- Type: Bug
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Authentication
Use Case
AWS auth environment variables and credentials are accessed in the driver in two places:
- During options parsing, when we resolve the user-provided credentials
- During authentication, from the AWS SDK but only if the username hasn't been resolved yet
Because the environment is read during options parsing (constructing a MongoCredentials object), if the user has AWS auth environment variables in the environment but wants to authenticate with a different mechanism, the environment variables always take precedence over other forms of authentication. Our tests do not cover this case: we are very careful to always unset AWS environment variables to ensure we always authenticate using the correct AWS authentication credential mechanism, but that also means we don't have a test where we expect authentication to fail if environment credentials are used instead of other authentication mechanisms.
Specifically, this is the case in AWS Lambda, if the user wants to use a different credential fetching mechanism (see NODE-6393): auth.md#environment-variables.
User Experience
Users might see authentication failures because the wrong credentials are used for authentication.
Dependencies
n/a
Risks/Unknowns
n/a
Acceptance Criteria
Implementation Requirements
- Ensure that AWS credentials are only read from the environment if the AWS SDK is not installed or a custom provider is not provided.
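The following is an added sketch, not driver code, of why reading the environment at options-parsing time masks a custom provider, and of how deferring the lookup to authentication time avoids it. All function names, the sample values, and the custom provider, SDK, environment ordering are assumptions based on the requirement above and the title of DRIVERS-3207.

```javascript
// Hypothetical model of the two lookup points in this ticket; not driver code.
// Constructed sample values, not real credentials.
const SAMPLE_ENV = { AWS_ACCESS_KEY_ID: 'ENV_KEY', AWS_SECRET_ACCESS_KEY: 'ENV_SECRET' };
const sampleProvider = () => ({ accessKeyId: 'STS_KEY', secretAccessKey: 'STS_SECRET' });

// Behaviour reported here: options parsing fills missing credentials from env.
function parseOptionsEager(options, env) {
  const fromEnv = !options.username && Boolean(env.AWS_ACCESS_KEY_ID);
  return {
    username: options.username ?? env.AWS_ACCESS_KEY_ID,
    password: options.password ?? env.AWS_SECRET_ACCESS_KEY,
    source: options.username ? 'explicit' : fromEnv ? 'environment' : 'none'
  };
}

// Requested behaviour: parsing keeps only what the user passed.
function parseOptionsDeferred(options) {
  return {
    username: options.username,
    password: options.password,
    source: options.username ? 'explicit' : 'none'
  };
}

// Authentication step: providers are consulted only when no username is set.
// Real providers are asynchronous; kept synchronous to keep the model short.
function resolveAtAuth(creds, { customProvider, sdkProvider, env = {} }) {
  if (creds.username) return creds;
  const candidates = [
    ['custom-provider', customProvider],
    ['aws-sdk', sdkProvider],
    ['environment', env.AWS_ACCESS_KEY_ID
      ? () => ({ accessKeyId: env.AWS_ACCESS_KEY_ID, secretAccessKey: env.AWS_SECRET_ACCESS_KEY })
      : undefined]
  ];
  for (const [source, provider] of candidates) {
    if (!provider) continue;
    const { accessKeyId, secretAccessKey } = provider();
    return { username: accessKeyId, password: secretAccessKey, source };
  }
  throw new Error('no AWS credentials available');
}

const ctx = { customProvider: sampleProvider, env: SAMPLE_ENV };
const eager = resolveAtAuth(parseOptionsEager({}, SAMPLE_ENV), ctx);
const deferred = resolveAtAuth(parseOptionsDeferred({}), ctx);
console.log(eager.source, deferred.source);
```

A regression test for this ticket would leave the AWS environment variables set and assert that the custom provider's credentials are the ones used.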
Testing Requirements
- tbd.
Documentation Requirements
- n/a
Follow Up Requirements
- n/a
- is related to
- DRIVERS-3207 Custom AWS credential provider must be used before all other credential fetching mechanisms (Backlog)
- NODE-6393 Authenticate lambda with IAM credentials obtained via STS (Investigating)