[JAVA-4118] Add support for EKS when using AWS Iam roles for database authentication Created: 27/Apr/21  Updated: 12/Jan/23  Resolved: 12/Jan/23

Status: Closed
Project: Java Driver
Component/s: Authentication, Kubernetes
Affects Version/s: None
Fix Version/s: 4.8.0

Type: New Feature Priority: Critical - P2
Reporter: houtan sadafi Assignee: Rachelle Palmer
Resolution: Done Votes: 4
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on DRIVERS-1746 Add native support for AWS IAM Roles ... Closed
Documented
Duplicate
duplicates JAVA-4234 Add native support for AWS IAM Roles ... Closed
is duplicated by JAVA-4179 Authenticate to mongo ATLAS using AWS... Closed
Related
related to JAVA-4292 AWS credential refreshing Closed
is related to KAFKA-297 Support configuration of an AWS crede... Closed
Case:
Backwards Compatibility: Fully Compatible
Documentation Changes: Needed

Description

Currently the MongoDB Java driver supports authenticating against a database using AWS IAM roles; unfortunately this is only supported for applications running on EC2 or ECS tasks. It does not support Elastic Kubernetes Service, unless you grant the role at the node level, which would mean every pod on that node gets access to that role and goes against the principle of least privilege.

EKS recently introduced IAM Roles for Service Accounts, which basically gives pods an IAM role. This is exposed as an environment variable with an OpenID Connect token that can get handed to AWS STS for a set of temporary credentials (much like ECS/EC2).

This improvement would be fantastic, especially for those who are running on Kubernetes in AWS.
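Added example (not code from this ticket, the reporter's PR, or the driver itself): one way to let a pod authenticate with its own IRSA role using the credential-provider callback that JAVA-4292 added to the Java driver (the AWS_CREDENTIAL_PROVIDER mechanism property, driver 4.4 and later), backed by the AWS SDK v2 web-identity provider. The SDK reads the two variables the EKS pod identity webhook injects, AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, and exchanges the projected service-account token at STS via AssumeRoleWithWebIdentity. The cluster hostname is a placeholder.

```java
import com.mongodb.AwsCredential;
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.bson.Document;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;

import java.util.function.Supplier;

/**
 * Added example, not driver code: authenticate the MongoDB Java driver with an EKS pod's
 * IRSA role by plugging the AWS SDK v2 web-identity provider into the driver's
 * AWS_CREDENTIAL_PROVIDER mechanism property (driver 4.4+).
 */
public final class IrsaMongoAuth {

    /**
     * Refuse to start unless the pod actually carries an IRSA identity. Without these two
     * variables the SDK's default chain would fall through to the node's instance profile,
     * which is exactly the node-level, shared-by-every-pod role the ticket wants to avoid.
     */
    static void requireIrsaEnvironment() {
        for (String name : new String[] {"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"}) {
            String value = System.getenv(name);
            if (value == null || value.isEmpty()) {
                throw new IllegalStateException(name + " is not set; pod has no IRSA role");
            }
        }
    }

    /**
     * Adapt an SDK credentials provider to the driver's callback. The driver invokes the
     * supplier each time it authenticates, so STS session credentials that the SDK has
     * refreshed (they expire, typically after an hour) are used without an app restart.
     */
    static Supplier<AwsCredential> driverCredentialSupplier(AwsCredentialsProvider provider) {
        return () -> {
            AwsCredentials creds = provider.resolveCredentials();
            // AssumeRoleWithWebIdentity yields session credentials; the driver needs the
            // session token to complete the MONGODB-AWS SASL exchange.
            String sessionToken = creds instanceof AwsSessionCredentials
                    ? ((AwsSessionCredentials) creds).sessionToken()
                    : null;
            return new AwsCredential(creds.accessKeyId(), creds.secretAccessKey(), sessionToken);
        };
    }

    static MongoClientSettings settingsFor(String uri, AwsCredentialsProvider provider) {
        // createAwsCredential selects the MONGODB-AWS mechanism and the $external auth source.
        MongoCredential credential = MongoCredential.createAwsCredential(null, null)
                .withMechanismProperty(MongoCredential.AWS_CREDENTIAL_PROVIDER_KEY,
                        driverCredentialSupplier(provider));
        return MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(uri))
                .credential(credential)
                .build();
    }

    public static void main(String[] args) {
        requireIrsaEnvironment();
        // Reads AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE and calls STS
        // AssumeRoleWithWebIdentity; the SDK caches and refreshes the result.
        AwsCredentialsProvider irsa = WebIdentityTokenFileCredentialsProvider.create();
        String uri = "mongodb+srv://cluster0.example.mongodb.net/"; // placeholder host
        try (MongoClient client = MongoClients.create(settingsFor(uri, irsa))) {
            // connectionStatus reports the identity the server authenticated; for IRSA it
            // should be the assumed-role ARN of the pod's role, not the node's instance role.
            Document status = client.getDatabase("admin")
                    .runCommand(new Document("connectionStatus", 1));
            System.out.println(status.get("authInfo", Document.class).toJson());
        }
    }
}
```

Build with mongodb-driver-sync 4.4 or later and the AWS SDK v2 sts module (the web-identity provider loads it at runtime). The MongoDB user for the role must be created on the $external database with the role ARN as its name. From driver 4.8.0, the release this ticket was resolved in, the driver performs the AssumeRoleWithWebIdentity exchange itself when AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are present, so the callback above is only needed on older drivers or when you want to control the credential source.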



Comments
Comment by Rachelle Palmer [ 12/Jan/23 ]

Hello all,
This feature has been delivered in the Java driver version 4.8.0. Please see our release notes here and let us know if you have any feedback.

Thank you!
Rachelle

Comment by Oliver Allan [ 01/Mar/22 ]

thank you Jeffrey

Comment by Jeffrey Yemin [ 01/Mar/22 ]

oliver.allan@metrobank.plc.uk I opened KAFKA-297 to track support for AWS credential callback within Kafka connector.

Comment by Oliver Allan [ 24/Feb/22 ]

I don't think it helps in my case as I am using Kafka Connect.

Comment by Jeffrey Yemin [ 21/Dec/21 ]

hsadafi@vistaprint.com and anyone else watching this issue, we'd like to get feedback about whether JAVA-4292 provides sufficient support to handle this use case.

Comment by Jeffrey Yemin [ 09/Sep/21 ]

Linked to JAVA-4292, which proposes an alternative approach for enabling applications to use EKS.

Comment by Oliver Allan [ 12/Aug/21 ]

Hi Ross

Could you update on where this is please? Any rough ETA (very rough will do!) would be appreciated

Really need this on a project we are working on 

Thanks

Oli

Comment by Ross Lawley [ 28/Apr/21 ]

Hi hsadafi@vistaprint.com,

Thanks for the PR, that's super helpful and has given me a good scope of what's required. No need to do PRs for other languages.

In general for our specification process, if and when a feature is accepted and added to the specification then drivers can start planning implementations. This helps ensure that driver features don't diverge and helps with the planning process of supporting new features.

To set expectations, depending on backlogs this may not be scheduled for a while but I will update this ticket once I have more information.

Ross

Comment by houtan sadafi [ 27/Apr/21 ]

Hi Ross,

I opened a draft pull request on github.

With regard to support, I am happy to try and implement this in the C# and Go drivers, but there are a lot of drivers to support and I doubt I can get them all done. Does this mean this feature will not be merged (if the PR is acceptable) until all drivers have that feature lined up?

Warmly,
Houtan

Comment by Ross Lawley [ 27/Apr/21 ]

Hi hsadafi@vistaprint.com,

Thanks for the ticket, we'd be interested in a PR, so please do link to one if you can.

Just to let you know that we'd have to ensure that support for pod level IAM roles is specified to be added and tested across all drivers.

All the best,

Ross


Comment by houtan sadafi [ 27/Apr/21 ]

I have forked the java driver repo and implemented the required change. I am happy to submit the pull request linking to this ticket.

Generated at Thu Feb 08 09:01:16 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.