[COMPASS-6478]  MongoDB Atlas + AWS IAM auth mechanism: implement proper safe obtaining of key/secret/token Created: 01/Feb/23  Updated: 27/Oct/23  Resolved: 08/Mar/23

Status: Closed
Project: Compass
Component/s: Connectivity
Affects Version/s: 1.35.0
Fix Version/s: No version

Type: Bug Priority: Major - P3
Reporter: Ronan Jouchet Assignee: Julia Oppenheim
Resolution: Gone away Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Compass 1.35.0, up-to-date as of 2023-02-01.


Documentation Changes: Not Needed

Description

Problem Statement/Rationale

This is a bug equivalent to IntelliJ/YouTrack bug DBE-17241 - MongoDB Atlas + AWS IAM auth mechanism: implement proper safe obtaining of key/secret/token.

I'm interested in logging in to a MongoDB/Atlas instance using AWS IAM credentials, an authentication mechanism already available "raw" in Compass 1.35.0 (New Connection → Advanced Connection Options → Authentication → AWS IAM).

However, the current implementation is "raw" and lacking from a security perspective, as it merely asks users to enter an AWS {accessKeyId, secretAccessKey, sessionToken}. What I expect instead from a Mongo + AWS IAM implementation (which I did myself for a system I maintain) is this:

  1. Initialize the AWS SDK, which reads AWS config (at ~/.aws/config)
  2. Present to the user an AWS MFA (Multi-Factor Authentication) challenge
  3. Make an aws-sdk call to AWS STS.AssumeRole
  4. Take the (MFA-protected!) call result, a Credentials object with { accessKeyId, secretAccessKey, sessionToken, expiration }, and build an IAM/Atlas Mongo connection string internally, by doing basic string formatting + URLEncoding.

Seeing that Compass "supports" AWS IAM credentials, I was expecting the same: a password/token-copypasta-less experience, MFA-protected, and using shortly-expiring tokens, invisibly to the user!

But instead, I see that all Compass does currently is to ask users for a { accessKeyId, secretAccessKey, sessionToken }! Which means that Compass currently does none of the actual security-valuable job of bundling AWS' SDK in the Electron app and talking to AWS STS 😕. As far as I understand, Compass just supports the slightly different syntax of passing IAM secrets in the connection string. But that's not where the value is! The whole point of AWS IAM + config + MFA is to not have these secrets to copy-paste in the first place!

Said differently, I was expecting that selecting AWS IAM creds would prompt me with a { AWS config, MFA challenge } form/flow, and not a { accessKeyId, secretAccessKey, sessionToken } form!

Final note: I'm trying to connect to an Atlas instance. So, a security-legit and viable-to-me-Atlas-customer alternative to improving your AWS IAM connection would be to support logging in with Atlas+MFA credentials.

Does that make sense, or am I missing something? Thanks.

Steps to Reproduce

Try to connect to a MongoDB Atlas instance using Compass' AWS IAM authentication method.

Expected Results

Be prompted for an AWS config form, and an MFA challenge.

Actual Results

Compass requests I copy-paste and give it AWS { accessKeyId, secretAccessKey, sessionToken }, defeating the security benefits.

Additional Notes

Compass 1.35.0, up-to-date as of 2023-02-01.
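The four-step flow the reporter describes (MFA challenge, STS AssumeRole, then building the MONGODB-AWS connection string from the short-lived credentials), as an added example that is neither Compass code nor the reporter's own implementation. The STS call is replaced by an injected function shaped like AWS SDK v3's AssumeRole input/output and fed by a constructed fake so the script runs offline; the role ARN, MFA serial, host and credential strings are placeholders.

```javascript
// Added example, not Compass or the reporter's code. `assumeRole` stands in
// for the real AWS STS call (SDK v3 AssumeRoleCommand input/output shape).

// Steps 2-3: validate the MFA code and build the STS AssumeRole request.
function buildAssumeRoleInput({ roleArn, mfaSerial, tokenCode, durationSeconds = 3600 }) {
  if (!/^\d{6}$/.test(tokenCode)) throw new Error('MFA token code must be 6 digits');
  return {
    RoleArn: roleArn,          // placeholder: arn:aws:iam::<account>:role/<name>
    RoleSessionName: 'compass-session',
    SerialNumber: mfaSerial,   // placeholder: arn:aws:iam::<account>:mfa/<device>
    TokenCode: tokenCode,
    DurationSeconds: durationSeconds,
  };
}

// Step 4: turn the STS Credentials object into a MONGODB-AWS connection string.
// Every part is URL-encoded: secret keys and session tokens contain '/', '+', '='.
function buildAtlasAwsIamUri(creds, host) {
  const enc = encodeURIComponent;
  return `mongodb+srv://${enc(creds.AccessKeyId)}:${enc(creds.SecretAccessKey)}@${host}/` +
    '?authSource=%24external&authMechanism=MONGODB-AWS' +
    `&authMechanismProperties=AWS_SESSION_TOKEN:${enc(creds.SessionToken)}`;
}

// STS credentials are short-lived; reject ones with under `marginMs` left.
function credentialsUsable(creds, now = new Date(), marginMs = 60000) {
  return new Date(creds.Expiration).getTime() - now.getTime() > marginMs;
}

// Whole flow: the user only ever supplies the MFA code, never key/secret/token.
async function connectionStringWithMfa(assumeRole, opts) {
  const { Credentials } = await assumeRole(buildAssumeRoleInput(opts));
  if (!credentialsUsable(Credentials)) throw new Error('STS credentials already expiring');
  return buildAtlasAwsIamUri(Credentials, opts.host);
}

// Constructed fake standing in for the network call to AWS STS.
const fakeAssumeRole = async (input) => ({
  Credentials: {
    AccessKeyId: 'ASIAEXAMPLE',
    SecretAccessKey: 'wJalr/XUtnFEMI+K7MDENG=',
    SessionToken: 'IQoJb3Jp//+EXAMPLE==',
    Expiration: new Date(Date.now() + input.DurationSeconds * 1000),
  },
});

connectionStringWithMfa(fakeAssumeRole, {
  roleArn: 'arn:aws:iam::123456789012:role/AtlasReader', // placeholder values
  mfaSerial: 'arn:aws:iam::123456789012:mfa/laptop',
  tokenCode: '123456',
  host: 'cluster0.example.mongodb.net',
}).then((uri) => console.log(uri.replace(/:[^:@]+@/, ':***@'))); // secret masked
```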



Comments
Comment by Julia Oppenheim [ 08/Mar/23 ]

Moved this to our feedback portal, so closing this ticket for now. 

Generated at Wed Feb 07 22:43:15 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.