[SERVER-54799] AWS IAM Auth does not support ARNs for AWS China and Gov regions where the ARN does not start with "arn:aws:iam" Created: 25/Feb/21  Updated: 29/Oct/23  Resolved: 22/Mar/21

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.9.0, 4.4.6

Type: Bug Priority: Major - P3
Reporter: Ralph Capasso Assignee: Benjamin Caimano (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.4
Sprint: Security 2021-03-22, Security 2021-04-05
Participants:
Linked BF Score: 169

Description

When trying to authenticate from ARNs for AWS China and Gov regions, the server throws an error message:

{"t":{"$date":"2021-02-24T21:46:18.029+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn785","msg":"Authentication failed","attr":{"mechanism":"MONGODB-AWS","principalName":"AKIA5BNHFCACSUUDSOR3","authenticationDatabase":"$external","client":"66.65.136.84:50215","result":"Location51282: Incorrect ARN"}}

It appears the code needs to be updated in the following places:
https://github.com/10gen/mongo-enterprise-modules/blob/master/src/sasl/sasl_aws_server_protocol.cpp#L216-L217

https://github.com/10gen/mongo-enterprise-modules/blob/07a2f1b3245d2a18a8b53482091aa32cbf9210be/src/sasl/sasl_aws_server_protocol.cpp#L41

Example ARNs:

  • arn:aws-cn:iam::123312345293:user/some.person
  • arn:aws-cn:iam::123312345293:role/my-test-kms
  • arn:aws-us-gov:iam::123312345293:user/someone.else
  • arn:aws-us-gov:iam::123312345293:role/test-role

Note that for roles, Atlas converts the ARNs to the STS format.
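Added example, not the server's code: the strict `arn:aws:` prefix check the ticket describes next to a field-by-field parser that accepts the China and GovCloud partitions. The fix commit ignores the partition segment; checking it against the three public partitions, the empty region and the 12-digit account are this example's own assumptions about the desired policy.

```cpp
#include <algorithm>
#include <optional>
#include <string>
#include <vector>

// Prefix check of the kind the ticket reports: only the "aws" partition
// passes, so aws-cn and aws-us-gov ARNs are rejected as "Incorrect ARN".
bool acceptsArnStrictPrefix(const std::string& arn) {
    return arn.rfind("arn:aws:iam::", 0) == 0 || arn.rfind("arn:aws:sts::", 0) == 0;
}

struct ArnParts { std::string partition, service, account, resource; };

// Parse "arn:<partition>:<service>:<region>:<account>:<resource>" and validate
// each field instead of matching a literal prefix (assumed policy, see lead-in).
std::optional<ArnParts> parseIamArn(const std::string& arn) {
    std::vector<std::string> f;
    size_t start = 0;
    while (f.size() < 5) {                       // first five fields end at ':'
        size_t pos = arn.find(':', start);
        if (pos == std::string::npos) return std::nullopt;  // too few fields
        f.push_back(arn.substr(start, pos - start));
        start = pos + 1;
    }
    f.push_back(arn.substr(start));              // resource may itself contain ':'

    static const std::vector<std::string> kPartitions{"aws", "aws-cn", "aws-us-gov"};
    if (f[0] != "arn") return std::nullopt;
    if (std::find(kPartitions.begin(), kPartitions.end(), f[1]) == kPartitions.end())
        return std::nullopt;                     // unknown partition
    if (f[2] != "iam" && f[2] != "sts") return std::nullopt;  // Atlas sends STS for roles
    if (!f[3].empty()) return std::nullopt;      // IAM/STS ARNs are global: empty region
    if (f[4].size() != 12 || f[4].find_first_not_of("0123456789") != std::string::npos)
        return std::nullopt;                     // account id is 12 digits
    if (f[5].rfind("user/", 0) != 0 && f[5].rfind("role/", 0) != 0 &&
        f[5].rfind("assumed-role/", 0) != 0)
        return std::nullopt;                     // only principal resource types
    return ArnParts{f[1], f[2], f[4], f[5]};
}
```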



Comments
Comment by Githook User [ 22/Mar/21 ]

Author:

{'name': 'Ben Caimano', 'email': 'ben.caimano@10gen.com'}

Message: SERVER-54799 Ignore partition segment in ARNs
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/3e505ebefa885a38c28425189b05bdb6c86b902a

Comment by James Heppenstall [ 25/Feb/21 ]

ryan.egesdahl that makes sense. Just wanted to highlight that if there are any other instances in the codebase where we're matching arn:aws:* then those should also be updated as part of this ticket

Comment by James Heppenstall [ 25/Feb/21 ]

If there are any other instances in the server codebase where AWS ARNs are being used, we should also update them to handle prefixes for China (arn:aws-cn:*) and Gov (arn:aws-us-gov:*).
