Custom AWS credential provider must be used before all other credential fetching mechanisms


      Key Status/Resolution FixVersion
      CDRIVER-6057 Backlog
      CXX-3315 Backlog
      CSHARP-5652 Backlog
      GODRIVER-3615 Backlog
      JAVA-5920 Blocked
      NODE-7047 Backlog
      PYTHON-5446 Blocked
      PHPLIB-1693 Blocked
      RUBY-3687 Blocked
      RUST-2249 Blocked

      Summary

      The ordering of AWS credential fetching defined in the auth spec is:

      1. The URI
      2. Environment variables
      3. A custom AWS credential provider if the driver supports it.
      4. Using `AssumeRoleWithWebIdentity` if `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` are set.
      5. The ECS endpoint if `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set. Otherwise, the EC2 endpoint.

However, some environments (ex: AWS Lambda) automatically populate the AWS-auth related environment variables. Because environment variables are checked before the custom provider, a custom credential provider can never be used to obtain credentials in those environments (ex: Node bug).

      The custom credential provider likely should have highest precedence of all credential fetching mechanisms.
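The following is an added illustration of the precedence question, not code from any driver or from the auth spec. It models the five-step chain above as a list of callables and lets the caller choose where a custom provider sits, so the effect of the proposed reordering (and the scenario the acceptance criteria ask to test: AWS variables present in the environment, a non-env mechanism intended) can be checked offline. All names (`resolve_credentials`, `AwsCredentials`, `custom_provider`, `LAMBDA_ENV`) are constructed for the example; the web-identity and ECS/EC2 steps return marker credentials instead of calling AWS.

```python
"""Precedence of AWS credential sources (added illustration, not driver code).

Names such as resolve_credentials, AwsCredentials and the LAMBDA_ENV dict are
constructed for this example.  The web-identity and ECS/EC2 steps are stand-ins
that return marker credentials instead of calling AWS.
"""
from dataclasses import dataclass
from typing import Callable, Mapping, Optional


@dataclass(frozen=True)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None
    source: str = ""  # records which mechanism produced the credentials


Provider = Callable[[], Optional[AwsCredentials]]


# Step 1 (spec): credentials passed in the connection URI.
def from_uri(uri_opts: Mapping[str, str]) -> Optional[AwsCredentials]:
    if uri_opts.get("username") and uri_opts.get("password"):
        return AwsCredentials(uri_opts["username"], uri_opts["password"],
                              uri_opts.get("session_token"), "uri")
    return None


# Step 2 (spec): the standard AWS environment variables.
def from_env(env: Mapping[str, str]) -> Optional[AwsCredentials]:
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if key and secret:
        return AwsCredentials(key, secret, env.get("AWS_SESSION_TOKEN"), "env")
    return None


# Step 4 (spec): AssumeRoleWithWebIdentity, represented by a marker result.
def from_web_identity(env: Mapping[str, str]) -> Optional[AwsCredentials]:
    if env.get("AWS_WEB_IDENTITY_TOKEN_FILE") and env.get("AWS_ROLE_ARN"):
        return AwsCredentials("AKIA_WEB", "web-secret", "web-token", "web-identity")
    return None


# Step 5 (spec): ECS endpoint if the relative URI is set, otherwise EC2 metadata.
def from_metadata_endpoint(env: Mapping[str, str]) -> AwsCredentials:
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"):
        return AwsCredentials("AKIA_ECS", "ecs-secret", "ecs-token", "ecs")
    return AwsCredentials("AKIA_EC2", "ec2-secret", "ec2-token", "ec2")


# A user-supplied provider (hypothetical): e.g. pulls short-lived keys from a vault.
def custom_provider() -> Optional[AwsCredentials]:
    return AwsCredentials("AKIA_CUSTOM", "custom-secret", "custom-token", "custom-provider")


def resolve_credentials(uri_opts: Mapping[str, str], env: Mapping[str, str],
                        provider: Optional[Provider], custom_first: bool) -> AwsCredentials:
    """Return the first credentials produced by the chain.

    custom_first=False is the ordering in the auth spec today (custom provider
    after URI and environment); custom_first=True is the ordering the ticket
    proposes (custom provider ahead of every other mechanism).
    """
    chain: list[Provider] = []
    if custom_first and provider is not None:
        chain.append(provider)
    chain += [lambda: from_uri(uri_opts), lambda: from_env(env)]
    if not custom_first and provider is not None:
        chain.append(provider)
    chain += [lambda: from_web_identity(env), lambda: from_metadata_endpoint(env)]
    for step in chain:
        creds = step()
        if creds is not None:
            return creds
    raise RuntimeError("unreachable: the metadata step always returns credentials")


# Constructed to mimic what a Lambda-style runtime injects: the execution role's
# credentials are already present as environment variables.
LAMBDA_ENV = {
    "AWS_ACCESS_KEY_ID": "AKIA_LAMBDA_ROLE",
    "AWS_SECRET_ACCESS_KEY": "lambda-role-secret",
    "AWS_SESSION_TOKEN": "lambda-role-token",
}


def sources_in_lambda() -> tuple[str, str]:
    """Which source wins in a Lambda-like environment, under each ordering."""
    current = resolve_credentials({}, LAMBDA_ENV, custom_provider, custom_first=False)
    proposed = resolve_credentials({}, LAMBDA_ENV, custom_provider, custom_first=True)
    return current.source, proposed.source


if __name__ == "__main__":
    print("spec ordering -> %s, proposed ordering -> %s" % sources_in_lambda())
```

Under the spec ordering `sources_in_lambda()` reports that the environment variables win and the custom provider is never called; under the proposed ordering the custom provider wins. A driver test for the acceptance criteria below would be the same check run against the real driver: set the AWS variables, register a custom provider, and assert which mechanism actually produced the credentials.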

      Motivation

      Who is the affected end user?

      AWS auth users with custom credential providers.

      How does this affect the end user?

      Users are unable to authenticate in environments where AWS credentials are present in the environment but want to use a different credential fetching mechanism.

      How likely is it that this problem or use case will occur?

      Always, in certain environments.

      If the problem does occur, what are the consequences and how severe are they?

      Users are unable to authenticate without workarounds (ex: removing all AWS-auth related secrets from the environment before launching the driver process).

      Is this issue urgent?

Unsure.

      Is this ticket required by a downstream team?

No.

      Is this ticket only for tests?

No.

      Acceptance Criteria

      • Determine the correct precedence ordering of the credential fetching in drivers.
• Ensure that the correct ordering is tested; we likely need a test in an environment that has AWS auth variables in the environment but uses a non-env-variable auth mechanism.

Assignee: Unassigned
Reporter: Bailey Pearson
Daria Pardue
Alex Bevilacqua