[GODRIVER-2241] AWS credential refreshing Created: 22/Nov/21  Updated: 03/Oct/22  Resolved: 03/Oct/22

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature
Priority: Unknown
Reporter: Kevin Albertson
Assignee: Unassigned
Resolution: Won't Fix
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on DRIVERS-2011 On-demand callback for AWS credentials Closed
Related
is related to GODRIVER-2081 Add native support for AWS IAM Roles ... Closed
Case:

 Description   

Background & Motivation

The Driver Authentication specification describes four ways of obtaining credentials for the MONGODB-AWS authentication mechanism.

1. From the URI username, password, and options.
2. From environment variables.
3. From querying an endpoint for credentials in ECS.
4. From querying an endpoint for credentials in EC2.

This is a request to implement an API equivalent to JAVA-4310. JAVA-4310 is currently marked as a beta API.

The original motivation for this feature request is to enable a way to cache credentials. In (3) and (4) the endpoint is queried each time a connection handshake results in authentication. This can result in hitting

There are other motivations. The AWS session token set in (1) or (2) may be temporary and can expire. A callback enables passing and refreshing credentials in environments like EKS with assigned IAM roles.

Scope

  • Add client option callback to supply AWS credentials on each authentication attempt.
  • Add client option as unstable API.
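
The caching behaviour that motivates this request, as an added example that is not Go driver code and not part of the original ticket: a hypothetical `CachingProvider` wraps an assumed `Fetch` function (standing in for the ECS or EC2 endpoint query) and calls it again only when the cached credentials are within `Margin` of expiry. All type, field and function names here are assumptions, and the credential values are constructed.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Credentials holds what MONGODB-AWS needs; a zero Expiry means long-lived keys.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiry                                     time.Time
}

// CachingProvider is a hypothetical callback wrapper, not a Go driver type.
type CachingProvider struct {
	mu     sync.Mutex
	Fetch  func() (Credentials, error) // assumed source, e.g. the ECS or EC2 endpoint
	Now    func() time.Time            // injectable clock
	Margin time.Duration               // refresh this long before expiry
	cached *Credentials
}

// Get calls Fetch only when nothing is cached or expiry is within Margin.
func (p *CachingProvider) Get() (Credentials, error) {
	p.mu.Lock() // also serializes concurrent handshakes into one endpoint query
	defer p.mu.Unlock()
	if c := p.cached; c != nil && (c.Expiry.IsZero() || p.Now().Add(p.Margin).Before(c.Expiry)) {
		return *c, nil
	}
	c, err := p.Fetch()
	if err != nil {
		return Credentials{}, err // fail closed: stale credentials are not reused
	}
	p.cached = &c
	return c, nil
}

func main() {
	calls := 0
	p := &CachingProvider{Now: time.Now, Margin: 5 * time.Minute, Fetch: func() (Credentials, error) {
		calls++ // constructed stand-in for one endpoint query
		return Credentials{AccessKeyID: "AKIAEXAMPLE", SecretAccessKey: "constructed", Expiry: time.Now().Add(time.Hour)}, nil
	}}
	for i := 0; i < 100; i++ { // 100 simulated connection handshakes
		p.Get()
	}
	fmt.Println("endpoint queries:", calls)
}
```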


 Comments   
Comment by Kevin Albertson [ 03/Oct/22 ]

Per https://jira.mongodb.org/browse/DRIVERS-2011?focusedCommentId=4859543&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-4859543

We prioritized DRIVERS-2333 to handle the rate-limiting case and DRIVERS-1746 to handle IAM roles for service accounts.

Comment by Kevin Albertson [ 22/Mar/22 ]

We are targeting early June 2022; however, this date may change.

Comment by Santosh Kumar Aitha [ 21/Mar/22 ]

Hi, we currently have a blocker on this for rolling out AWS-based authentication to production. Is there any update or ETA on when this will be available in the Go Driver?

Also, it would be great if the MongoDB documentation were updated with this limitation. Currently the documentation doesn't mention anything about this.

Generated at Thu Feb 08 08:38:08 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.