[SERVER-54799] AWS IAM Auth does not support ARNs for AWS China and Gov regions where the ARN does not start with "arn:aws:iam" Created: 25/Feb/21 Updated: 29/Oct/23 Resolved: 22/Mar/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 4.9.0, 4.4.6 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Ralph Capasso | Assignee: | Benjamin Caimano (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||
| Operating System: | ALL | ||||||||
| Backport Requested: |
v4.4
|
||||||||
| Sprint: | Security 2021-03-22, Security 2021-04-05 | ||||||||
| Participants: | |||||||||
| Linked BF Score: | 169 | ||||||||
| Description |
|
When trying to authenticate from ARNs for AWS China and Gov regions, the server throws an error message:
It appears the code needs to be updated in the following places: Example ARNs:
Note that for roles, Atlas converts the ARNs to the STS format. |
| Comments |
| Comment by Githook User [ 22/Mar/21 ] |
|
Author: {'name': 'Ben Caimano', 'email': 'ben.caimano@10gen.com'}Message: |
| Comment by James Heppenstall [ 25/Feb/21 ] |
|
ryan.egesdahl that makes sense. Just wanted to highlight that if there are any other instances in the codebase where we're matching arn:aws:* then those should also be updated as part of this ticket |
| Comment by James Heppenstall [ 25/Feb/21 ] |
|
If there are any other instances in the server codebase where AWS arns are being used, we should also update them to handle prefixes for China (arn:aws-cn:*) and Gov (arn:aws-us-gov:*) |