Can I use AWS DocumentDB instead of MongoDB?

prove-ability
last year

mongodb://bard:<passwrd>@docdb-2022-06-13-02-18-07.cluster-c6wqayu9kx2t.ap-northeast-2.docdb.amazonaws.com:27017/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0&retryWrites=false

I want to link AWS DocumentDB.
I want help.

Screenshot 2022-06-13 11 29 52 AM

  • Selected Answer
    denolfe
    last year

    Hey @prove-ability, this error indicates that you are not passing the pem file contents into the Mongo options. You will need to have your .pem file locally and pass the contents into payload.init under mongoOptions. Here is an (untested) example:

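    const fs = require('fs');

    // Read the CA bundle contents from the local .pem file
    const caContent = fs.readFileSync('/path/to/rds-combined-ca-bundle.pem');
    
    payload.init({
      // ..
      mongoOptions: {
        // Pass the PEM contents (not the file path) to the Mongo options
        sslCA: caContent,
      },
    });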

    Let me know if that gets you any further.

    Here are some links to SO issues that may be useful as well: link, link

    5 replies
  • prove-ability
    last year

    The method that I told you didn't work.

    So I tried to proceed after watching AWS DOCS, but this also doesn't work.

    Do you have any idea?

    // Initialize Payload
    payload.init({
    
      secret: process.env.PAYLOAD_SECRET,
      mongoURL: process.env.MONGODB_URI,
      express: app,
      onInit: () => {
        payload.logger.info(`Payload Admin URL: ${payload.getAdminURL()}`)
      },
      mongoOptions: {
        tlsCAFile: `${__dirname}/rds-combined-ca-bundle.pem`
        // ssl: true,
        // sslValidate: false,
        // sslCA: `${__dirname}/rds-combined-ca-bundle.pem`
      }
    })
  • x31b
    last year

    Hello @prove-ability

    Besides the SSL issue, do you think DocumentDB's MongoDB API compatibility is sufficient for PayloadCMS purposes?

  • jmikrut
    last year

    @x31b — yes, you should be able to 100% use DocumentDB!

  • x31b
    last year

    Awesome. Thanks @jmikrut

  • denolfe
    10 months ago

    Also worth looking at @hdodov's comment below as well: #652 (comment)

  • moltar
    last year

    @prove-ability Have you gotten the DocumentDB to work?

  • PukpikC
    12 months ago

    Hello @jmikrut,
    I set up Payload on AWS but got this error when adding data: "You are not allowed to perform this action"
    image

    I tried setting mongoOptions up as in the suggestions above, but it is still not working.

    Related error:
    image

    Do you have any ideas why?
    Thank you ^^

    4 replies
    DanRibbens
    12 months ago

    If you're getting as far as you are in these screenshots, like being able to log in, then your issue isn't the database configuration. It has to be your access control or a CORS issue. To verify, do you still get the same errors when using MongoDB instead of DocumentDB? I'm assuming that you would.

    @PukpikC I would open a new Q&A discussion if you want troubleshooting help and include some of your config and steps to reproduce.

    PukpikC
    12 months ago

    @DanRibbens Thank you for your answer. Ah yes, everything works fine on my local using MongoDB, and it would be really nice to have a new Q&A discussion. 😃

    DanRibbens
    12 months ago

    I can't understand how only changing the database connection would make this happen. Your other requests would be failing before these if it was the DB. I still think there is something else going on.

    PukpikC
    12 months ago

    @DanRibbens Hi, thank you for helping. I found the problem; it was about access control. I have to set it correctly to make it work on live :D

  • hdodov
    10 months ago

    I'm going to chime in with how I managed to connect to AWS DocumentDB locally.

    As stated in the AWS docs about "Connecting to an Amazon DocumentDB Cluster from Outside an Amazon VPC", you need to use SSH tunneling (port forwarding). Here's the command that creates a tunnel:

    ssh -i /Users/path/to/ssh-private-key -L 27017:your-cluster.cluster-id.eu-central-1.docdb.amazonaws.com:27017 ec2-user@ec2-12-345-678-90.eu-central-1.compute.amazonaws.com -N

    Then, your MONGODB_URI connection string must look like:

    mongodb://dbuser:dbpassword@localhost:27017/?tls=true&tlsCAFile=eu-central-1-bundle.pem&tlsInsecure=true&directConnection=true&retryWrites=false
    

    Couple of things to note:

    • eu-central-1-bundle.pem can be downloaded from the AWS docs on "Using SSL/TLS to encrypt a connection to a DB instance" and put in the root directory of the project.

    • tlsInsecure=true is needed because, due to the SSH tunneling, you're actually connecting to localhost and you would receive the following error regarding the TLS certificate:

      Error: cannot connect to MongoDB. Details: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:your-cluster.cluster-id.eu-central-1.docdb.amazonaws.com, DNS:your-cluster.cluster-cluster-id.eu-central-1.docdb.amazonaws.com, DNS:your-cluster.cluster-ro-cluster-id.eu-central-1.docdb.amazonaws.com

    • directConnection=true must be added, as mentioned in this Mongoose issue. Quoting the MongoDB Go Driver docs:

      If set to true, the driver will only connect to the host provided in the URI and will not discover other hosts in the cluster.

      My guess is that this is needed because otherwise the SSH tunnel is messing with that "host discovery".

    • retryWrites=false is needed because otherwise you get:

      MongoServerError: Retryable writes are not supported

    At this point, you should have localhost:27017 forwarding the connection to your-cluster.cluster-id.eu-central-1.docdb.amazonaws.com:27017 using a tunnel through your EC2 instance ec2-12-345-678-90.eu-central-1.compute.amazonaws.com via ec2-user after authenticating with your EC2 SSH private key /Users/path/to/ssh-private-key.


    Before using DocumentDB, I was using Atlas, and the only change in my code I had to make (besides the MongoDB connection string in .env) was to disable the useFacet setting:

    await payload.init({
    	secret: process.env.PAYLOAD_SECRET,
    	mongoURL: process.env.MONGODB_URI,
    	express: app,
    +	mongoOptions: {
    +		useFacet: false,
    +	},
    });
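
Review bot: the added `useFacet: false` line carries no comment saying why the option is turned off. Since the post gives the move from Atlas to DocumentDB as the reason for this change, a one-line comment naming DocumentDB next to `useFacet` would keep a later cleanup from removing it.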
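
Added example, not part of hdodov's post or Payload's code: `tlsInsecure=true` in the tunnel URI above switches off certificate-chain validation as well as the hostname check, while the error it works around is only a hostname mismatch. The sketch below audits a connection string for TLS-weakening options and, for a loopback (tunnelled) host, swaps `tlsInsecure` for the standard `tlsAllowInvalidHostnames` option so the CA bundle is still enforced; the names `auditMongoUri` and `narrowForTunnel` are hypothetical.

```javascript
// Added example; function names are hypothetical, sample URI values are placeholders.
// Connection-string options that relax TLS verification (option names are case-insensitive).
const WEAKENING = new Map([
  ['tlsinsecure', { severity: 'high', effect: 'no certificate or hostname validation' }],
  ['tlsallowinvalidcertificates', { severity: 'high', effect: 'no certificate chain validation' }],
  ['tlsallowinvalidhostnames', { severity: 'low', effect: 'no hostname validation; CA chain still checked' }],
]);
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

// Return one finding per TLS-weakening option that is switched on in the URI.
function auditMongoUri(uri) {
  const url = new URL(uri);
  const opts = new Map();
  for (const [k, v] of url.searchParams) opts.set(k.toLowerCase(), v.toLowerCase());
  const findings = [];
  if ((opts.get('tls') ?? opts.get('ssl')) !== 'true') {
    findings.push({ option: 'tls', severity: 'high', effect: 'TLS is not enabled' });
  }
  for (const [k, v] of url.searchParams) {
    const hit = WEAKENING.get(k.toLowerCase());
    if (hit && v.toLowerCase() === 'true') findings.push({ option: k, ...hit });
  }
  return findings;
}

// Drop tlsInsecure; for a tunnelled (loopback) host relax only the hostname check.
function narrowForTunnel(uri) {
  const url = new URL(uri);
  let hadInsecure = false;
  for (const key of [...url.searchParams.keys()]) {
    if (key.toLowerCase() === 'tlsinsecure') {
      url.searchParams.delete(key);
      hadInsecure = true;
    }
  }
  if (hadInsecure && LOOPBACK.has(url.hostname)) {
    url.searchParams.set('tlsAllowInvalidHostnames', 'true');
  }
  return url.toString();
}

// The tunnel connection string from the post, with its placeholder credentials.
const tunnelUri = 'mongodb://dbuser:dbpassword@localhost:27017/?tls=true' +
  '&tlsCAFile=eu-central-1-bundle.pem&tlsInsecure=true&directConnection=true&retryWrites=false';
console.log(auditMongoUri(tunnelUri));
console.log(auditMongoUri(narrowForTunnel(tunnelUri)));
```

`tlsInsecure` cannot be combined with `tlsAllowInvalidHostnames` in one connection string, which is why the first is removed before the second is set.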