Support MongoDB OIDC Built-in Authentication for access to MongoDB with AWS Principals


    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Major - P3
    • None
    • Component/s: Authentication
    • None
    • Needed

      Summary of necessary driver changes

      •  

      Commits for syncing spec/prose tests
      (and/or refer to an existing language POC if needed)

      •  

      Context for other referenced/linked tickets

      •  
      Key Status/Resolution FixVersion
      CDRIVER-6216 Blocked
      CXX-3407 Blocked
      CSHARP-5857 Blocked
      GODRIVER-3798 Blocked
      JAVA-6076 Blocked
      NODE-7416 Blocked
      PYTHON-5707 Blocked
      PHPLIB-1777 Blocked
      RUBY-3763 Blocked
      RUST-2350 Blocked

      Currently, MongoDB Atlas uses the MONGODB-AWS authentication mechanism to allow access to databases with AWS IAM principals. While this is seamless for users (the driver handles the STS calls), it relies on an architecture that was not purpose-built and has never been the path officially promoted by AWS for outbound federation. We previously published a document assessing the risk and highlighting the ideal state.

      Last year, AWS addressed this gap by announcing the General Availability of AWS IAM Outbound Federation in November 2025. This new mechanism allows us to provide database access to AWS IAM using MongoDB Workload Identity Federation, which we already use for database access with Azure Managed Identities and GCP Service Accounts.

      Drivers would need to have implemented DRIVERS-2415 as a prerequisite to adding support for AWS IAM Outbound Federation. Priority drivers would be Java, C#, Python and Node.js.

            Assignee:
            Unassigned
            Reporter:
            Alex Bevilacqua
            Votes:
            0
            Watchers:
            3

              Created:
              Updated: