From a4b425d0cb445893ed653e9c0c3634731c8cc509 Mon Sep 17 00:00:00 2001
From: Steven Silvester <steven.silvester@ieee.org>
Date: Mon, 14 Nov 2022 12:13:56 -0600
Subject: [PATCH 1/4] PYTHON-2818 Add documentation and changelog

---
 doc/changelog.rst               |  7 ++++++-
 doc/examples/authentication.rst | 20 ++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/doc/changelog.rst b/doc/changelog.rst
index ebd796116e..bec2e8ba08 100644
--- a/doc/changelog.rst
+++ b/doc/changelog.rst
@@ -4,8 +4,13 @@ Changelog
 Changes in Version 4.3.3
 ------------------------
 
-Version 4.3.3 documents support for :ref:`CSFLE on-demand credentials` for cloud KMS providers, and fixes the following bugs:
+Version 4.3.3 documents support for the following:
 
+- :ref:`CSFLE on-demand credentials` for cloud KMS providers.
+- Authentication support for :ref:`EKS Clusters`.
+
+Bug Fixes
+.........
 - Fixed a performance regression in :meth:`~gridfs.GridFSBucket.download_to_stream`
   and :meth:`~gridfs.GridFSBucket.download_to_stream_by_name` by reading in chunks
   instead of line by line (`PYTHON-3502`_).
diff --git a/doc/examples/authentication.rst b/doc/examples/authentication.rst
index 862ac40db2..efd3a07e94 100644
--- a/doc/examples/authentication.rst
+++ b/doc/examples/authentication.rst
@@ -311,6 +311,10 @@ A sample URI would be::
 .. note:: The access_key_id, secret_access_key, and session_token passed into
           the URI MUST be `percent escaped`_.
 
+
+.. _percent escaped:
+
+
 AWS Lambda (Environment Variables)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -331,6 +335,22 @@ for the access key ID, secret access key, and session token, respectively::
           PyMongo will use credentials set via the environment variables.
           These environment variables MUST NOT be `percent escaped`_.
 
+
+.. _EKS Clusters:
+
+EKS Clusters
+~~~~~~~~~~~~
+
+Applications using the `Authenticating users for your cluster from an OpenID Connect identity provider <https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html>`_ capability on EKS can now
+use the provided credentials, by giving the associated IAM User
+ `sts:AssumeRoleWithWebIdentity <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>`_ permission.
+
+When the username and password are not provided, the MONGODB-AWS mechanism
+is set, and ``AWS_WEB_IDENTITY_TOKEN_FILE``, ``AWS_ROLE_ARN``, and
+optional ``AWS_ROLE_SESSION_NAME`` are available, the driver will use
+an ``AssumeRoleWithWebIdentity`` call to retrieve temporary credentials.
+The application must be using ``pymongo_auth_aws`` >= 1.1.0 for EKS support.
+
 ECS Container
 ~~~~~~~~~~~~~
 

From f0c8901731895d24e978e47e493255e15c69b44f Mon Sep 17 00:00:00 2001
From: Steven Silvester <steven.silvester@ieee.org>
Date: Mon, 14 Nov 2022 12:14:26 -0600
Subject: [PATCH 2/4] remove errant copy

---
 doc/examples/authentication.rst | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/doc/examples/authentication.rst b/doc/examples/authentication.rst
index efd3a07e94..1d460c0cc7 100644
--- a/doc/examples/authentication.rst
+++ b/doc/examples/authentication.rst
@@ -312,9 +312,6 @@ A sample URI would be::
           the URI MUST be `percent escaped`_.
 
 
-.. _percent escaped:
-
-
 AWS Lambda (Environment Variables)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

From 75f157fd5e9b65c2f5b333b418811842cfccdb4a Mon Sep 17 00:00:00 2001
From: Steven Silvester <steven.silvester@ieee.org>
Date: Mon, 14 Nov 2022 12:17:43 -0600
Subject: [PATCH 3/4] formatting

---
 doc/examples/authentication.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/examples/authentication.rst b/doc/examples/authentication.rst
index 1d460c0cc7..a984d17fc0 100644
--- a/doc/examples/authentication.rst
+++ b/doc/examples/authentication.rst
@@ -340,7 +340,8 @@ EKS Clusters
 
 Applications using the `Authenticating users for your cluster from an OpenID Connect identity provider <https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html>`_ capability on EKS can now
 use the provided credentials, by giving the associated IAM User
- `sts:AssumeRoleWithWebIdentity <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>`_ permission.
+`sts:AssumeRoleWithWebIdentity <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>`_
+permission.
 
 When the username and password are not provided, the MONGODB-AWS mechanism
 is set, and ``AWS_WEB_IDENTITY_TOKEN_FILE``, ``AWS_ROLE_ARN``, and

From da67b28acfb64b2faeca8aab85301e9393b94937 Mon Sep 17 00:00:00 2001
From: Steven Silvester <steven.silvester@ieee.org>
Date: Mon, 14 Nov 2022 14:17:33 -0600
Subject: [PATCH 4/4] address review

---
 doc/changelog.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/changelog.rst b/doc/changelog.rst
index bec2e8ba08..89d3f2fdde 100644
--- a/doc/changelog.rst
+++ b/doc/changelog.rst
@@ -8,6 +8,8 @@ Version 4.3.3 documents support for the following:
 
 - :ref:`CSFLE on-demand credentials` for cloud KMS providers.
 - Authentication support for :ref:`EKS Clusters`.
+- Added the :ref:`timeout-example` example page to improve the documentation
+  for :func:`pymongo.timeout`.
 
 Bug Fixes
 .........
@@ -16,8 +18,6 @@ Bug Fixes
   instead of line by line (`PYTHON-3502`_).
 - Improved performance of :meth:`gridfs.grid_file.GridOut.read` and
   :meth:`gridfs.grid_file.GridOut.readline` (`PYTHON-3508`_).
-- Added the :ref:`timeout-example` example page to improve the documentation
-  for :func:`pymongo.timeout`.
 
 Issues Resolved
 ...............