<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 22:43:15 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[COMPASS-6478]  MongoDB Atlas + AWS IAM auth mechanism: implement proper safe obtaining of key/secret/token </title>
                <link>https://jira.mongodb.org/browse/COMPASS-6478</link>
                <project id="13182" key="COMPASS">Compass </project>
                    <description>&lt;h3&gt;&lt;a name=&quot;ProblemStatement%2FRationale&quot;&gt;&lt;/a&gt;&lt;b&gt;Problem Statement/Rationale&lt;/b&gt;&lt;/h3&gt;

&lt;p&gt;&lt;font color=&quot;#505f79&quot;&gt;This is a bug equivalent to &lt;a href=&quot;https://youtrack.jetbrains.com/issue/DBE-17241/MongoDB-Atlas-AWS-IAM-auth-mechanism-implement-proper-safe-obtaining-of-key-secret-token&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;IntelliJ/YouTrack bug DBE-17241 - &#160;MongoDB Atlas + AWS IAM auth mechanism: implement proper safe obtaining of key/secret/token&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;I&apos;m interested in logging in to a MongoDB/Atlas instance&#160;using AWS IAM credentials, an authentication mechanism already available &lt;em&gt;&quot;raw&quot;&lt;/em&gt; in Compass 1.35.0 (New Connection &#8594; Advanced Connection Options &#8594; Authentication &#8594; AWS IAM).&lt;/p&gt;

&lt;p&gt;&lt;b&gt;However&lt;/b&gt;, the current implementation is &quot;raw&quot; and lacking from a security perspective, as it merely asks users to enter an AWS {accessKeyId, secretAccessKey, sessionToken}. What I expect instead from a Mongo + AWS IAM implementation (which I did myself for a system I maintain) is this:&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;Initialize the AWS SDK, which reads AWS config (at ~/.aws/config)&lt;/li&gt;
	&lt;li&gt;Present to the user an AWS MFA (Multi-Factor Authentication) challenge&lt;/li&gt;
	&lt;li&gt;Make an aws-sdk call to AWS &lt;tt&gt;STS.AssumeRole&lt;/tt&gt;&lt;/li&gt;
	&lt;li&gt;Take the (MFA-protected!) call result, a Credentials object with &lt;tt&gt;{ accessKeyId, secretAccessKey, sessionToken, expiration }&lt;/tt&gt;, and build an IAM/Atlas Mongo connection string internally, by doing basic string formatting + URLEncoding.&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;Seeing that Compass &quot;supports&quot; AWS IAM credentials, I was expecting the same: a password/token-copypasta-less experience, MFA-protected, and using shortly-expiring tokens, invisibly to the user!&lt;/p&gt;

&lt;p&gt;But instead, I see that all Compass does currently is to ask users for an &lt;tt&gt;{ accessKeyId, secretAccessKey, sessionToken }&lt;/tt&gt;! Which means that &lt;b&gt;Compass currently does none of the actual security-valuable job&lt;/b&gt; of bundling AWS&apos; SDK in the Electron app and talking to AWS STS &#128533;. As far as I understand, Compass just supports the slightly different syntax of passing IAM secrets in the connection string. But that&apos;s not where the value is! The whole point of AWS IAM + config + MFA is to not have these secrets to copy-paste in the first place!&lt;/p&gt;

&lt;p&gt;Said differently, I was expecting that selecting AWS IAM creds would prompt me with a { AWS config, MFA challenge } form/flow, and not a &lt;tt&gt;{ accessKeyId, secretAccessKey, sessionToken }&lt;/tt&gt; form!&lt;/p&gt;

&lt;p&gt;Final note: I&apos;m trying to connect to an &lt;b&gt;Atlas&lt;/b&gt; instance. So, a security-legit and viable-to-me-Atlas-customer alternative to improving your AWS IAM connection would be to support logging in with Atlas+MFA credentials.&lt;/p&gt;

&lt;p&gt;Does that make sense, or am I missing something? Thanks.&lt;/p&gt;
&lt;h3&gt;&lt;a name=&quot;StepstoReproduce&quot;&gt;&lt;/a&gt;&lt;b&gt;Steps to Reproduce&lt;/b&gt;&lt;/h3&gt;

&lt;p&gt;&lt;font color=&quot;#505f79&quot;&gt;Try to connect to a MongoDB Atlas instance using Compass&apos; AWS IAM authentication method.&lt;/font&gt;&lt;/p&gt;
&lt;h3&gt;&lt;a name=&quot;ExpectedResults&quot;&gt;&lt;/a&gt;&lt;b&gt;Expected Results&lt;/b&gt;&lt;/h3&gt;

&lt;p&gt;&lt;font color=&quot;#505f79&quot;&gt;Be prompted for an AWS config form, and an MFA challenge.&lt;/font&gt;&lt;/p&gt;
&lt;h3&gt;&lt;a name=&quot;ActualResults&quot;&gt;&lt;/a&gt;&lt;b&gt;Actual Results&lt;/b&gt;&lt;/h3&gt;

&lt;p&gt;&lt;font color=&quot;#505f79&quot;&gt;Compass requests I copy-paste and give it AWS &lt;tt&gt;{ accessKeyId, secretAccessKey, sessionToken }&lt;/tt&gt;, defeating the security benefits.&lt;/font&gt;&lt;/p&gt;
&lt;h3&gt;&lt;a name=&quot;AdditionalNotes&quot;&gt;&lt;/a&gt;&lt;b&gt;Additional Notes&lt;/b&gt;&lt;/h3&gt;

&lt;p&gt;&lt;font color=&quot;#505f79&quot;&gt;Compass 1.35.0, up-to-date as of 2023-02-01.&lt;/font&gt;&lt;/p&gt;</description>
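<![CDATA[
The four-step flow the report describes (read ~/.aws/config, MFA challenge, STS AssumeRole, build the MONGODB-AWS URI with URL encoding), written out as an added example. This is not Compass or MongoDB code. The MFA prompt and the STS call are passed in as functions so the block runs offline; a real build would pass `(params) => stsClient.send(new AssumeRoleCommand(params))` from `@aws-sdk/client-sts` as `assumeRole`. The config text, the STS response, the role and MFA ARNs and the cluster hostname are constructed sample values.

```javascript
// Added example, not Compass/MongoDB code: the flow the report asks for,
// arranged so it runs offline. The MFA prompt and the STS call are injected;
// the AWS config text and STS response below are constructed sample data.

// Step 1: read the parts of ~/.aws/config needed for an MFA-protected
// AssumeRole. Non-default profiles are written as "[profile name]".
function readAwsProfile(configText, profileName) {
  const wanted = profileName === 'default' ? 'default' : `profile ${profileName}`;
  let section = null;
  const out = {};
  for (const raw of configText.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { section = header[1].trim(); continue; }
    if (section !== wanted) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  if (!out.role_arn) throw new Error(`profile ${profileName}: no role_arn`);
  return out;
}

// Steps 2 and 3: challenge the user for a TOTP code, then call STS AssumeRole
// with the profile's MFA device serial. `promptMfa` returns the code;
// `assumeRole` performs the call (hypothetical injected function, in a real
// build: stsClient.send(new AssumeRoleCommand(params))).
async function assumeRoleWithMfa(profile, promptMfa, assumeRole) {
  if (!profile.mfa_serial) throw new Error('profile has no mfa_serial; refusing a non-MFA session');
  const tokenCode = await promptMfa(profile.mfa_serial);
  if (!/^\d{6}$/.test(tokenCode)) throw new Error('MFA code must be 6 digits');
  const res = await assumeRole({
    RoleArn: profile.role_arn,
    RoleSessionName: 'compass-' + Date.now(),
    SerialNumber: profile.mfa_serial,
    TokenCode: tokenCode,
    DurationSeconds: 3600, // short-lived on purpose
  });
  const c = res.Credentials;
  return {
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
    expiration: new Date(c.Expiration),
  };
}

// Step 4: build the MONGODB-AWS URI. Each credential component is
// percent-encoded, because secret keys and session tokens routinely contain
// '/', '+' and '=', which would otherwise be parsed as URI structure.
// Expired credentials are rejected before any connection is attempted.
function buildAwsConnectionString(host, creds, now = new Date()) {
  if (!(creds.expiration > now)) throw new Error('STS credentials expired; re-run AssumeRole');
  const user = encodeURIComponent(creds.accessKeyId);
  const pass = encodeURIComponent(creds.secretAccessKey);
  const token = encodeURIComponent(creds.sessionToken);
  return `mongodb+srv://${user}:${pass}@${host}/?authSource=$external` +
    `&authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:${token}`;
}

// Constructed sample data standing in for ~/.aws/config and an STS response.
const SAMPLE_CONFIG = `
[default]
region = us-east-1

[profile prod]
role_arn = arn:aws:iam::123456789012:role/MongoReadOnly
mfa_serial = arn:aws:iam::123456789012:mfa/alice
source_profile = default
`;

const SAMPLE_STS_RESPONSE = {
  Credentials: {
    AccessKeyId: 'ASIAEXAMPLEKEYID0001',
    SecretAccessKey: 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY',
    SessionToken: 'FwoGZXIvYXdzEBYaDExample/Token+With=Specials',
    Expiration: '2099-01-01T00:00:00Z',
  },
};

// End-to-end run with stubbed MFA prompt and STS call (constructed hostname).
async function demo() {
  const profile = readAwsProfile(SAMPLE_CONFIG, 'prod');
  const creds = await assumeRoleWithMfa(profile, async () => '123456', async () => SAMPLE_STS_RESPONSE);
  return buildAwsConnectionString('cluster0.example.mongodb.net', creds);
}
```

The encoding step is the one most often skipped when this string is built by hand: a literal `+` in a secret key can decode to a space and a `/` in the password part can end the authority parse early, and the resulting failure looks like a bad credential rather than a bad URI. Checking `expiration` before connecting turns a confusing server-side auth error into a clear "re-run AssumeRole".
]]>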
                <environment>Compass 1.35.0, up-to-date as of 2023-02-01.</environment>
        <key id="2249789">COMPASS-6478</key>
            <summary> MongoDB Atlas + AWS IAM auth mechanism: implement proper safe obtaining of key/secret/token </summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13203">Gone away</resolution>
                                        <assignee username="julia.oppenheim@mongodb.com">Julia Oppenheim</assignee>
                                    <reporter username="ronanj@unito.io">Ronan Jouchet</reporter>
                        <labels>
                    </labels>
                <created>Wed, 1 Feb 2023 16:42:34 +0000</created>
                <updated>Fri, 27 Oct 2023 20:18:40 +0000</updated>
                            <resolved>Wed, 8 Mar 2023 20:44:06 +0000</resolved>
                                    <version>1.35.0</version>
                                    <fixVersion>No version</fixVersion>
                                    <component>Connectivity</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="5259766" author="julia.oppenheim" created="Wed, 8 Mar 2023 20:44:06 +0000"  >&lt;p&gt;Moved this to our &lt;a href=&quot;https://feedback.mongodb.com/forums/924283-compass/suggestions/46273930-aws-iam-in-compass-is-mfa-protected-uses-shortly&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;feedback portal&lt;/a&gt;, so closing this ticket for now.&#160;&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 2 Feb 2023 15:56:31 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        48 weeks ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10257" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Documentation Changes</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="11861"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            48 weeks ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>julia.oppenheim@mongodb.com</customfieldvalue>
            <customfieldvalue>ronanj@unito.io</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i1tgnr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i1by7c:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i1t2t3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>