Uploaded image for project: 'Go Driver'
  1. Go Driver
  2. GODRIVER-3165

MongoDB-AWS Authentication support for any short-lived STS token

    • Type: Icon: Improvement Improvement
    • Resolution: Unresolved
    • Priority: Icon: Unknown Unknown
    • 2.1.0
    • Affects Version/s: None
    • Component/s: Authentication
    • None
    • Go Drivers

      The Golang driver supports "MONGODB-AWS" AuthMechanism when you have:

      a AWS_WEB_IDENTITY_TOKEN_FILE and ROLE_ARN environment variable, eg when supplied by IAM Roles for Service Accounts (IRSA), typical in Kubernetes clusters (assume_role_provider)
      a AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable, typical in AWS Elastic Container Service (ECS) clusters (ecs_provider)
      an AWS EC2 Instance Profile attached, such as when running on an EC2 instance with the Instance Metadata Service enabled. (ec2_provider)
      IAM User or STS keys - either directly as environment variables, or via directly setting on a Credential object (env_provider and static_provider)
      These are all in the mongo-go-driver at https://github.com/mongodb/mongo-go-driver/tree/v1/internal/credproviders

      Token Refreshing is required with short-lived credentials, when you want to maintain a long-lived connection to Mongo. At any time the Mongo Cluster's topology may change (eg due to failover, upgrades, adding extra replicas, etc). With short-lived credentials, they must be renewed before trying to (re)start connections to the Mongo cluster.

      All of the cred providers, except env_provider and static_provider support Token Refreshing.

      This means that a developer who's access to AWS is through short-lived STS tokens via a Federated login (AWS SSO, Okta, etc) are not able to authenticate to Mongo for more than their token's expiry time.

      It also means other methods of authenticating to AWS are not supported.

      This request is to support one of the following:

      A) Provide an sts_token_provider, which can try calling the AWS SDK directly to issue a short-lived token, and refresh it prior to expiry
      B) Provide a way for a consumer of the mongo-go-driver to inject their own credprovider, which can obtain and refresh the token.
      C) Provide a way to set an Expiry time for env_provider and static_provider, and a callback to allow refreshing the token

      My personal preference would be for option A, however this would require including larger sections of the AWS SDK into the mongo-go-driver which may not be ideal for the Mongo team.

      My secondary preference is to allow injecting a custom credprovider. The go driver already has most of the framework for this. awscreds.NewAWSCredentialProvider[1] already has an argument for supplying more credential providers. Unfortunately the caller in mongodbaws.Auth[2] doesn't appear to allow this.

      I believe it should be relatively simple to extend the driver to allow passing in a credprovider, and it would eliminate the need for the mongo-go-driver to include more of the AWS SDK.

      [1] https://github.com/mongodb/mongo-go-driver/blob/v1/x/mongo/driver/auth/creds/awscreds.go#L33
      [2] https://github.com/mongodb/mongo-go-driver/blob/v1/x/mongo/driver/auth/mongodbaws.go#L50

            Assignee:
            Unassigned Unassigned
            Reporter:
            alex.bevilacqua@mongodb.com Alex Bevilacqua
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: