Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-54799

AWS IAM Auth does not support ARNs for AWS China and Gov regions where the ARN does not start with "arn:aws:iam"

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 4.9.0, 4.4.6
    • Affects Version/s: None
    • Component/s: Security
    • None
    • Fully Compatible
    • ALL
    • v4.4
    • Security 2021-03-22, Security 2021-04-05
    • 169

      When trying to authenticate from ARNs for AWS China and Gov regions, the server throws an error message:

      {"t":{"$date":"2021-02-24T21:46:18.029+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn785","msg":"Authentication failed","attr":{"mechanism":"MONGODB-AWS","principalName":"AKIA5BNHFCACSUUDSOR3","authenticationDatabase":"$external","client":"66.65.136.84:50215","result":"Location51282: Incorrect ARN"}}
      

      It appears the code needs to be updated in the following places:
      https://github.com/10gen/mongo-enterprise-modules/blob/master/src/sasl/sasl_aws_server_protocol.cpp#L216-L217

      https://github.com/10gen/mongo-enterprise-modules/blob/07a2f1b3245d2a18a8b53482091aa32cbf9210be/src/sasl/sasl_aws_server_protocol.cpp#L41

      Example ARNs:

      • arn:aws-cn:iam::123312345293:user/some.person
      • arn:aws-cn:iam::123312345293:role/my-test-kms
      • arn:aws-us-gov:iam::123312345293:user/someone.else
      • arn:aws-us-gov:iam::123312345293:role/test-role

      Note that for roles, Atlas converts the ARNs to the STS format.

            Assignee:
            ben.caimano@mongodb.com Benjamin Caimano (Inactive)
            Reporter:
            ralph.capasso@mongodb.com Ralph Capasso
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: