The Java driver supports authenticating with AWS credentials, according to this specification of driver behavior. However, there are some use cases where the application requires the ability to refresh the session token, since it is temporary. Currently, the only way to refresh a session token is to create a new MongoClient with a new MongoCredential.
Additionally, there are some use cases for obtaining session tokens that the driver does not support, e.g. the Elastic Kubernetes Service (EKS).
The driver could enable these use cases by allowing the application to register a callback with the MongoClient that the driver invokes before every authentication attempt (essentially, every time a connection is opened). This callback will return an object containing all the information needed to authenticate: the access key id, the secret access key, and the session token. It is up to the application providing the callback to ensure that these values are valid and have not yet expired.
The proposed API includes a simple value class called AwsCredential that includes the three aforementioned pieces of information – the access key id, the secret access key, and the session token – none of which can be null. The callback itself must be added as a MongoCredential mechanism property with the name "AWS_CREDENTIAL_PROVIDER_KEY" whose value is of type Supplier<AwsCredential>. If this mechanism property is included in the MongoCredential, the driver will use it to obtain the AWS credentials in preference to all other mechanisms defined in the Obtaining Credentials section of the specification.
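As an added illustration (not code from the ticket or the driver), the following shows how an application could implement the proposed Supplier<AwsCredential>: it caches a temporary credential, refreshes it from an application-provided source shortly before expiry, and registers it under the mechanism property named above. The AwsCredential constructor and the "AWS_CREDENTIAL_PROVIDER_KEY" property name follow the proposal as described here; TokenSource, Fetched and RefreshingAwsCredentialSupplier are hypothetical names introduced for this example.

```java
import com.mongodb.AwsCredential;
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;

import java.time.Duration;
import java.time.Instant;
import java.util.Objects;
import java.util.function.Supplier;

/** Caches a temporary AWS credential and refreshes it shortly before it expires. */
public final class RefreshingAwsCredentialSupplier implements Supplier<AwsCredential> {

    /** Hypothetical application hook that obtains a fresh token (e.g. from STS or a pod identity endpoint). */
    public interface TokenSource {
        Fetched fetch();
    }

    /** A fetched credential together with the instant at which it stops being valid. */
    public record Fetched(String accessKeyId, String secretAccessKey, String sessionToken, Instant expiresAt) {}

    /** Refresh this long before expiry so a token is never handed to the driver already expired. */
    private static final Duration REFRESH_MARGIN = Duration.ofMinutes(5);

    private final TokenSource source;
    private Fetched cached;

    public RefreshingAwsCredentialSupplier(TokenSource source) { this.source = Objects.requireNonNull(source); }

    /** Called by the driver before every authentication attempt; synchronized so concurrent connection opens share one refresh. */
    @Override
    public synchronized AwsCredential get() {
        if (cached == null || Instant.now().plus(REFRESH_MARGIN).isAfter(cached.expiresAt())) {
            cached = source.fetch();
        }
        // The proposal forbids null fields, so fail here with a clear message rather than inside the driver.
        return new AwsCredential(
                Objects.requireNonNull(cached.accessKeyId(), "accessKeyId"),
                Objects.requireNonNull(cached.secretAccessKey(), "secretAccessKey"),
                Objects.requireNonNull(cached.sessionToken(), "sessionToken"));
    }

    /** Builds a client whose MONGODB-AWS credential is supplied by the refreshing callback. */
    public static MongoClient connect(String connectionString, TokenSource source) {
        MongoCredential credential = MongoCredential.createAwsCredential(null, null)
                .withMechanismProperty("AWS_CREDENTIAL_PROVIDER_KEY", new RefreshingAwsCredentialSupplier(source));
        return MongoClients.create(MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(connectionString))
                .credential(credential)
                .build());
    }
}
```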
- is related to JAVA-4118 Add support for EKS when using AWS IAM roles for database authentication
- related to DRIVERS-1746 Add native support for AWS IAM Roles for service accounts, EKS in particular