DRIVERS-2011

On-demand callback for AWS credentials

Details

    • New Feature
    • Status: Closed
    • Major - P3
    • Resolution: Won't Do
    • Authentication
    • None
    • Not Needed

    Description

      Summary

      Add a callback to supply AWS credentials on-demand.

      This is a request to specify an API equivalent to JAVA-4310.

      Motivation

      The Driver Authentication specification describes four ways of obtaining credentials for the MONGODB-AWS authentication mechanism.

      1. From the URI username, password, and options.
      2. From environment variables.
      3. From querying an endpoint for credentials in ECS.
      4. From querying an endpoint for credentials in EC2.

      A callback helps with these use cases:
      1. Caching credentials. In (3) and (4) the endpoint is queried each time a connection handshake results in authentication. This may result in hitting rate limits.
      2. Avoid session token expiration. The AWS session token set in (1) or (2) may be temporary and can expire. A callback enables passing and refreshing credentials in environments like EKS with assigned IAM roles.
      3. Obtain credentials in EKS environments.

      Who is the affected end user?

      Users authenticating with MONGODB-AWS.

      How does this affect the end user?

      I do not know if there is a workaround for hitting rate limits in ECS. Users may be blocked.

      If AWS credentials are passed through URI options, credentials may expire and result in failed authentication attempts. The workaround requires recreating a MongoClient. The workaround is undesirable.

      Authenticating with AWS in EKS requires an undesirable workaround by passing URI options.

      How likely is it that this problem or use case will occur?

      Likely for EKS users.

      If the problem does occur, what are the consequences and how severe are they?

      Hitting rate limits may result in temporary unavailability.

      Handling credential expiration is less severe. The workaround is to recreate the MongoClient. It is an undesirable workaround.

      Authenticating with AWS in EKS is less severe. The workaround is to recreate the MongoClient. It is an undesirable workaround.

      Is this issue urgent?

      No.

      Is this ticket required by a downstream team?

      No.

      Is this ticket only for tests?

      No.
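
The caching and refresh behavior that use cases 1 and 2 in the Motivation section ask for, sketched in Python as an added example (not part of the ticket and not any driver's API). `AwsCredentials`, `CachingCredentialCallback`, `simulate`, the 300-second refresh window and the one-hour lifetime are assumptions, and the credential source is a constructed stand-in for the ECS/EC2 endpoint.

```python
import threading
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str = field(repr=False)  # keep secrets out of logs
    session_token: str = field(repr=False)
    expiration: float  # Unix time after which the session token is invalid


class CachingCredentialCallback:
    """Hypothetical on-demand callback: caches credentials, refreshes near expiry."""

    def __init__(self, fetch, refresh_window=300.0, clock=time.time):
        self._fetch = fetch                  # queries the real credential source
        self._refresh_window = refresh_window
        self._clock = clock
        self._lock = threading.Lock()        # handshakes run on many threads
        self._cached = None

    def __call__(self):
        with self._lock:
            creds = self._cached
            if creds is None or creds.expiration - self._clock() <= self._refresh_window:
                creds = self._fetch()
                if creds.expiration <= self._clock():
                    raise ValueError("credential source returned expired credentials")
                self._cached = creds
            return creds


def simulate(handshakes, step_seconds, lifetime=3600.0):
    """Constructed run: returns how many times the credential source was queried."""
    now, queries = [0.0], [0]

    def fetch():  # constructed stand-in for the ECS/EC2 credential endpoint
        queries[0] += 1
        return AwsCredentials("constructed-key-id", "constructed-secret",
                              f"constructed-token-{queries[0]}", now[0] + lifetime)

    callback = CachingCredentialCallback(fetch, clock=lambda: now[0])
    for _ in range(handshakes):
        callback()           # one call per connection handshake
        now[0] += step_seconds
    return queries[0]
```

Refreshing inside the window rather than at the expiration time means a handshake never starts with a token that expires mid-authentication.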

            People

              Unassigned
              Kevin Albertson (kevin.albertson@mongodb.com)
              Kevin Albertson
              Rachelle Palmer
              Esha Bhargava
              Votes: 6
              Watchers: 27
