[DRIVERS-1746] Add native support for AWS IAM Roles for service accounts, EKS in particular Created: 11/May/21 Updated: 29/Jan/24 Resolved: 29/Jan/24

| Status: | Closed |
| Project: | Drivers |
| Component/s: | Authentication |
| Fix Version/s: | None |
| Type: | New Feature | Priority: | Unknown |
| Reporter: | Ross Lawley | Assignee: | Steve Silvester |
| Resolution: | Done | Votes: | 9 |
| Labels: | Kubernetes, MDBW23, leads-triage |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Driver Changes: | Needed |
| Quarter: | FY23Q3, FY24Q1 |
| Downstream Changes Summary: | Summary of required changes
Additional background: Please see https://github.com/mongodb/specifications/commit/bc4257fed21186ba9b53e2c0b7e92482da196882 for the specification change and https://github.com/mongodb/specifications/commit/cdd93a4c7639014c8837d34a3e26e408d7b14d5b for a clarification. Please see https://github.com/mongodb/mongo-csharp-driver/commit/daa88998837aace9296b7c1f599c901f3cdac86f for a reference implementation in C#.
Integration test: Drivers are expected to add an integration test as described in the specification change. |
| Case: | (copied to CRM) |
| Start date: | |
| Driver Compliance: | |
| Description |

Currently drivers support authenticating against a database using AWS IAM roles for applications running on EC2 or ECS tasks.

In scope of
This ticket would add support for EKS natively to our drivers, without requiring use of an application-supplied callback. This improvement would be useful for those who are running on Kubernetes in AWS and would reduce friction by supporting EKS natively in our drivers.

Note: EKS IAM Roles for service accounts give pods an IAM role. This is exposed as an environment variable with an OpenID Connect token that can be handed to AWS STS for a set of temporary creds (much like ECS/EC2). |
| Comments |
| Comment by Githook User [ 02/Mar/23 ] |

Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)
Message: |
| Comment by Githook User [ 14/Nov/22 ] |

Author: Steven Silvester <steven.silvester@ieee.org> (blink1073)
Message: |
| Comment by Githook User [ 02/Nov/22 ] |

Author: Steven Silvester <steven.silvester@ieee.org> (blink1073)
Message: |
| Comment by Githook User [ 06/Sep/22 ] |

Author: Steven Silvester <steven.silvester@ieee.org> (blink1073)
Message: |
| Comment by Lance Nehring [ 17/Aug/22 ] |
|
This is high priority for our team too. I know there are pull requests with a fix to include IAM ROLE support. It didn't appear to be a significant change to the code base - but perhaps I'm wrong. I'm wondering why it's still blocked. I'm sorely tempted to use a driver such as: https://github.com/HoutanSadafi/mongo-java-driver/tree/add-support-for-eks-with-aws-iam-role-authentication but I'm concerned about support.
Ah, I now see |
| Comment by Jason Penniman [ 19/Jul/22 ] |
|
This is very critical for us as well. |
| Comment by Valer Orlovsky [ 15/Jul/22 ] |
|
Hi, we run EKS and I've just stumbled upon this issue. Just wondering, wouldn't it be better to just use the relevant AWS SDKs in the drivers? That would provide a proper, consistent experience as the SDKs know where to look for credentials in the entire chain, including the EKS IRSA model. Additionally it would also provide a better UX for connecting locally via roles, using the AWS_PROFILE env var and ~/.aws/config. |
| Comment by Steve Silvester [ 16/Jun/22 ] |
|
Update: we have merged (but not yet released) support for the Python driver (https://github.com/mongodb/pymongo-auth-aws/pull/9). |
| Comment by Kekoa Vincent [ 15/Jun/22 ] |
|
Great to hear, @Steve Silvester I will see what I can do. |
| Comment by Steve Silvester [ 15/Jun/22 ] |
|
Hi kevincent@tradestation.com, yes, this is the favored ticket. We are planning to include this feature in the upcoming driver releases. If you'd like to resume https://github.com/mongodb/specifications/pull/1075 by addressing the feedback on the PR that would be a great help. Indeed, the level of effort is small. We have a WIP PR for the Python driver in https://github.com/mongodb/pymongo-auth-aws/pull/9. |
| Comment by Kekoa Vincent [ 15/Jun/22 ] |
|
Is this issue now the favored one for the implementation of now closed
There are some issues that need to be worked out, but a lot of EKS users now would like to avoid password-based auth, and provide an equally secure alternative to AWS data store solutions. I've been following this group of issues for a while, and I am thinking that the level of effort involved in this change might be misunderstood or overestimated. This is very doable as we have implemented this ourselves in our own fork of the driver and have been using it for a while successfully. This would greatly improve EKS user experience and ability to match the same security as AWS provides for its own datastores. Callback or no-callback, AWS ECS and Lambda runtimes are fully supported but EKS support is languishing which doesn't make logical sense given the rise in popularity of EKS. |
| Comment by Steve Silvester [ 23/May/22 ] |
|
One additional note if we decide to implement this feature, we should be handling the AWS_STS_REGIONAL_ENDPOINTS variable if set (on Kubernetes 1.22+). If the value is set to "regional", we use the regional endpoint: https://sts.<AWS_REGION>.amazonaws.com, where AWS_REGION is also an environment variable. If AWS_STS_REGIONAL_ENDPOINTS is not set or is equal to "Global", then we should use the global https://sts.amazonaws.com endpoint. https://docs.aws.amazon.com/eks/latest/userguide/configure-sts-endpoint.html |
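The ticket description (an OIDC token exposed through the pod environment and exchanged at STS for temporary credentials) and the comment above on AWS_STS_REGIONAL_ENDPOINTS together describe a procedure that is easiest to see as code. The following is an added example written for this page in Python; it is not code from the MongoDB drivers, the specification, or pymongo-auth-aws. It assumes the standard IRSA variable names (AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE), the STS Query API shape of AssumeRoleWithWebIdentity (Version 2011-06-15), and a hypothetical default RoleSessionName. The environment and the STS replies are constructed inline so the block runs offline and never contacts AWS.

```python
"""Offline walk-through of the IRSA credential flow behind MONGODB-AWS on EKS.
Added illustration, not MongoDB driver code: endpoint selection from
AWS_STS_REGIONAL_ENDPOINTS/AWS_REGION, the AssumeRoleWithWebIdentity request
built from the injected IRSA variables, and parsing of the STS XML reply."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Mapping
from urllib.parse import urlencode

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"
# Hypothetical default session name; AWS allows 2-64 chars from [\w+=,.@-].
DEFAULT_SESSION_NAME = "mongodb-aws-auth"

# Constructed environment, shaped like what the EKS pod identity webhook injects.
# AWS_WEB_IDENTITY_TOKEN_FILE names the projected OIDC token (a JWT) on disk.
SAMPLE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/app-role",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    "AWS_STS_REGIONAL_ENDPOINTS": "regional",
    "AWS_REGION": "eu-west-1",
}


def sts_endpoint(env: Mapping[str, str]) -> str:
    """'regional' -> https://sts.<AWS_REGION>.amazonaws.com; unset/'Global' -> global.
    Any other value fails closed (my assumption; the ticket does not cover it)."""
    mode = env.get("AWS_STS_REGIONAL_ENDPOINTS", "global").strip().lower()
    if mode == "global":
        return "https://sts.amazonaws.com"
    if mode != "regional":
        raise ValueError(f"unsupported AWS_STS_REGIONAL_ENDPOINTS value: {mode!r}")
    region = env.get("AWS_REGION", "").strip()
    # Region-name characters only, so a hostile env var cannot send the token elsewhere.
    if not re.fullmatch(r"[a-z0-9-]{2,32}", region):
        raise ValueError("AWS_STS_REGIONAL_ENDPOINTS=regional but AWS_REGION missing or malformed")
    return f"https://sts.{region}.amazonaws.com"


def build_assume_role_request(env: Mapping[str, str], token: str,
                              session_name: str = DEFAULT_SESSION_NAME) -> dict:
    """Unsigned POST to STS AssumeRoleWithWebIdentity: the OIDC token is the credential.
    `token` is the contents of AWS_WEB_IDENTITY_TOKEN_FILE, read by the caller."""
    if not (env.get("AWS_ROLE_ARN") and env.get("AWS_WEB_IDENTITY_TOKEN_FILE")):
        raise ValueError("AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are both required")
    if not re.fullmatch(r"[\w+=,.@-]{2,64}", session_name):
        raise ValueError("RoleSessionName must be 2-64 chars from [\\w+=,.@-]")
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": env["AWS_ROLE_ARN"],
        "RoleSessionName": session_name,
        "WebIdentityToken": token.strip(),  # bearer secret: never log this body
    }
    return {"url": sts_endpoint(env) + "/", "body": urlencode(params),
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}}


@dataclass(frozen=True)
class TempCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: str  # ISO-8601 timestamp as returned by STS


def parse_assume_role_response(body: bytes) -> TempCredentials:
    """Extract temporary credentials from an STS reply, or raise with the STS error code."""
    root = ET.fromstring(body)
    if root.tag.endswith("ErrorResponse"):
        code = root.findtext(f".//{STS_NS}Code") or root.findtext(".//Code") or "Unknown"
        message = root.findtext(f".//{STS_NS}Message") or root.findtext(".//Message") or ""
        raise PermissionError(f"AssumeRoleWithWebIdentity failed: {code}: {message}")
    creds = root.find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("STS response has no Credentials element")
    values = {}
    for name in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        values[name] = creds.findtext(STS_NS + name)
        if not values[name]:
            raise ValueError(f"STS response is missing {name}")
    return TempCredentials(values["AccessKeyId"], values["SecretAccessKey"],
                           values["SessionToken"], values["Expiration"])


# Constructed STS replies (success and error), shaped like the real XML.
SAMPLE_RESPONSE = b"""<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult><Credentials>
    <AccessKeyId>ASIAEXAMPLEEXAMPLE</AccessKeyId>
    <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</SecretAccessKey>
    <SessionToken>FwoGZXIvYXdzEXAMPLESESSIONTOKEN</SessionToken>
    <Expiration>2024-01-29T12:00:00Z</Expiration>
  </Credentials></AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""
SAMPLE_ERROR = b"""<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error><Type>Sender</Type><Code>ExpiredTokenException</Code><Message>Token expired</Message></Error>
</ErrorResponse>"""
```

A caller performs the exchange by reading the token file named in AWS_WEB_IDENTITY_TOKEN_FILE, POSTing `body` to `url`, and handing the response bytes to parse_assume_role_response; the resulting AccessKeyId, SecretAccessKey and SessionToken are what a driver then feeds into MONGODB-AWS. Failing closed on unrecognised AWS_STS_REGIONAL_ENDPOINTS values and the region-name allow-list are choices made in this example, not requirements stated in the ticket; a more permissive implementation would fall back to the global endpoint. Both the OIDC token and the returned SessionToken are bearer secrets and belong out of logs and error messages.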
| Comment by Jeffrey Yemin [ 08/Sep/21 ] |
|
We are considering |
| Comment by Ross Lawley [ 11/May/21 ] |
|
Example PR adding support for the Java driver: https://github.com/mongodb/mongo-java-driver/pull/700 |