COMPASS-6478

MongoDB Atlas + AWS IAM auth mechanism: implement proper safe obtaining of key/secret/token

    • Type: Bug
    • Resolution: Gone away
    • Priority: Major - P3
    • Affects Version/s: 1.35.0
    • Component/s: Connectivity
    • Environment: Compass 1.35.0, up-to-date as of 2023-02-01.

      Problem Statement/Rationale

      This is a bug equivalent to IntelliJ/YouTrack bug DBE-17241 - MongoDB Atlas + AWS IAM auth mechanism: implement proper safe obtaining of key/secret/token.

      I'm interested in logging in to a MongoDB/Atlas instance using AWS IAM credentials, an authentication mechanism already available "raw" in Compass 1.35.0 (New Connection → Advanced Connection Options → Authentication → AWS IAM).

      However, the current implementation is "raw" and lacking from a security perspective, as it merely asks users to enter an AWS {accessKeyId, secretAccessKey, sessionToken}. What I expect instead from a Mongo + AWS IAM implementation (which I did myself for a system I maintain) is this:

      1. Initialize the AWS SDK, which reads AWS config (at ~/.aws/config)
      2. Present to the user an AWS MFA (Multi-Factor Authentication) challenge
      3. Make an aws-sdk call to AWS STS.AssumeRole
      4. Take the (MFA-protected!) call result, a Credentials object with { accessKeyId, secretAccessKey, sessionToken, expiration }, and build an IAM/Atlas Mongo connection string internally, by doing basic string formatting + URLEncoding.

      Seeing that Compass "supports" AWS IAM credentials, I was expecting the same: a password/token-copypasta-less experience, MFA-protected, and using shortly-expiring tokens, invisibly to the user!

      But instead, I see that all Compass does currently is to ask users for an { accessKeyId, secretAccessKey, sessionToken }! Which means that Compass currently does none of the actual security-valuable job of bundling AWS' SDK in the Electron app and talking to AWS STS 😕. As far as I understand, Compass just supports the slightly different syntax of passing IAM secrets in the connection string. But that's not where the value is! The whole point of AWS IAM + config + MFA is to not have these secrets to copy-paste in the first place!

      Said differently, I was expecting that selecting AWS IAM creds would prompt me with a { AWS config, MFA challenge } form/flow, and not a { accessKeyId, secretAccessKey, sessionToken } form!

      Final note: I'm trying to connect to an Atlas instance. So, a security-legit and viable-to-me-Atlas-customer alternative to improving your AWS IAM connection would be to support logging in with Atlas+MFA credentials.

      Does that make sense, or am I missing something? Thanks.

      Steps to Reproduce

      Try to connect to a MongoDB Atlas instance using Compass' AWS IAM authentication method.

      Expected Results

      Be prompted for an AWS config form, and an MFA challenge.

      Actual Results

      Compass requests I copy-paste and give it AWS { accessKeyId, secretAccessKey, sessionToken }, defeating the security benefits.

      Additional Notes

      Compass 1.35.0, up-to-date as of 2023-02-01.
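The four-step flow the report describes (AWS SDK config, MFA challenge, STS AssumeRole, credentials object turned into a MONGODB-AWS connection string with URL encoding), as an added Node.js example. This is not Compass or MongoDB code. The STS call is injected as a `sendAssumeRole` callback so the block runs offline; in real code that callback would be `stsClient.send(new AssumeRoleCommand(params))` from `@aws-sdk/client-sts`. The Atlas host `cluster0.abcde.mongodb.net`, the role ARN, the MFA serial, the session name, the `fakeSts` responder and every credential value in it are constructed placeholders.

```javascript
'use strict';
// Added example, not Compass or MongoDB code: an MFA-protected STS AssumeRole
// request, the returned Credentials object turned into a MONGODB-AWS
// connection string with proper percent-encoding, an expiry check, and a
// log-safe redaction. The STS call is injected so this runs offline; in real
// code it is stsClient.send(new AssumeRoleCommand(params)) from @aws-sdk/client-sts.

// Steps 2-3: the AssumeRole input. Field names are the real STS API
// parameters; SerialNumber + TokenCode are what bind the result to MFA.
function buildAssumeRoleParams({ roleArn, sessionName, mfaSerial, tokenCode, durationSeconds = 900 }) {
  if (!/^arn:aws[\w-]*:iam::\d{12}:role\/.+$/.test(roleArn)) {
    throw new Error('roleArn is not an IAM role ARN');
  }
  if (typeof mfaSerial !== 'string' || mfaSerial.length === 0) {
    throw new Error('mfaSerial (virtual MFA ARN or hardware serial) is required');
  }
  if (!/^\d{6}$/.test(tokenCode)) throw new Error('tokenCode must be the 6-digit MFA code');
  if (!Number.isInteger(durationSeconds) || durationSeconds < 900 || durationSeconds > 43200) {
    throw new Error('durationSeconds must be 900..43200 (STS limits)');
  }
  return {
    RoleArn: roleArn,
    RoleSessionName: sessionName,
    SerialNumber: mfaSerial,
    TokenCode: tokenCode,
    DurationSeconds: durationSeconds,
  };
}

// STS returns Credentials with capitalised keys; normalise to the camelCase
// shape the report quotes: { accessKeyId, secretAccessKey, sessionToken, expiration }.
function fromStsCredentials(c) {
  return {
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
    expiration: c.Expiration instanceof Date ? c.Expiration : new Date(c.Expiration),
  };
}

// Step 4: the connection string. Each credential component is percent-encoded
// because secrets and session tokens contain '/', '+' and '=' that would
// otherwise be parsed as URI syntax. Expired credentials are rejected up front.
function buildAtlasAwsUri(host, creds, now = new Date()) {
  const { accessKeyId, secretAccessKey, sessionToken, expiration } = creds;
  if (!accessKeyId || !secretAccessKey) throw new Error('missing access key or secret');
  if (expiration && new Date(expiration) <= now) throw new Error('credentials already expired');
  const enc = encodeURIComponent;
  let uri = `mongodb+srv://${enc(accessKeyId)}:${enc(secretAccessKey)}@${host}` +
    '/?authSource=%24external&authMechanism=MONGODB-AWS';
  if (sessionToken) uri += `&authMechanismProperties=AWS_SESSION_TOKEN:${enc(sessionToken)}`;
  return uri;
}

// Never log the raw URI: strip the userinfo and the session token first.
function redactUri(uri) {
  return uri
    .replace(/\/\/[^@/]*@/, '//***:***@')
    .replace(/AWS_SESSION_TOKEN:[^&,]*/, 'AWS_SESSION_TOKEN:***');
}

// Steps 1-4 end to end; sendAssumeRole is the injected STS call.
async function atlasUriViaMfaAssumeRole(sendAssumeRole, { host, ...roleOpts }) {
  const params = buildAssumeRoleParams(roleOpts);
  const out = await sendAssumeRole(params);
  if (!out || !out.Credentials) throw new Error('STS returned no Credentials');
  return buildAtlasAwsUri(host, fromStsCredentials(out.Credentials));
}

// Constructed fake STS responder (assumption: no network). The values are
// placeholders in the style of the AWS docs, not real credentials.
function fakeSts(params) {
  return Promise.resolve({
    Credentials: {
      AccessKeyId: 'ASIAEXAMPLEKEY123456',
      SecretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
      SessionToken: 'AQoDYXdzEJr+/=EXAMPLE',
      Expiration: new Date(Date.now() + params.DurationSeconds * 1000),
    },
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  atlasUriViaMfaAssumeRole(fakeSts, {
    host: 'cluster0.abcde.mongodb.net',              // hypothetical Atlas host
    roleArn: 'arn:aws:iam::123456789012:role/AtlasReader',
    sessionName: 'compass-session',
    mfaSerial: 'arn:aws:iam::123456789012:mfa/alice', // hypothetical MFA device
    tokenCode: '123456',                              // the one-time code the user types
  }).then((uri) => console.log(redactUri(uri)));
}
```

The point of the shape: the user only ever types the six-digit MFA code, the long-lived access key and secret stay in the AWS SDK's own config/credential chain, and the only secrets that reach the connection string are the short-lived STS ones, which `buildAtlasAwsUri` refuses to use once they have expired. Session tokens are the component most likely to break a naively concatenated URI, hence `encodeURIComponent` on every part.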

            Assignee: julia.oppenheim@mongodb.com Julia Oppenheim
            Reporter: ronanj@unito.io Ronan Jouchet
            Votes: 0
            Watchers: 5