[DRIVERS-1405] For MONGODB-AWS, follow AWS-SDK conventions for resolving credentials Created: 30/Sep/20  Updated: 13/Nov/23

Status: Backlog
Project: Drivers
Component/s: Authentication
Fix Version/s: None

Type: New Feature
Priority: Trivial - P5
Reporter: Darren Gruber
Assignee: Unassigned
Resolution: Unresolved
Votes: 3
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DRIVERS-2475 Consider Using AWS SDK for Auth Implementing
Driver Changes: Needed
Case:

 Description   

Per the current spec, MongoDB drivers currently resolve AWS credentials in the following order:

The order in which Drivers MUST search for credentials is:

  1. Credentials passed through the URI
  2. Environment variables
  3. ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
  4. EC2 endpoint

This flow is a slight deviation from how the AWS-SDK resolves credentials, which is roughly as follows:

  1. Environment variables
  2. The default credential profiles file, typically located at ~/.aws/credentials (location can vary per platform) and shared by many of the AWS SDKs and by the AWS CLI.
  3. ECS endpoint if the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. 
  4. EC2 endpoint

Because most AWS tooling that includes the AWS SDK follows this resolution, it was surprising to learn that ~/.aws/config was not supported.

As a frequent user of AWS services, I have many different named profiles within my AWS configuration that allow me to switch context when authenticating. Using a named profile also allows me to instrument a custom process for obtaining credentials.

Because I could not use the ~/.aws/config file, I wrote a small Python3 library/CLI tool to fill that gap: https://mongodb-iam-connection-string.readthedocs.io/en/latest/readme.html

I think it would be beneficial to have drivers implement the same credential resolution chain to avoid incompatibility with usage that includes the ~/.aws/config file.
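
The difference between the two orders listed above can be checked offline. The following is an added example, not code from the drivers spec or from the reporter's tool: it reports which credential source each chain would select for a given environment. The function names are hypothetical, and the variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_PROFILE and AWS_SHARED_CREDENTIALS_FILE are the standard AWS SDK names, assumed here because the issue does not list them.

```python
import configparser
import os
import tempfile

# Orders as listed in the issue: the driver spec vs. the (rough) AWS SDK chain.
SPEC_ORDER = ["uri", "env", "ecs", "ec2"]
SDK_ORDER = ["env", "profile", "ecs", "ec2"]


def profile_has_keys(path, profile):
    """True if the shared credentials file defines a key pair for the profile."""
    parser = configparser.ConfigParser()
    parser.read(path)  # a missing file is silently skipped
    return (parser.has_section(profile)
            and parser.has_option(profile, "aws_access_key_id")
            and parser.has_option(profile, "aws_secret_access_key"))


def resolve_source(order, env, uri_has_credentials=False, credentials_file=None):
    """Return the first source in `order` that would supply credentials.
    Offline check only: "ec2" is the unconditional fallback, never probed."""
    path = credentials_file or env.get(
        "AWS_SHARED_CREDENTIALS_FILE", os.path.expanduser("~/.aws/credentials"))
    available = {
        "uri": uri_has_credentials,
        "env": bool(env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY")),
        "profile": profile_has_keys(path, env.get("AWS_PROFILE", "default")),
        "ecs": bool(env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")),
        "ec2": True,
    }
    return next(source for source in order if available[source])


def demo():
    """Constructed scenario: a workstation with a named profile and nothing else."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w") as fh:
            # Constructed placeholder values, not real keys.
            fh.write("[staging]\naws_access_key_id = EXAMPLEKEYID\n"
                     "aws_secret_access_key = EXAMPLESECRET\n")
        env = {"AWS_PROFILE": "staging"}
        return (resolve_source(SPEC_ORDER, env, credentials_file=path),
                resolve_source(SDK_ORDER, env, credentials_file=path))


if __name__ == "__main__":
    print(demo())  # spec chain vs. SDK chain for the same machine
```

On the constructed workstation the spec order skips the profile and falls through to the EC2 endpoint, while the SDK order selects the named profile, so the same host can end up asking for a different identity depending on which chain the client follows.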

