[JAVA-4118] Add support for EKS when using AWS IAM roles for database authentication
Created: 27/Apr/21 | Updated: 12/Jan/23 | Resolved: 12/Jan/23

| Status: | Closed |
| Project: | Java Driver |
| Component/s: | Authentication, Kubernetes |
| Affects Version/s: | None |
| Fix Version/s: | 4.8.0 |
| Type: | New Feature | Priority: | Critical - P2 |
| Reporter: | houtan sadafi | Assignee: | Rachelle Palmer |
| Resolution: | Done | Votes: | 4 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Case: | (copied to CRM) |
| Backwards Compatibility: | Fully Compatible |
| Documentation Changes: | Needed |

| Description |
Currently the MongoDB Java driver supports authenticating against a database using AWS IAM roles; unfortunately this is only supported for applications running on EC2 or ECS tasks. It does not support Elastic Kubernetes Service, unless you grant the role at the node level, which would mean every pod on that node gets access to that role and goes against the principle of least privilege. EKS recently introduced IAM Roles for Service Accounts, which basically gives pods an IAM role; this is exposed as an environment variable with an OpenID Connect token that can get handed to AWS STS for a set of temporary creds (much like ECS/EC2). This improvement would be fantastic, especially for those who are running on Kubernetes in AWS.
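The credential exchange the description refers to, written out as an added example. This is not the reporter's pull request and not the driver's own implementation of the feature: it reads the two variables the EKS pod identity webhook injects into a pod whose ServiceAccount carries the `eks.amazonaws.com/role-arn` annotation (`AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE`), calls STS `AssumeRoleWithWebIdentity` with the projected OIDC token, and hands the resulting temporary credentials to the Java driver's existing `MONGODB-AWS` mechanism through `MongoCredential.createAwsCredential` and the `AWS_SESSION_TOKEN` mechanism property. It assumes the AWS SDK for Java v2 (`software.amazon.awssdk:sts`) and `mongodb-driver-sync` 4.x on the classpath; the cluster hostname, role session name and `ping` command are placeholders.

```java
// Added example: pod-scoped IRSA credentials fed explicitly to MONGODB-AWS.
// Not the driver's code. Assumes AWS SDK v2 (sts) and mongodb-driver-sync 4.x.
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.bson.Document;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;
import software.amazon.awssdk.services.sts.model.Credentials;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Instant;

public final class IrsaMongoAuth {

    /** Temporary credentials exchanged from the pod's projected OIDC token. */
    public record TemporaryCredentials(String accessKeyId, String secretAccessKey,
                                       String sessionToken, Instant expiration) {}

    /**
     * Exchange the pod's service-account token for role credentials. Both environment
     * variables are injected by the EKS pod identity webhook; failing when they are absent
     * means a mis-annotated pod never silently falls back to the node's instance role.
     */
    public static TemporaryCredentials assumeRoleFromPodIdentity(StsClient sts) throws IOException {
        String roleArn = requireEnv("AWS_ROLE_ARN");
        Path tokenFile = Path.of(requireEnv("AWS_WEB_IDENTITY_TOKEN_FILE"));
        // kubelet rotates the projected token; read it at use time instead of caching it.
        String oidcToken = Files.readString(tokenFile, StandardCharsets.UTF_8).trim();

        AssumeRoleWithWebIdentityRequest request = AssumeRoleWithWebIdentityRequest.builder()
                .roleArn(roleArn)
                .roleSessionName("mongodb-" + ProcessHandle.current().pid()) // placeholder name
                .webIdentityToken(oidcToken)
                .durationSeconds(900) // shortest STS allows; renew rather than hold long-lived creds
                .build();

        Credentials creds = sts.assumeRoleWithWebIdentity(request).credentials();
        return new TemporaryCredentials(creds.accessKeyId(), creds.secretAccessKey(),
                creds.sessionToken(), creds.expiration());
    }

    /** Build a MongoClient that authenticates with MONGODB-AWS using the temporary credentials. */
    public static MongoClient connect(String mongoUri, TemporaryCredentials tc) {
        MongoCredential credential = MongoCredential
                .createAwsCredential(tc.accessKeyId(), tc.secretAccessKey().toCharArray())
                .withMechanismProperty(MongoCredential.AWS_SESSION_TOKEN_KEY, tc.sessionToken());
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(mongoUri))
                .credential(credential)
                .build();
        return MongoClients.create(settings);
    }

    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(name
                    + " is not set; is the ServiceAccount annotated with eks.amazonaws.com/role-arn?");
        }
        return value;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder cluster address; the server-side user for MONGODB-AWS is the role ARN.
        String uri = "mongodb+srv://cluster0.example.mongodb.net/";
        // AWS_REGION is also injected by the pod identity webhook.
        try (StsClient sts = StsClient.builder().region(Region.of(requireEnv("AWS_REGION"))).build();
             MongoClient client = connect(uri, assumeRoleFromPodIdentity(sts))) {
            client.getDatabase("admin").runCommand(new Document("ping", 1));
        }
    }
}
```

Two caveats for anyone wiring this up by hand. First, the credentials returned by STS expire at `expiration()`; a `MongoCredential` built from them is static, so a long-running service has to re-run the exchange and rebuild its client before that point rather than keep the first set forever. Second, the AWS SDK v2 default credential chain already performs this same `AssumeRoleWithWebIdentity` call when those two variables are present (its `WebIdentityTokenFileCredentialsProvider`); the explicit version above is shown so the exchange the ticket is asking the driver to perform is visible end to end.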
| Comments |
| Comment by Rachelle Palmer [ 12/Jan/23 ] |
Hello all, Thank you!
| Comment by Oliver Allan [ 01/Mar/22 ] |
Thank you Jeffrey
| Comment by Jeffrey Yemin [ 01/Mar/22 ] |
oliver.allan@metrobank.plc.uk I opened
| Comment by Oliver Allan [ 24/Feb/22 ] |
I don't think it helps in my case as I am using Kafka Connect
| Comment by Jeffrey Yemin [ 21/Dec/21 ] |
hsadafi@vistaprint.com and anyone else watching this issue, we'd like to get feedback about whether
| Comment by Jeffrey Yemin [ 09/Sep/21 ] |
Linked to
| Comment by Oliver Allan [ 12/Aug/21 ] |
Hi Ross, could you update on where this is please? Any rough ETA (very rough will do!) would be appreciated. Really need this on a project we are working on. Thanks, Oli
| Comment by Ross Lawley [ 28/Apr/21 ] |
Thanks for the PR, that's super helpful and has given me a good scope of what's required. No need to do PRs for other languages. In general for our specification process, if and when a feature is accepted and added to the specification, then drivers can start planning implementations. This helps ensure that driver features don't diverge and helps with the planning process of supporting new features. To set expectations, depending on backlogs this may not be scheduled for a while, but I will update this ticket once I have more information. Ross
| Comment by houtan sadafi [ 27/Apr/21 ] |
Hi Ross, I opened a draft pull request on GitHub. With regards to support, I am happy to try and implement this in the C# and Go drivers, but there are a lot of drivers to support and I doubt I can get them all done. Does this mean this feature will not be merged (if the PR is acceptable) until all drivers have that feature lined up? Warmly,
| Comment by Ross Lawley [ 27/Apr/21 ] |
Thanks for the ticket, we'd be interested in a PR, so please do link to one if you can. Just to let you know that we'd have to ensure that support for pod-level IAM roles is specified to be added and tested across all drivers. All the best, Ross
| Comment by houtan sadafi [ 27/Apr/21 ] |
I have forked the Java driver repo and implemented the required change. I am happy to submit the pull request linking to this ticket.