Node.js Driver
NODE-5477

Add support for setting AWS region from environment variable for STSClient


      1. What would you like to communicate to the user about this feature?

      When using IAM AssumeRoleWithWebIdentity AWS authentication, the driver uses the @aws-sdk/credential-providers package to contact the Security Token Service (STS) API for temporary credentials. AWS recommends using Regional AWS STS endpoints instead of the global endpoint to reduce latency, build in redundancy, and increase session token validity. Unfortunately, the environment variables AWS_STS_REGIONAL_ENDPOINTS and AWS_REGION do not directly control the region that the SDK's STS client contacts for credentials.

      The driver now detects these variables and passes the corresponding region options when it calls the SDK's API: fromNodeProviderChain().

      Important
      The driver will only set region options if BOTH environment variables are present. AWS_STS_REGIONAL_ENDPOINTS MUST be set to either 'legacy' or 'regional', and AWS_REGION must be set.

      2. Would you like the user to see examples of the syntax and/or executable code and its output?

      I don't think examples apply. I would update https://www.mongodb.com/docs/drivers/node/current/fundamentals/authentication/mechanisms/#mongodb-aws under the "Web Identity Token File" tab to mention these environment variables will be used to determine region now.

      3. Which versions of the driver/connector does this apply to?

      Should be 6.0.1 and 5.8.2; however, it may land in the next minor if we complete a feature before the next release.


      Use Case

      As an AWS authentication user
      I want to control the region where the STS Client sends its requests
      So that I can reduce latency for my application

      Reference

      User Impact

      • Currently us-east-1 is always used when fromNodeProviderChain (the aws-sdk credential-provider API) is invoked.
      • If the AWS_REGION environment variable is defined, its value will be used as the STS client's region setting.

      Dependencies

      • None

      Unknowns

      • Are there sources for region other than env?
        • Yes, there are well-known config ini files with region information. However, supporting those adds the complexity of distinguishing between multiple profiles, so we will defer that support for the time being.

      Acceptance Criteria

      Implementation Requirements

      • Use a non-zero-length AWS_REGION from process.env
      • Pass the value as `clientConfig: { region }` where we call fromNodeProviderChain

      • Fix in v5 and v6
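      The gating rule from the "Important" note above and the `clientConfig: { region }` implementation requirement, written out as an added example helper that is not the driver's own code; the function names and the injectable `env` parameter are assumptions, and the result is assumed to be passed as the options argument of fromNodeProviderChain().

```javascript
// Added example (not the Node.js driver's own code): derives the STS client
// region options from the two environment variables described in the ticket.
// Assumes the result is passed as the options argument of
// fromNodeProviderChain() from @aws-sdk/credential-providers.

const STS_ENDPOINT_MODES = new Set(['legacy', 'regional']);

/**
 * Inspects the environment and reports which STS region (if any) should be
 * configured, plus a human-readable reason, so an operator can tell why STS
 * traffic is still going to the default (us-east-1) endpoint.
 * `env` defaults to process.env and is injectable for tests.
 */
function resolveStsRegion(env = process.env) {
  const mode = env.AWS_STS_REGIONAL_ENDPOINTS;
  const region = (env.AWS_REGION ?? '').trim();

  if (mode === undefined) {
    return { region: null, reason: 'AWS_STS_REGIONAL_ENDPOINTS is not set' };
  }
  if (!STS_ENDPOINT_MODES.has(mode)) {
    return {
      region: null,
      reason: `AWS_STS_REGIONAL_ENDPOINTS must be 'legacy' or 'regional', got '${mode}'`,
    };
  }
  if (region.length === 0) {
    return { region: null, reason: 'AWS_REGION is not set or empty' };
  }
  return { region, reason: `both variables present; STS region is ${region}` };
}

/**
 * Builds the options object for fromNodeProviderChain(): the region is only
 * set when BOTH variables are valid; otherwise an empty object leaves the
 * SDK's default behaviour untouched.
 */
function stsRegionOptions(env = process.env) {
  const { region } = resolveStsRegion(env);
  return region === null ? {} : { clientConfig: { region } };
}

// Usage at credential-provider setup time (constructed, not executed here):
//   const { fromNodeProviderChain } = require('@aws-sdk/credential-providers');
//   const provider = fromNodeProviderChain(stsRegionOptions());
```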

      Testing Requirements

      • Reuse the AWS testing we have, add a test that connects to MongoDB while AWS_REGION is set and validate the http request is routed to the correct region

      Documentation Requirements

      Follow Up Requirements

      • None


            Assignee:
            neal.beeken@mongodb.com Neal Beeken
            Reporter:
            neal.beeken@mongodb.com Neal Beeken
            Votes:
            2
            Watchers:
            4
