- Type: Spec Change
- Resolution: Duplicate
- Priority: Unknown
- Component/s: Authentication
Summary
For the MONGODB-AWS authentication mechanism, provide native driver support for obtaining AWS credentials using the preferred method of assigning Kubernetes Service Accounts to workloads. Currently, the driver requires the STS role assumption for EKS to be performed manually, outside of the driver. This is not only a usability issue; it also creates bugs with regard to token lifetimes in failure scenarios.
Relevant Section in Specification: Auth MONGODB-AWS Obtaining Credentials
Affordances are already given for ECS, EC2, and Lambda runtimes. EKS is another key runtime that should be more fully supported.
Motivation
Who is the affected end user?
AWS EKS users who are using the AWS IAM Passwordless Authentication for Atlas.
How does this affect the end user?
More code is required to authenticate outside of the driver for EKS. This involves rebuilding a connection string and creates special-case code for deployments within EKS versus any other normal deployment. This increases configuration for end-user apps and introduces places for bugs and misconfiguration.
How likely is it that this problem or use case will occur?
Any EKS user who wants to increase security by using AWS IAM roles to eliminate secrets will run into this issue.
If the problem does occur, what are the consequences and how severe are they?
In failure scenarios where a connection drops and a reconnection is initiated, the reconnection will fail because the token has expired. This can mean applications must crash and restart in order to obtain valid credentials, or complex error handling will need to be implemented.
As for the usability issue, the problem occurs for every user who needs to figure out how to accomplish this authentication. Manual STS token assumption is an additional burden placed on every user within EKS.
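As an added illustration (not driver or specification code from this ticket), the manual workaround described above: the application itself exchanges the IRSA web-identity token for temporary STS credentials, builds the MONGODB-AWS connection string from them, and has to track expiry so a reconnect does not reuse a dead token. The STS call is an injected stand-in so the code runs offline; the host, key values and the 5-minute refresh margin are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, Optional
from urllib.parse import quote

Creds = Dict[str, Any]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration (aware datetime)

def build_mongodb_aws_uri(host: str, creds: Creds) -> str:
    """Assemble the MONGODB-AWS connection string from temporary credentials:
    access key and secret in the userinfo part, session token in
    authMechanismProperties, all percent-encoded since they contain '/', '+', '='."""
    user = quote(creds["AccessKeyId"], safe="")
    pwd = quote(creds["SecretAccessKey"], safe="")
    token = quote(creds["SessionToken"], safe="")
    return (f"mongodb+srv://{user}:{pwd}@{host}/?authMechanism=MONGODB-AWS"
            f"&authMechanismProperties=AWS_SESSION_TOKEN:{token}")

def credentials_usable(creds: Creds, now: datetime,
                       margin: timedelta = timedelta(minutes=5)) -> bool:
    """Usable only while the credentials outlive a safety margin; a reconnect
    attempted after Expiration is the auth failure the ticket describes."""
    return creds["Expiration"] - now > margin

class RefreshingUri:
    """Caches the URI and re-assumes the role only when the cached credentials are
    about to expire: bookkeeping every EKS app carries while the driver cannot."""
    def __init__(self, host: str, sts_assume: Callable[[], Creds]):
        # sts_assume stands in for STS AssumeRoleWithWebIdentity using the IRSA
        # token file (AWS_WEB_IDENTITY_TOKEN_FILE) and role (AWS_ROLE_ARN).
        self.host, self.sts_assume = host, sts_assume
        self.creds: Optional[Creds] = None
        self.refreshes = 0

    def uri(self, now: datetime) -> str:
        if self.creds is None or not credentials_usable(self.creds, now):
            self.creds = self.sts_assume()
            self.refreshes += 1
        return build_mongodb_aws_uri(self.host, self.creds)

def demo() -> dict:
    """Scenario with a constructed STS stand-in (one-hour token lifetime)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sts = lambda: {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "wJalr/XUtn+FEMI",
                   "SessionToken": "tok/en+==", "Expiration": t0 + timedelta(hours=1)}
    r = RefreshingUri("cluster0.example.mongodb.net", sts)
    first = r.uri(t0)
    reused = r.uri(t0 + timedelta(minutes=30)) == first  # fresh: no STS call
    r.uri(t0 + timedelta(minutes=56))                    # inside margin: refresh
    return {"first": first, "reused": reused, "refreshes": r.refreshes,
            "expired_at_61m": not credentials_usable(sts(), t0 + timedelta(minutes=61))}
```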
Is this issue urgent?
This issue is not urgent, but the problem is significant enough to deter usage of passwordless IAM authentication, which would increase end-user deployment security.
Is this ticket required by a downstream team?
No.
Is this ticket only for tests?
No.
- duplicates: DRIVERS-2011 On-demand callback for AWS credentials (Closed)
- is related to: DRIVERS-1746 Add native support for AWS IAM Roles for service accounts, EKS in particular (Closed)
- related to: DRIVERS-2011 On-demand callback for AWS credentials (Closed)