  1. Drivers
  2. DRIVERS-2011

On-demand callback for AWS credentials

    • Type: New Feature
    • Resolution: Won't Do
    • Priority: Major - P3
    • None
    • Component/s: Authentication
    • Labels:
      None
    • Not Needed
      Key Status/Resolution FixVersion
      CXX-2437 Won't Do
      CSHARP-4033 Won't Do
      GODRIVER-2293 Won't Do
      JAVA-4464 Won't Do
      NODE-3934 Won't Do
      MOTOR-877 Duplicate
      PYTHON-3091 Won't Do
      PHPC-2048 Won't Do
      RUBY-2890 Won't Do
      RUST-1164 Won't Do
      SWIFT-1471 Won't Do
      CDRIVER-4467 Won't Do

      Summary

      Add a callback to supply AWS credentials on-demand.

      This is a request to specify an API equivalent to JAVA-4310.

      Motivation

      The Driver Authentication specification describes four ways of obtaining credentials for the MONGODB-AWS authentication mechanism.

      1. From the URI username, password, and options.
      2. From environment variables.
      3. From querying an endpoint for credentials in ECS.
      4. From querying an endpoint for credentials in EC2.

      A callback helps with these use cases:
      1. Caching credentials. In (3) and (4) the endpoint is queried each time a connection handshake results in authentication. This may result in hitting rate limits.
      2. Avoid session token expiration. The AWS session token set in (1) or (2) may be temporary and can expire. A callback enables passing and refreshing credentials in environments like EKS with assigned IAM roles.
      3. Obtain credentials in EKS environments.

      Who is the affected end user?

      Users authenticating with MONGODB-AWS.

      How does this affect the end user?

      I do not know if there is a workaround for hitting rate limits in ECS. Users may be blocked.

      If AWS credentials are passed through URI options, credentials may expire and result in failed authentication attempts. The workaround requires recreating a MongoClient. The workaround is undesirable.

      Authenticating with AWS in EKS requires an undesirable workaround by passing URI options.

      How likely is it that this problem or use case will occur?

      Likely for EKS users.

      If the problem does occur, what are the consequences and how severe are they?

      Hitting rate limits may result in temporary unavailability.

      Handling credential expiration is less severe. The workaround is to recreate the MongoClient. It is an undesirable workaround.

      Authenticating with AWS in EKS is less severe. The workaround is to recreate the MongoClient. It is an undesirable workaround.

      Is this issue urgent?

      No.

      Is this ticket required by a downstream team?

      No.

      Is this ticket only for tests?

      No.
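
An added sketch, not part of the ticket and not any driver's API, of the caching and refresh behaviour that use cases 1 and 2 under Motivation ask a callback to enable. `AwsCredentials`, `CachingCredentialSource`, the 300-second refresh margin and the fake endpoint in `simulate` are hypothetical and constructed for illustration.

```python
import threading
import time
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str = field(repr=False)  # keep secrets out of logs/reprs
    session_token: str = field(repr=False)
    expires_at: float = field()                 # epoch seconds

class CachingCredentialSource:
    """Hypothetical callback wrapper: one endpoint query serves many handshakes."""
    def __init__(self, fetch: Callable[[], AwsCredentials],
                 refresh_margin: float = 300.0, clock=time.time):
        self._fetch = fetch
        self._margin = refresh_margin   # refresh this long before expiry
        self._clock = clock
        self._lock = threading.Lock()
        self._cached = None

    def __call__(self) -> AwsCredentials:
        with self._lock:  # concurrent handshakes share a single fetch
            creds = self._cached
            if creds is None or self._clock() >= creds.expires_at - self._margin:
                creds = self._fetch()
                if creds.expires_at <= self._clock():
                    raise ValueError("credential source returned expired credentials")
                self._cached = creds
            return creds

    def invalidate(self) -> None:
        """Drop the cache, e.g. after the server rejects the credentials."""
        with self._lock:
            self._cached = None

def simulate(handshake_times, ttl=3600.0, margin=300.0):
    """Constructed demo: returns (endpoint_queries, session token per handshake)."""
    now, calls = [0.0], [0]
    def fake_endpoint():  # stands in for the ECS/EC2 credential endpoint
        calls[0] += 1
        return AwsCredentials("ASIA-CONSTRUCTED", "constructed-secret",
                              f"token-{calls[0]}", now[0] + ttl)
    source = CachingCredentialSource(fake_endpoint, margin, clock=lambda: now[0])
    tokens = []
    for t in handshake_times:
        now[0] = t
        tokens.append(source().session_token)
    return calls[0], tokens
```

Seven simulated handshakes over roughly two hours reach the endpoint three times, and no handshake is handed a token within five minutes of expiry.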

            Assignee:
            Unassigned
            Reporter:
            Kevin Albertson (kevin.albertson@mongodb.com)
            Kevin Albertson
            Rachelle Palmer
            Esha Bhargava
            Votes:
            6
            Watchers:
            27
