- Type: New Feature
- Resolution: Won't Fix
- Priority: Unknown
- Affects Version/s: None
- Component/s: None
Background & Motivation
The Driver Authentication specification describes four ways of obtaining credentials for the MONGODB-AWS authentication mechanism.
1. From the URI username, password, and options.
2. From environment variables.
3. From querying an endpoint for credentials in ECS.
4. From querying an endpoint for credentials in EC2.
This is a request to implement an API equivalent to JAVA-4310. JAVA-4310 is currently marked as beta API.
The original motivation for this feature request is to enable a way to cache credentials. In (3) and (4) the endpoint is queried each time a connection handshake results in authentication. This can result in hitting
There are other motivations. The AWS session token set in (1) or (2) may be temporary and can expire. A callback enables passing and refreshing credentials in environments like EKS with assigned IAM roles.
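The caching motivation above, sketched as an added example (not code from this ticket, from JAVA-4310, or from any MongoDB driver): a callback wrapper that queries the credential source only when the cached credentials are missing or close to expiry. `AwsCredentials`, `CachingAwsCredentialProvider`, the `fetch` callable and the 300-second refresh window are hypothetical names and values chosen for illustration.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str]   # set for temporary credentials
    expiration: Optional[float]    # epoch seconds; None means non-expiring


class CachingAwsCredentialProvider:
    """Hypothetical callback: hands out cached credentials to each
    authentication attempt and re-queries the source only when needed."""

    def __init__(self, fetch: Callable[[], AwsCredentials],
                 refresh_window: float = 300.0,        # assumed safety margin
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch            # e.g. a query to the ECS or EC2 endpoint
        self._refresh_window = refresh_window
        self._clock = clock
        self._lock = threading.Lock()
        self._cached: Optional[AwsCredentials] = None

    def _is_fresh(self, creds: Optional[AwsCredentials]) -> bool:
        if creds is None:
            return False
        if creds.expiration is None:
            return True
        # Refresh early so a handshake never starts with a token about to expire.
        return creds.expiration - self._clock() > self._refresh_window

    def __call__(self) -> AwsCredentials:
        # Holding the lock across the fetch means concurrent handshakes
        # trigger one endpoint query instead of one query each.
        with self._lock:
            if not self._is_fresh(self._cached):
                self._cached = self._fetch()
            return self._cached

    def invalidate(self) -> None:
        # Call after an authentication failure so the next attempt refetches.
        with self._lock:
            self._cached = None
```

The wrapper never logs or copies the secret fields, and `invalidate()` gives the caller a way to drop credentials that the server has rejected before their stated expiration.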
Scope
- Add client option callback to supply AWS credentials on each authentication attempt.
- Add client option as unstable API.
- depends on: DRIVERS-2011 On-demand callback for AWS credentials (Closed)
- is related to: GODRIVER-2081 Add native support for AWS IAM Roles for service accounts, EKS in particular (Closed)