NodeJS MongoDB AWS credential handler doesn't recognise Pod Identity Metadata service IP


    • Type: Bug
    • Resolution: Gone away
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: CMAP

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?


      Use Case

      Establishing a connection using Mongoose (which in turn calls the MongoDB node package) from a pod hosted in an AWS EKS cluster to MongoDB Atlas using an AWS IAM role.  The IAM role is associated to it via EKS Pod Identities. The httpPutResponseHopLimit is set to 1 (as per best practices) so the pod cannot use the IMDSv2 endpoint (and thus can't assume the host's role).

      User Experience

      • The package should be aware of the following parameter, which defines what IMDS endpoint to use for pod identities, and then use it (rather than the default): AWS_CONTAINER_CREDENTIALS_FULL_URI=http://169.254.170.23/v1/credentials
      • Ensure that the endpoint is not rejected
      • Example of rejection:
      MongoAWSError: 169.254.170.23 is not a valid container metadata service hostname
          at AWSSDKCredentialProvider.getCredentials (<redacted>/node_modules/mongodb/lib/cmap/auth/aws_temporary_credentials.js:113:19)
          at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
          at async makeTempCredentials (<redacted>/node_modules/mongodb/lib/cmap/auth/mongodb_aws.js:128:34)
          at async MongoDBAWS.auth (<redacted>/node_modules/mongodb/lib/cmap/auth/mongodb_aws.js:41:39)
          at async performInitialHandshake (<redacted>/node_modules/mongodb/lib/cmap/connect.js:104:13)
          at async connect (<redacted>/node_modules/mongodb/lib/cmap/connect.js:24:9) 

      Dependencies

      • EKS Pod Identities is configured correctly.

      Risks/Unknowns

      • None identified

      Acceptance Criteria

      Implementation Requirements

      • Connection to MongoDB Atlas using the credentials provided through EKS Pod Identities
      • Automatic refresh of the token / connection when it expires.

      Testing Requirements

      •  

      Documentation Requirements

      •  

      Follow Up Requirements

      •  

            Assignee:
            Bailey Pearson
            Reporter:
            Richard Jones
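
The error in this report shows the host of AWS_CONTAINER_CREDENTIALS_FULL_URI being rejected. As an added example (not code from the MongoDB driver or the AWS SDK), here is a startup check for that variable that accepts plaintext HTTP only for loopback and a fixed set of link-local credential endpoints. The function names, reason strings and the exact allow-list are assumptions; 169.254.170.23 is the address from the report.

```javascript
'use strict';

// Plaintext (http:) hosts accepted for container credentials. Assumption: this
// list mirrors the link-local endpoints AWS documents; it is not the driver's list.
const PLAINTEXT_HOSTS = new Set([
  '169.254.170.2',   // ECS task credential endpoint
  '169.254.170.23',  // EKS Pod Identity Agent, IPv4 (the address in this report)
  '[fd00:ec2::23]',  // EKS Pod Identity Agent, IPv6 (URL keeps the brackets)
]);

function isLoopback(hostname) {
  if (hostname === 'localhost' || hostname === '[::1]') return true;
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Hypothetical helper: returns { ok, reason } for a candidate
// AWS_CONTAINER_CREDENTIALS_FULL_URI value.
function checkContainerCredentialsUri(value) {
  if (!value) return { ok: false, reason: 'unset' };
  let url;
  try {
    url = new URL(value); // normalises forms such as http://0x7f.1/ to 127.0.0.1
  } catch {
    return { ok: false, reason: 'not a URL' };
  }
  // "http://169.254.170.23@other.example/" has other.example as its host.
  if (url.username || url.password) return { ok: false, reason: 'userinfo present' };
  if (url.protocol === 'https:') return { ok: true, reason: 'https' };
  if (url.protocol !== 'http:') return { ok: false, reason: 'scheme not allowed' };
  if (isLoopback(url.hostname)) return { ok: true, reason: 'loopback' };
  if (PLAINTEXT_HOSTS.has(url.hostname)) return { ok: true, reason: 'known endpoint' };
  return { ok: false, reason: `${url.hostname} is not an allowed plaintext host` };
}

// Constructed sample values (not taken from a real deployment).
const samples = [
  'http://169.254.170.23/v1/credentials',
  'http://[fd00:ec2::23]/v1/credentials',
  'http://169.254.169.254/latest/meta-data/',
  'http://169.254.170.23@other.example/v1/credentials',
];
for (const s of samples) {
  const { ok, reason } = checkContainerCredentialsUri(s);
  console.log(`${ok ? 'accept' : 'reject'}  ${s}  (${reason})`);
}
```

The allow-list matters because the credential request is sent to whatever host this variable names, so plaintext HTTP is limited to addresses that cannot leave the node.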