DocumentDB to work?

• 

  PukpikC

  5 months ago

  Hello @jmikrut ,
  I setup payload on aws but got this error when add data "You are not allowed to perform this action"
  

  i tried set mongoOptions up as in suggestions above but it still not working

  related error
  

  Do you have Ideas why,
  Thank you ^^

  4 replies
  

  DanRibbens

  Payload Team

  5 months ago

  If you're getting as far as you are in these screenshots, like being able to login, then your issue isn't the database configuration. It has to be your access control or a cors issue. To verify, do you still get the same errors when using MongoDB instead of DocumentDB? I'm assuming that you would.

  @PukpikC I would open a new Q&A discussion if you want troubleshooting help and include some of your config and steps to reproduce.

  

  PukpikC

  5 months ago

  @DanRibbens Thank you for your answer, ah yes everything works fine on my local using mongoDB. and it would be really nice for new Q&A discussion. 😃

  

  DanRibbens

  Payload Team

  5 months ago

  I can't understand how only changing the database connection would make this happen. Your other requests would be failing before these if it was the DB. I still think there is something else going on.

  

  PukpikC

  5 months ago

  @DanRibbens Hi, Than you for helping, I found a problem, it was about access control. I have to set it correctly to make it work on live :D

• 

  hdodov

  2 months ago

  I'm going to chime in with how I managed to connect to AWS DocumentDB locally.

  As stated in the AWS docs about "Connecting to an Amazon DocumentDB Cluster from Outside an Amazon VPC", you need to use SSH tunneling (port forwarding). Here's the command that creates a tunnel:

  ssh -i /Users/path/to/ssh-private-key -L 27017:your-cluster.cluster-id.eu-central-1.docdb.amazonaws.com:27017 ec2-user@ec2-12-345-678-90.eu-central-1.compute.amazonaws.com -N

  Then, your MONGODB_URI connection string must look like:

  mongodb://dbuser:dbpassword@localhost:27017/?tls=true&tlsCAFile=eu-central-1-bundle.pem&tlsInsecure=true&directConnection=true&retryWrites=false
  

  Couple of things to note:

  • eu-central-1-bundle.pem can be downloaded from the AWS docs on "Using SSL/TLS to encrypt a connection to a DB instance" and put in the root directory of the project.

  • tlsInsecure=true is needed because due to the SSH tunneling, you're actually connecting to localhost and you would receive the following error regarding the TLS certificate:

    Error: cannot connect to MongoDB. Details: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:your-cluster.cluster-id.eu-central-1.docdb.amazonaws.com, DNS:your-cluster.cluster-cluster-id.eu-central-1.docdb.amazonaws.com, DNS:your-cluster.cluster-ro-cluster-id.eu-central-1.docdb.amazonaws.com

  • directConnection=true must be added, as mentioned in this Mongoose issue. Quoting the MongoDB Go Driver docs:

    If set to true, the driver will only connect to the host provided in the URI and will not discover other hosts in the cluster.

    My guess is that this is needed because otherwise the SSH tunnel is messing with that "host discovery".

  • retryWrites=false is needed because otherwise you get:

    MongoServerError: Retryable writes are not supported

  At this point, you should have localhost:27017 forwarding the connection to your-cluster.cluster-id.eu-central-1.docdb.amazonaws.com:27017 using a tunnel through your EC2 instance ec2-12-345-678-90.eu-central-1.compute.amazonaws.com via ec2-user after authenticating with your EC2 SSH private key /Users/path/to/ssh-private-key.

  ---

  Before using DocumentDB, I was using Atlas, and the only change in my code I had to make (besides the MongoDB connection string in .env) was to disable the useFacet setting:

  await payload.init({
  	secret: process.env.PAYLOAD_SECRET,
  	mongoURL: process.env.MONGODB_URI,
  	express: app,
  +	mongoOptions: {
  +		useFacet: false,
  +	},
  });