Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-2333

Cache AWS Credentials Where Possible

XMLWordPrintableJSON

    • Type: Icon: New Feature New Feature
    • Resolution: Done
    • Priority: Icon: Unknown Unknown
    • None
    • Component/s: Authentication
    • Labels:
    • Needed
    • Hide

      Summary of required changes

      • Create an internal cache for fetched AWS credentials used by the driver
      • Add integration tests to verify cache usage

      Additional background

      Please see https://github.com/mongodb/specifications/commit/364761d3dae5e430b0812f23786b592f4bb629c1 for the specification change and https://github.com/mongodb/specifications/commit/745e486dd03f0d724c68593bf9ddb017d2d58fa6 for a follow-up to tests.

      Please see https://github.com/mongodb/mongo-csharp-driver/commit/3d67e80c3553051286afed4c3e7ba7aabcf7cba3 for a reference implementation in C#.

      Integration test

      Drivers are expected to add an integration test as described in the specification change

      Show
      Summary of required changes Create an internal cache for fetched AWS credentials used by the driver Add integration tests to verify cache usage Additional background Please see https://github.com/mongodb/specifications/commit/364761d3dae5e430b0812f23786b592f4bb629c1 for the specification change and https://github.com/mongodb/specifications/commit/745e486dd03f0d724c68593bf9ddb017d2d58fa6 for a follow-up to tests. Please see https://github.com/mongodb/mongo-csharp-driver/commit/3d67e80c3553051286afed4c3e7ba7aabcf7cba3  for a reference implementation in C#. Integration test Drivers are expected to add an integration test as described in the specification change
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      PYTHON-3313 Fixed pymongo-auth-aws-1.1.0, 4.3
      CDRIVER-4439 Fixed 1.24.0
      CXX-2554 Works as Designed 3.8.0
      CSHARP-4273 Fixed 2.18.0
      GODRIVER-2504 Fixed 1.12.0
      JAVA-4690 Won't Fix
      NODE-4478 Done
      MOTOR-1002 Duplicate
      PHPC-2158 Fixed 1.16.0
      RUBY-3066 Fixed 2.19.0
      RUST-1420 Fixed 2.7.0
      SWIFT-1613 Won't Do
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion PYTHON-3313 Fixed pymongo-auth-aws-1.1.0, 4.3 CDRIVER-4439 Fixed 1.24.0 CXX-2554 Works as Designed 3.8.0 CSHARP-4273 Fixed 2.18.0 GODRIVER-2504 Fixed 1.12.0 JAVA-4690 Won't Fix NODE-4478 Done MOTOR-1002 Duplicate PHPC-2158 Fixed 1.16.0 RUBY-3066 Fixed 2.19.0 RUST-1420 Fixed 2.7.0 SWIFT-1613 Won't Do

      Summary

      Currently drivers are querying an AWS link-local endpoint each time a connection handshake results in authentication. This may result in hitting a rate limit.  Drivers should cache fetched AWS credentials if the expiration time is known, and only re-fetch the credentials when they are about to expire.

      Motivation

      Who is the affected end user?

      Users authenticating with MONGODB-AWS using automatic credential lookup.

      How does this affect the end user?

      Hitting rate limits may result in temporary unavailability.

      How likely is it that this problem or use case will occur?

      Likely for EKS and ECS users with many simultaneous connections.

      If the problem does occur, what are the consequences and how severe are they?

      Authentication failures requiring backoff and retry attempts.

      Is this issue urgent?

      No

      Is this ticket required by a downstream team?

      No

      Is this ticket only for tests?

      No

            Assignee:
            steve.silvester@mongodb.com Steve Silvester
            Reporter:
            steve.silvester@mongodb.com Steve Silvester
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: