Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-2011

On-demand callback for AWS credentials

    • Type: Icon: New Feature New Feature
    • Resolution: Won't Do
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Component/s: Authentication
    • None
    • Not Needed
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      CXX-2437 Won't Do
      CSHARP-4033 Won't Do
      GODRIVER-2293 Won't Do
      JAVA-4464 Won't Do
      NODE-3934 Won't Do
      MOTOR-877 Duplicate
      PYTHON-3091 Won't Do
      PHPC-2048 Won't Do
      RUBY-2890 Won't Do
      RUST-1164 Won't Do
      SWIFT-1471 Won't Do
      CDRIVER-4467 Won't Do
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion CXX-2437 Won't Do CSHARP-4033 Won't Do GODRIVER-2293 Won't Do JAVA-4464 Won't Do NODE-3934 Won't Do MOTOR-877 Duplicate PYTHON-3091 Won't Do PHPC-2048 Won't Do RUBY-2890 Won't Do RUST-1164 Won't Do SWIFT-1471 Won't Do CDRIVER-4467 Won't Do

      Summary

      Add a callback to supply AWS credentials on-demand.

      This is a request to specify an API equivalent to JAVA-4310.

      Motivation

      The Driver Authentication specification describes four ways of obtaining credentials for the MONGODB-AWS authentication mechanism.

      1. From the URI username, password, and options.
      2. From environment variables.
      3. From querying an endpoint for credentials in ECS.
      4. From querying an endpoint for credentials in EC2.

      A callback helps with these use cases:
      1. Caching credentials. In (3) and (4) the endpoint is queried each time a connection handshake results in authentication. This may result in hitting rate limits.
      2. Avoid session token expiration. The AWS session token set in (1) or (2) may be temporary and can expire. A callback enables passing and refreshing credentials in environments like EKS with assigned IAM roles.
      3. Obtain credentials in EKS environments.

      Who is the affected end user?

      Users authenticating with MONGODB-AWS.

      How does this affect the end user?

      I do not know if there is a workaround for hitting rate limits in ECS. Users may be blocked.

      If AWS credentials are passed through URI options, credentials may expire and result in failed authentication attempts. The workaround is requires recreating a MongoClient. The workaround is undesirable.

      Authenticating with AWS in EKS requires an undesirable workaround by passing URI options.

      How likely is it that this problem or use case will occur?

      Likely for EKS users.

      If the problem does occur, what are the consequences and how severe are they?

      Hitting rate limits may result in temporary unavailability.

      Handling credential expiration is less severe. The workaround is to recreate the MongoClient. It is an undesirable workaround.

      Authenticating with AWS in EKS is less severe. The workaround is to recreate the MongoClient. It is an undesirable workaround.

      Is this issue urgent?

      No.

      Is this ticket required by a downstream team?

      No.

      Is this ticket only for tests?

      No.

            Assignee:
            Unassigned Unassigned
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Kevin Albertson Kevin Albertson
            Rachelle Palmer Rachelle Palmer
            Esha Bhargava Esha Bhargava
            Votes:
            6 Vote for this issue
            Watchers:
            27 Start watching this issue

              Created:
              Updated:
              Resolved: