<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:24:20 UTC 2024

-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DRIVERS-1941] Add MONGODB-AWS Support for EKS Service Account Auth</title>
                <link>https://jira.mongodb.org/browse/DRIVERS-1941</link>
                <project id="10980" key="DRIVERS">Drivers</project>
                    <description>&lt;div class=&quot;panel&quot; style=&quot;background-color: #fafbfc;border-width: 1px;&quot;&gt;&lt;div class=&quot;panelContent&quot; style=&quot;background-color: #fafbfc;&quot;&gt;
&lt;h3&gt;&lt;a name=&quot;Summary&quot;&gt;&lt;/a&gt;&lt;b&gt;Summary&lt;/b&gt;&lt;/h3&gt;
&lt;p&gt;&lt;font color=&quot;#1a1a1a&quot;&gt;For the MONGODB-AWS authentication mechanism, provide native driver support for obtaining AWS credentials using the preferred method of assigning Kubernetes Service Accounts to workloads.&#160;&lt;/font&gt;&lt;font color=&quot;#1a1a1a&quot;&gt;Currently, the driver &lt;a href=&quot;https://docs.atlas.mongodb.com/security/passwordless-authentication/#aws-eks&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;requires a manual STS token assume for EKS&lt;/a&gt; to happen outside of the driver. This is not only a usability issue but creates bugs with regard to the token lifetimes in failure scenarios.&lt;br/&gt;
&lt;br/&gt;
Relevant Section in Specification: &lt;a href=&quot;https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#obtaining-credentials&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Auth MONGODB-AWS Obtaining Credentials&lt;/a&gt;&lt;br/&gt;
Affordances are already given for ECS, EC2, and Lambda runtimes. EKS is another key runtime that should be more fully supported.&lt;br/&gt;
&lt;/font&gt;&lt;br/&gt;
&lt;b&gt;Motivation&lt;/b&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Whoistheaffectedenduser%3F&quot;&gt;&lt;/a&gt;Who is the affected end user?&lt;/h4&gt;
&lt;p&gt;AWS EKS users who are using the AWS IAM Passwordless Authentication for Atlas.&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Howdoesthisaffecttheenduser%3F&quot;&gt;&lt;/a&gt;How does this affect the end user?&lt;/h4&gt;

&lt;p&gt;More code is required to authenticate outside of the driver for EKS. This involves rebuilding a connection string and creates special case code when deploying within EKS vs any other normal deployment. This increases configuration for end user apps and introduces places for bugs and misconfiguration.&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Howlikelyisitthatthisproblemorusecasewilloccur%3F&quot;&gt;&lt;/a&gt;How likely is it that this problem or use case will occur?&lt;/h4&gt;

&lt;p&gt;For any EKS users who would like to increase security by using AWS IAM roles to eliminate secrets, they will run into this issue.&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Iftheproblemdoesoccur%2Cwhataretheconsequencesandhowseverearethey%3F&quot;&gt;&lt;/a&gt;If the problem does occur, what are the consequences and how severe are they?&lt;/h4&gt;
&lt;p&gt;Failure scenarios when a connection drops and a reconnection is initiated will fail due to an expired token. This can mean applications are required to crash and restart in order to obtain valid credentials, or complex error handling will need to be implemented.&lt;/p&gt;

&lt;p&gt;As far as the usability issue, the problem occurs for every user who needs to figure out how to accomplish this authentication. Manual STS token assumption is an additional burden placed on every user within EKS.&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Isthisissueurgent%3F&quot;&gt;&lt;/a&gt;Is this issue urgent?&lt;/h4&gt;

&lt;p&gt;This issue is not urgent, but the problem is significant enough to deter usage of passwordless IAM authentication which would increase end user deployment security.&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Isthisticketrequiredbyadownstreamteam%3F&quot;&gt;&lt;/a&gt;Is this ticket required by a downstream team?&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;No.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Isthisticketonlyfortests%3F&quot;&gt;&lt;/a&gt;Is this ticket only for tests?&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;No.&lt;/em&gt;&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;</description>
                <environment></environment>
        <key id="1889470">DRIVERS-1941</key>
            <summary>Add MONGODB-AWS Support for EKS Service Account Auth</summary>
                <type id="14901" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14700&amp;avatarType=issuetype">Spec Change</type>
                                            <priority id="10300" iconUrl="https://jira.mongodb.org/images/icons/priorities/medium.svg">Unknown</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="3">Duplicate</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="kevincent@tradestation.com">Kekoa Vincent</reporter>
                        <labels>
                            <label>driver</label>
                    </labels>
                <created>Mon, 4 Oct 2021 19:15:28 +0000</created>
                <updated>Tue, 1 Feb 2022 19:08:31 +0000</updated>
                            <resolved>Tue, 1 Feb 2022 19:08:30 +0000</resolved>
                                                        <component>Authentication</component>
                                        <votes>0</votes>
                                    <watches>5</watches>
                                                                                                                <comments>
                            <comment id="4313663" author="alexander.golin" created="Tue, 25 Jan 2022 19:14:55 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=james.kovacs&quot; class=&quot;user-hover&quot; rel=&quot;james.kovacs&quot;&gt;james.kovacs&lt;/a&gt; anyone in particular we should solicit a thumbs up from re: your comment above? Otherwise sounds like we can close out! &lt;/p&gt;</comment>
                            <comment id="4113287" author="JIRAUSER1262734" created="Fri, 8 Oct 2021 16:24:16 +0000"  >&lt;p&gt;We have submitted a PR to the Go driver to share our solution and submit it for your consideration to implement similar fixes on all drivers. &lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/pull/766/files&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-go-driver/pull/766/files&lt;/a&gt;&#160;&lt;/p&gt;</comment>
                            <comment id="4109181" author="kevin.albertson" created="Thu, 7 Oct 2021 02:10:38 +0000"  >&lt;p&gt;Thank you for the detailed description and PR&#160;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=kevincent%40tradestation.com&quot; class=&quot;user-hover&quot; rel=&quot;kevincent@tradestation.com&quot;&gt;kevincent@tradestation.com&lt;/a&gt;!&#160;&lt;/p&gt;</comment>
                            <comment id="4100548" author="JIRAUSER1262734" created="Mon, 4 Oct 2021 19:18:52 +0000"  >&lt;p&gt;Also opened PR at &lt;a href=&quot;https://github.com/mongodb/specifications/pull/1075&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/specifications/pull/1075&lt;/a&gt;&#160;.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="1953998">DRIVERS-2011</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="1953998">DRIVERS-2011</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="1710421">DRIVERS-1746</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10951" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Driver Changes</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10748"><![CDATA[Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hznyg7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>