Type: New Feature
Resolution: Won't Do
Priority: Major - P3
Component/s: Authentication
Summary
Add a callback to supply AWS credentials on-demand.
This is a request to specify an API equivalent to JAVA-4310.
Motivation
The Driver Authentication specification describes four ways of obtaining credentials for the MONGODB-AWS authentication mechanism.
1. From the URI username, password, and options.
2. From environment variables.
3. From querying an endpoint for credentials in ECS.
4. From querying an endpoint for credentials in EC2.
A callback helps with these use cases:
1. Caching credentials. In (3) and (4) the endpoint is queried each time a connection handshake results in authentication, which may hit rate limits.
2. Avoiding session token expiration. The AWS session token set in (1) or (2) may be temporary and can expire. A callback enables passing and refreshing credentials in environments like EKS with assigned IAM roles.
3. Obtaining credentials in EKS environments.
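As an added illustration of the callback shape this ticket asks for (my own example, not code from any MongoDB driver; CachingCredentialProvider, AwsCredentials and the fake fetcher are hypothetical names), a provider that serves cached credentials across handshakes and refreshes them shortly before the session token expires, covering use cases (1) and (2) above:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

@dataclass(frozen=True)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str]    # None for long-lived IAM user keys
    expiration: Optional[datetime]  # None means the keys never expire

class CachingCredentialProvider:
    """Callback the driver would invoke on each authenticating handshake: wraps a
    fetch function (e.g. an ECS/EC2 metadata query or EKS role assumption) and
    serves cached credentials until they are within refresh_margin of expiring."""

    def __init__(self, fetch: Callable[[], AwsCredentials],
                 refresh_margin: timedelta = timedelta(minutes=5),
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch, self._margin, self._clock = fetch, refresh_margin, clock
        self._cached: Optional[AwsCredentials] = None
        self.fetch_count = 0  # lets callers observe cache hits vs. refreshes

    def __call__(self) -> AwsCredentials:
        if self._cached is None or self._expiring_soon(self._cached):
            self._cached = self._fetch()
            self.fetch_count += 1
        return self._cached

    def _expiring_soon(self, creds: AwsCredentials) -> bool:
        if creds.expiration is None:
            return False
        return self._clock() >= creds.expiration - self._margin

def simulate_handshakes() -> Tuple[int, int]:
    """Constructed scenario: ten handshakes inside one token lifetime cost one
    fetch; stepping the fake clock into the refresh margin costs one more."""
    state = {"now": datetime(2024, 1, 1, tzinfo=timezone.utc), "issued": 0}
    def fake_fetch() -> AwsCredentials:  # stands in for the metadata endpoint
        state["issued"] += 1
        return AwsCredentials("AKIAEXAMPLE", "example-secret",
                              f"token-{state['issued']}", state["now"] + timedelta(hours=1))

    provider = CachingCredentialProvider(fake_fetch, clock=lambda: state["now"])
    for _ in range(10):
        provider()
    after_burst = provider.fetch_count        # 1
    state["now"] += timedelta(minutes=56)     # now within 5 min of expiry
    provider()
    return after_burst, provider.fetch_count  # (1, 2)
```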
Who is the affected end user?
Users authenticating with MONGODB-AWS.
How does this affect the end user?
I do not know if there is a workaround for hitting rate limits in ECS. Users may be blocked.
If AWS credentials are passed through URI options, credentials may expire and result in failed authentication attempts. The workaround requires recreating a MongoClient, which is undesirable.
Authenticating with AWS in EKS requires an undesirable workaround by passing URI options.
How likely is it that this problem or use case will occur?
Likely for EKS users.
If the problem does occur, what are the consequences and how severe are they?
Hitting rate limits may result in temporary unavailability.
Handling credential expiration is less severe. The workaround is to recreate the MongoClient. It is an undesirable workaround.
Authenticating with AWS in EKS is less severe. The workaround is to recreate the MongoClient. It is an undesirable workaround.
Is this issue urgent?
No.
Is this ticket required by a downstream team?
No.
Is this ticket only for tests?
No.
Issue Links
- is depended on by:
  - GODRIVER-2241 AWS credential refreshing (Closed)
- is duplicated by:
  - DRIVERS-1941 Add MONGODB-AWS Support for EKS Service Account Auth (Closed)
- is related to:
  - DRIVERS-2179 Add support for updating expired AWS KMS temporary access credentials using assumed roles in FLE (Closed)
  - DRIVERS-1746 Add native support for AWS IAM Roles for service accounts, EKS in particular (Closed)
  - DRIVERS-2280 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
  - RUBY-2512 Support AWS authentication with temporary credentials in CSFLE (Closed)
  - DRIVERS-1941 Add MONGODB-AWS Support for EKS Service Account Auth (Closed)
- related to:
  - JAVA-4310 AWS credential refreshing (Closed)
  - DRIVERS-2333 Cache AWS Credentials Where Possible (Closed)
- split to:
  - CDRIVER-4467 On-demand callback for AWS credentials (Closed)
  - CSHARP-4033 On-demand callback for AWS credentials (Closed)
  - CXX-2437 On-demand callback for AWS credentials (Closed)
  - GODRIVER-2293 On-demand callback for AWS credentials (Closed)
  - JAVA-4464 On-demand callback for AWS credentials (Closed)
  - MOTOR-877 On-demand callback for AWS credentials (Closed)
  - NODE-3934 On-demand callback for AWS credentials (Closed)
  - PHPC-2048 On-demand callback for AWS credentials (Closed)
  - PYTHON-3091 On-demand callback for AWS credentials (Closed)
  - RUBY-2890 On-demand callback for AWS credentials (Closed)
  - RUST-1164 On-demand callback for AWS credentials (Closed)