[COMPASS-6478] MongoDB Atlas + AWS IAM auth mechanism: implement proper safe obtaining of key/secret/token Created: 01/Feb/23 Updated: 27/Oct/23 Resolved: 08/Mar/23 |
| Status: | Closed |
| Project: | Compass |
| Component/s: | Connectivity |
| Affects Version/s: | 1.35.0 |
| Fix Version/s: | No version |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Ronan Jouchet | Assignee: | Julia Oppenheim |
| Resolution: | Gone away | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: | Compass 1.35.0, up-to-date as of 2023-02-01. |
| Documentation Changes: | Not Needed |
| Description |
Problem Statement/Rationale
This is a bug equivalent to IntelliJ/YouTrack bug DBE-17241 - MongoDB Atlas + AWS IAM auth mechanism: implement proper safe obtaining of key/secret/token. I'm interested in logging in to a MongoDB/Atlas instance using AWS IAM credentials, an authentication mechanism already available "raw" in Compass 1.35.0 (New Connection → Advanced Connection Options → Authentication → AWS IAM). However, the current implementation is "raw" and lacking from a security perspective, as it merely asks users to enter an AWS { accessKeyId, secretAccessKey, sessionToken }. What I expect instead from a Mongo + AWS IAM implementation (which I did myself for a system I maintain) is this:

Seeing that Compass "supports" AWS IAM credentials, I was expecting the same: a password/token-copypasta-less experience, MFA-protected, and using shortly-expiring tokens, invisibly to the user! But instead, I see that all Compass does currently is to ask users for an { accessKeyId, secretAccessKey, sessionToken }! Which means that Compass currently does none of the actual security-valuable job of bundling AWS' SDK in the Electron app and talking to AWS STS 😕. As far as I understand, Compass just supports the slightly different syntax of passing IAM secrets in the connection string. But that's not where the value is! The whole point of AWS IAM + config + MFA is to not have these secrets to copy-paste in the first place!

Said differently, I was expecting that selecting AWS IAM creds would prompt me with a { AWS config, MFA challenge } form/flow, and not a { accessKeyId, secretAccessKey, sessionToken } form!

Final note: I'm trying to connect to an Atlas instance. So, a security-legit and viable-to-me-Atlas-customer alternative to improving your AWS IAM connection would be to support logging in with Atlas+MFA credentials. Does that make sense, or am I missing something? Thanks.

Steps to Reproduce
Try to connect to a MongoDB Atlas instance using Compass' AWS IAM authentication method.

Expected Results
Be prompted for an AWS config form, and an MFA challenge.

Actual Results
Compass requests I copy-paste and give it AWS { accessKeyId, secretAccessKey, sessionToken }, defeating the security benefits.

Additional Notes
Compass 1.35.0, up-to-date as of 2023-02-01. |
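The report's distinction between pasting an { accessKeyId, secretAccessKey, sessionToken } triple and letting the application obtain short-lived STS credentials itself is illustrated below with example code written for this page; it is not Compass code and not MongoDB driver code. It takes the shape of an STS temporary-credential result as the AWS SDK returns it (the `sampleStsResult` values are constructed placeholders), rejects the common failure mode of a temporary `ASIA…` key supplied without its session token, maps the result onto the MongoDB Node driver's `MONGODB-AWS` client options so that the secret and token never appear in connection-string text, decides when a short-lived token is due for renewal, and produces a log-safe view. The helper names (`validateTemporaryCredentials`, `toMongoAwsOptions`, `mongoAwsUri`, `credentialsNeedRefresh`, `redactForLog`) are this example's own. Recent versions of the Node driver can also resolve these credentials through the AWS SDK provider chain when `@aws-sdk/credential-providers` is installed, which is the mechanism that removes the copy-paste step the report objects to.

```javascript
// Added example, not Compass or MongoDB driver code: handling AWS STS temporary
// credentials for the MONGODB-AWS mechanism without pasting them into a URI.

// Constructed sample: the shape of an STS GetSessionToken/AssumeRole result as the
// AWS SDK returns it. Every value is a placeholder, not a real credential.
const sampleStsResult = {
  Credentials: {
    AccessKeyId: 'ASIAEXAMPLEPLACEHOLDER',       // temporary key ids start with ASIA
    SecretAccessKey: 'example-secret-not-real',
    SessionToken: 'example-session-token-not-real',
    Expiration: new Date('2023-02-01T13:00:00Z'),
  },
};

// Temporary credentials (ASIA...) are only valid together with their session token;
// forgetting the token is the usual reason a MONGODB-AWS handshake fails after an MFA login.
function validateTemporaryCredentials(creds) {
  if (!creds || !creds.AccessKeyId || !creds.SecretAccessKey) {
    throw new Error('access key id and secret access key are required');
  }
  if (creds.AccessKeyId.startsWith('ASIA') && !creds.SessionToken) {
    throw new Error('temporary access key supplied without its session token');
  }
  return creds;
}

// Map STS output onto MongoClient options (assumed option names follow the Node driver's
// documented MONGODB-AWS settings). Secret and token travel as options, never as
// connection-string text, so they cannot leak through URI logging or shell history.
function toMongoAwsOptions(creds) {
  validateTemporaryCredentials(creds);
  const options = {
    authMechanism: 'MONGODB-AWS',
    authSource: '$external',
    auth: { username: creds.AccessKeyId, password: creds.SecretAccessKey },
  };
  if (creds.SessionToken) {
    options.authMechanismProperties = { AWS_SESSION_TOKEN: creds.SessionToken };
  }
  return options;
}

// Connection string that names the mechanism but carries no credential material.
function mongoAwsUri(host) {
  return `mongodb+srv://${host}/?authSource=$external&authMechanism=MONGODB-AWS`;
}

// Short-lived credentials must be renewed before they lapse; skewSeconds is the headroom
// so a connection is never attempted with a token that is about to expire.
function credentialsNeedRefresh(creds, now = new Date(), skewSeconds = 300) {
  const expiresAt = new Date(creds.Expiration).getTime();
  if (Number.isNaN(expiresAt)) return true; // unknown expiry: treat as expired
  return now.getTime() >= expiresAt - skewSeconds * 1000;
}

// Log-safe view: mechanism and key id are fine to record, secret and token are not.
function redactForLog(options) {
  return {
    authMechanism: options.authMechanism,
    authSource: options.authSource,
    accessKeyId: options.auth.username,
    sessionToken: options.authMechanismProperties ? '[redacted]' : '[none]',
  };
}

// Stand-alone demonstration with the constructed sample.
const demoOptions = toMongoAwsOptions(sampleStsResult.Credentials);
console.log(mongoAwsUri('cluster0.example.mongodb.net'));
console.log(redactForLog(demoOptions));
console.log('needs refresh now?', credentialsNeedRefresh(sampleStsResult.Credentials));
```

The refresh check is what makes the "shortly-expiring tokens, invisibly to the user" part of the report workable: an application that holds STS credentials re-runs the STS call when `credentialsNeedRefresh` returns true, and the user only sees the MFA prompt that call requires.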
| Comments |
| Comment by Julia Oppenheim [ 08/Mar/23 ] |
Moved this to our feedback portal, so closing this ticket for now. |