Loading...

XML

Word

Printable

JSON

Type: Epic
Resolution: Unresolved
Priority: Major - P3
Fix Version/s: 2.9.0
Affects Version/s: None
Component/s: None
Labels:
None

Epic Name:
AWS SDK submodule
Assigned Teams:

Go Drivers
Documentation Changes:
Needed
Documentation Changes Summary:

Hide
1. What would you like to communicate to the user about this feature?
2. Would you like the user to see examples of the syntax and/or executable code and its output?
3. Which versions of the driver/connector does this apply to?

Show
1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?
Epic Status:
In Progress

Quarter:
- FY27Q2
Scope Cost Estimate:
0
Cost to Date:
0
Final Cost Estimate:
0
Cost Threshold %:
100
Confidence Status:
None
Latest Project Update:
None
Detailed Project Statuses:
None
Estimated Weeks:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None
Goal Tier(s):
None

Summary

The Go Driver's built-in MONGODB-AWS authenticator uses a hand-rolled, minimal AWS credential chain that cannot keep pace with the AWS ecosystem. Users cannot plug in the official AWS SDK v2 credential chain, meaning they cannot use modern AWS authentication mechanisms like EKS Pod Identity without workarounds.

We are trying to:

Expose a stable interface in mongo/options so users can supply their own credential source.
Ship an optional "ext/awsauth" submodule that wraps the AWS SDK v2 so users get the full AWS credential chain by simply passing cfg.Credentials from config.LoadDefaultConfig.

Motivation

Who is the affected end user?

Go driver users, for example, who want to use EKS Pod Identity, or who deploy services on AWS Lambda, where the runtime injects AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY automatically.

How does this affect the end user?

The internal credential chain does not support newer AWS mechanisms (e.g., EKS Pod Identity and regional STS endpoints). Adding each new mechanism requires modifying the driver, which perpetually lags behind the AWS SDK.
In environments where AWS credentials are injected automatically (AWS Lambda, EKS), the existing credential-fetching order makes it impossible for users to override credentials with a custom provider.
Users who need advanced AWS features (e.g., EKS Pod Identity users) have raised multiple support cases (e.g., HELP-78444) that cannot be resolved without this work.
The built-in SigV4 signing and credential-fetching code carries CVE risk: patches released by AWS in the SDK do not automatically apply to the driver.

How likely is it that this problem or use case will occur?

More of a main path than an edge case in the AWS environment. See HELP-78444 for example.

If the problem does occur, what are the consequences and how severe are they?

From a usability issue for users who are blocked from using Pod Identity or SDK-managed short-lived credentials, to a latent security risk, as the internal signing/credential code does not benefit from AWS SDK patches.

Is this issue urgent?

No, AFAIK.

Is this ticket required by a downstream team?

No, AFAIK.

Is this ticket only for tests?

Cast of Characters

Engineering Lead:
Document Author:
POCers:
Product Owner:
Program Manager:
Stakeholders:

Channels & Docs

Slack Channel

Scope Document

[Technical Design Document|some.url]

Assignee:: Qingyang Hu
Reporter:: Matt Dale
Engineering Lead:: Daria Pardue
Goal DRI(s):: None
Votes:: 0 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: May 01 2026 06:14:09 PM UTC
Updated:: Jun 25 2026 02:34:29 PM UTC
Target start:: None
Target end:: None
Start date:: None
End date:: None
Confidence Status Last Update:: None
Goal Completion Date:: None

Details

Description