Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-54799

AWS IAM Auth does not support ARNs for AWS China and Gov regions where the ARN does not start with "arn:aws:iam"

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.9.0, 4.4.6
    • Component/s: Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v4.4
    • Sprint:
      Security 2021-03-22, Security 2021-04-05
    • Linked BF Score:
      169

      Description

      When trying to authenticate from ARNs for AWS China and Gov regions, the server throws an error message:

      {"t":{"$date":"2021-02-24T21:46:18.029+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn785","msg":"Authentication failed","attr":{"mechanism":"MONGODB-AWS","principalName":"AKIA5BNHFCACSUUDSOR3","authenticationDatabase":"$external","client":"66.65.136.84:50215","result":"Location51282: Incorrect ARN"}}
      

      It appears the code needs to be updated in the following places:
      https://github.com/10gen/mongo-enterprise-modules/blob/master/src/sasl/sasl_aws_server_protocol.cpp#L216-L217

      https://github.com/10gen/mongo-enterprise-modules/blob/07a2f1b3245d2a18a8b53482091aa32cbf9210be/src/sasl/sasl_aws_server_protocol.cpp#L41

      Example ARNs:

      • arn:aws-cn:iam::123312345293:user/some.person
      • arn:aws-cn:iam::123312345293:role/my-test-kms
      • arn:aws-us-gov:iam::123312345293:user/someone.else
      • arn:aws-us-gov:iam::123312345293:role/test-role

      Note that for roles, Atlas converts the ARNs to the STS format.

        Attachments

          Activity

            People

            Assignee:
            ben.caimano Benjamin Caimano (Inactive)
            Reporter:
            ralph.capasso Ralph Capasso
            Participants:
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: