[DRIVERS-2333] Cache AWS Credentials Where Possible Created: 23/May/22  Updated: 30/Jun/23  Resolved: 30/Jun/23

Status: Closed
Project: Drivers
Component/s: Authentication
Fix Version/s: None

Type: New Feature Priority: Unknown
Reporter: Steve Silvester Assignee: Steve Silvester
Resolution: Done Votes: 0
Labels: MDBW23
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Issue split
split to CDRIVER-4439 Cache AWS Credentials Where Possible Closed
split to CSHARP-4273 Cache AWS Credentials Where Possible Closed
split to CXX-2554 Cache AWS Credentials Where Possible Closed
split to GODRIVER-2504 Cache AWS Credentials Where Possible Closed
split to JAVA-4690 Cache AWS Credentials Where Possible Closed
split to MOTOR-1002 Cache AWS Credentials Where Possible Closed
split to NODE-4478 Cache AWS Credentials Where Possible Closed
split to PYTHON-3313 Cache AWS Credentials Where Possible Closed
split to RUBY-3066 Cache AWS Credentials Where Possible Closed
split to RUST-1420 Cache AWS Credentials Where Possible Closed
split to PHPC-2158 Cache AWS Credentials Where Possible Closed
Problem/Incident
Related
is related to DRIVERS-2011 On-demand callback for AWS credentials Closed
Driver Changes: Needed
Quarter: FY23Q3, FY24Q1
Downstream Changes Summary:

Summary of required changes

  • Create an internal cache for fetched AWS credentials used by the driver
  • Add integration tests to verify cache usage

Additional background

Please see https://github.com/mongodb/specifications/commit/364761d3dae5e430b0812f23786b592f4bb629c1 for the specification change and https://github.com/mongodb/specifications/commit/745e486dd03f0d724c68593bf9ddb017d2d58fa6 for a follow-up to tests.

Please see https://github.com/mongodb/mongo-csharp-driver/commit/3d67e80c3553051286afed4c3e7ba7aabcf7cba3 for a reference implementation in C#.

Integration test

Drivers are expected to add an integration test as described in the specification change.

Case:
Driver Compliance:
Key | Status/Resolution | FixVersion
PYTHON-3313 | Fixed | pymongo-auth-aws-1.1.0, 4.3
CDRIVER-4439 | Fixed | 1.24.0
CXX-2554 | Works as Designed | 3.8.0
CSHARP-4273 | Fixed | 2.18.0
GODRIVER-2504 | Fixed | 1.12.0
JAVA-4690 | Won't Fix |
NODE-4478 | Done |
MOTOR-1002 | Duplicate |
PHPC-2158 | Fixed | 1.16.0
RUBY-3066 | Fixed | 2.19.0
RUST-1420 | Fixed | 2.7.0
SWIFT-1613 | Won't Do |

 Description   

Summary

Currently drivers are querying an AWS link-local endpoint each time a connection handshake results in authentication. This may result in hitting a rate limit. Drivers should cache fetched AWS credentials if the expiration time is known, and only re-fetch the credentials when they are about to expire.

Motivation

Who is the affected end user?

Users authenticating with MONGODB-AWS using automatic credential lookup.

How does this affect the end user?

Hitting rate limits may result in temporary unavailability.

How likely is it that this problem or use case will occur?

Likely for EKS and ECS users with many simultaneous connections.

If the problem does occur, what are the consequences and how severe are they?

Authentication failures requiring backoff and retry attempts.

Is this issue urgent?

No

Is this ticket required by a downstream team?

No

Is this ticket only for tests?

No
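
The caching rule from the Summary, as an added sketch that is not code from the specification or from any driver: credentials are reused while their expiration is known and not close, and fetched again otherwise. The class name, the `fetch` callable, the credential dict keys and the 5-minute refresh margin are assumptions made for this example.

```python
import threading
from datetime import datetime, timedelta, timezone

# Assumed refresh margin; the ticket only says "about to expire".
REFRESH_WINDOW = timedelta(minutes=5)


class AwsCredentialCache:
    """Caches credentials that carry an expiration; names are hypothetical."""

    def __init__(self, fetch, now=lambda: datetime.now(timezone.utc)):
        self._fetch = fetch      # callable returning a dict of credentials
        self._now = now          # injectable clock so expiry can be tested
        self._lock = threading.Lock()
        self._cached = None

    def get(self):
        # One lock around check-and-fetch: concurrent handshakes share a
        # single request to the endpoint instead of each issuing their own.
        with self._lock:
            creds = self._cached
            if creds is not None and creds["expiration"] - self._now() > REFRESH_WINDOW:
                return creds
            creds = self._fetch()
            # Cache only when the expiration is known; otherwise the next
            # call fetches again.
            self._cached = creds if creds.get("expiration") else None
            return creds

    def clear(self):
        with self._lock:
            self._cached = None


def demo():
    """Constructed scenario: fake endpoint handing out 1-hour credentials."""
    clock = [datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc)]
    calls = []

    def fake_fetch():
        calls.append(clock[0])
        return {"access_key_id": "EXAMPLE_KEY_ID",
                "secret_access_key": "EXAMPLE_SECRET",
                "session_token": "EXAMPLE_TOKEN",
                "expiration": clock[0] + timedelta(hours=1)}

    cache = AwsCredentialCache(fake_fetch, now=lambda: clock[0])
    for _ in range(100):                 # 100 handshakes, one fetch
        cache.get()
    after_burst = len(calls)
    clock[0] += timedelta(minutes=56)    # 4 minutes left: inside the window
    cache.get()
    return after_burst, len(calls)
```
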



 Comments   
Comment by Githook User [ 15/Feb/23 ]

Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)

Message: DRIVERS-2333 add steps to credential caching tests (#1378)

  • Create a new client before a `find` operation.
  • Clear the AWS environment variables after the test.
  • Clear the cache before steps expecting to cache credentials.
Comment by Githook User [ 18/Oct/22 ]

Author: Steven Silvester <steven.silvester@ieee.org> (blink1073)

Message: DRIVERS-2333 Cache AWS Credentials Where Possible (#1281)
Branch: master
https://github.com/mongodb/specifications/commit/364761d3dae5e430b0812f23786b592f4bb629c1

Comment by Rachelle Palmer [ 02/Aug/22 ]

esha.bhargava@mongodb.com Can you please create the writing ticket here for Scope and assign it to me? Or do we already have one somewhere? If yes, let's link.

Generated at Thu Feb 08 08:25:18 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.