Drivers / DRIVERS-1941

Add MONGODB-AWS Support for EKS Service Account Auth

    • Type: Spec Change
    • Resolution: Duplicate
    • Priority: Unknown
    • None
    • Component/s: Authentication
    • Labels:
    • Needed

      Summary

      For the MONGODB-AWS authentication mechanism, provide native driver support for obtaining AWS credentials using the preferred method of assigning Kubernetes Service Accounts to workloads. Currently, the driver requires a manual STS token assume for EKS to happen outside of the driver. This is not only a usability issue but creates bugs with regard to the token lifetimes in failure scenarios.

      Relevant Section in Specification: Auth MONGODB-AWS Obtaining Credentials
      Affordances are already given for ECS, EC2, and Lambda runtimes. EKS is another key runtime that should be more fully supported.

      Motivation

      Who is the affected end user?

      AWS EKS users who are using the AWS IAM Passwordless Authentication for Atlas.

      How does this affect the end user?

      More code is required to authenticate outside of the driver for EKS. This involves rebuilding a connection string and creates special case code when deploying within EKS vs any other normal deployment. This increases configuration for end user apps and introduces places for bugs and misconfiguration.

      How likely is it that this problem or use case will occur?

      For any EKS users who would like to increase security by using AWS IAM roles to eliminate secrets, they will run into this issue.

      If the problem does occur, what are the consequences and how severe are they?

      Failure scenarios when a connection drops and a reconnection is initiated will fail due to an expired token. This can mean applications are required to crash and restart in order to obtain valid credentials, or complex error handling will need to be implemented.

      As far as the usability issue, the problem occurs for every user who needs to figure out how to accomplish this authentication. Manual STS token assumption is an additional burden placed on every user within EKS.

      Is this issue urgent?

      This issue is not urgent, but the problem is significant enough to deter usage of passwordless IAM authentication which would increase end user deployment security.

      Is this ticket required by a downstream team?

      No.

      Is this ticket only for tests?

      No.

            Assignee: Unassigned
            Reporter: kevincent@tradestation.com Kekoa Vincent
            Votes: 0
            Watchers: 5
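Added example, not part of the ticket and not driver code: a sketch of the manual workaround the ticket describes, in which the application obtains temporary STS credentials itself, rebuilds the MONGODB-AWS connection string from them, and refreshes them before expiry so a reconnect does not present a stale token. `RefreshingUri`, `build_uri`, `fake_sts`, the host name, the five-minute margin and all credential values are constructed for illustration; a real `fetch` would call STS AssumeRoleWithWebIdentity.

```python
import datetime as dt
from urllib.parse import quote

UTC = dt.timezone.utc


def build_uri(host, creds):
    """MONGODB-AWS URI from temporary credentials, each part percent-encoded."""
    enc = lambda s: quote(s, safe="")  # tokens contain '/', '+', '='
    return (
        f"mongodb+srv://{enc(creds['AccessKeyId'])}:{enc(creds['SecretAccessKey'])}"
        f"@{host}/?authSource=$external&authMechanism=MONGODB-AWS"
        f"&authMechanismProperties=AWS_SESSION_TOKEN:{enc(creds['SessionToken'])}"
    )


class RefreshingUri:
    """Hypothetical helper: fetch new credentials before the old ones expire."""

    def __init__(self, host, fetch, margin=dt.timedelta(minutes=5), clock=None):
        # fetch() returns the "Credentials" dict of STS AssumeRoleWithWebIdentity;
        # in a pod it would send the token in AWS_WEB_IDENTITY_TOKEN_FILE for
        # the role in AWS_ROLE_ARN.
        self.host, self.fetch, self.margin = host, fetch, margin
        self.clock = clock or (lambda: dt.datetime.now(UTC))
        self.creds = None

    def current(self):
        """URI to use for the next (re)connect; refreshes when near expiry."""
        c = self.creds
        if c is None or c["Expiration"] - self.clock() <= self.margin:
            self.creds = self.fetch()
        return build_uri(self.host, self.creds)


def fake_sts(clock):
    """Constructed stand-in for STS: one-hour credentials, counts its calls."""
    calls = {"n": 0}

    def fetch():
        calls["n"] += 1
        return {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "s/ecret+key",
                "SessionToken": f"tok{calls['n']}/+=",
                "Expiration": clock() + dt.timedelta(hours=1)}
    return fetch, calls


if __name__ == "__main__":
    fetch, _ = fake_sts(lambda: dt.datetime.now(UTC))
    print(RefreshingUri("cluster0.example.mongodb.net", fetch).current())
```

A client already built from an earlier URI keeps the old credentials, so the application still has to create a new client from `current()` when it reconnects.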