Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: pymongo-auth-aws-1.0.2
Affects Version/s: None
Component/s: None
Labels:
None

Confidence Status:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

As reported in https://developer.mongodb.com/community/forums/t/temporary-mongodb-aws-credentials-could-not-be-obtained/9505, pymongo-auth-aws uses POST for auth token request which is not allowed in some AWS configurations (IMDSv2). This causes the following authentication failure:

 File "/usr/lib64/python2.7/site-packages/pymongo/pool.py", line 810, in authenticate
    auth.authenticate(credentials, self)
  File "/usr/lib64/python2.7/site-packages/pymongo/auth.py", line 673, in authenticate
    auth_func(credentials, sock_info)
  File "/usr/lib64/python2.7/site-packages/pymongo/auth_aws.py", line 85, in _authenticate_aws
    exc, pymongo_auth_aws.__version__))
pymongo.errors.OperationFailure: temporary MONGODB-AWS credentials could not be obtained (pymongo-auth-aws version 1.0.1)

Instead we need to use a PUT request as documented in the auth spec:

$ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30"`
$ ROLE_NAME=`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ -H "X-aws-ec2-metadata-token: $TOKEN"`
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME -H "X-aws-ec2-metadata-token: $TOKEN"

Assignee:: Shane Harvey

Reporter:: Shane Harvey

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: Sep 23 2020 09:32:32 PM UTC

Updated:: Oct 29 2023 02:29:30 AM UTC

Resolved:: Sep 24 2020 05:45:53 PM UTC

GA Target Date:: None

Public Preview Target Date:: None

Private Preview Target Date:: None

Experiment Target Date:: None

Details

Description

Attachments

Activity

People

Dates