3 results found

1. Golang Driver - MongoDB-AWS Authentication support for any short-lived STS token

   The Golang driver supports "MONGODB-AWS" AuthMechanism when you have:

   • a AWS_WEB_IDENTITY_TOKEN_FILE and ROLE_ARN environment variable, eg when supplied by IAM Roles for Service Accounts (IRSA), typical in Kubernetes clusters (assume_role_provider)
   • a AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable, typical in AWS Elastic Container Service (ECS) clusters (ecs_provider)
   • an AWS EC2 Instance Profile attached, such as when running on an EC2 instance with the Instance Metadata Service enabled. (ec2_provider)
   • IAM User or STS keys - either directly as environment variables, or via directly setting on a Credential object (env_provider and static_provider)

   These are all in the mongo-go-driver at https://github.com/mongodb/mongo-go-driver/tree/v1/internal/credproviders

   Token Refreshing is required with short-lived credentials, when you want to maintain a long-lived connection to Mongo. At any time the Mongo Cluster's topology may change (eg due to failover, upgrades, adding extra replicas, etc). With short-lived credentials, they must be renewed before trying to (re)start connections to the Mongo cluster.

   All of the cred providers, except env_provider and static_provider support Token Refreshing.

   This means that a developer who's access to AWS is through short-lived STS tokens via a Federated login (AWS SSO, Okta, etc) are not able to authenticate to Mongo for more than their token's expiry time.

   It also means other methods of authenticating to AWS are not supported.

   This request is to support one of the following:

   A) Provide an sts_token_provider, which can try calling the AWS SDK directly to issue a short-lived token, and refresh it prior to expiry
   B) Provide a way for a consumer of the mongo-go-driver to inject their own credprovider, which can obtain and refresh the token.
   C) Provide a way to set an Expiry time for env_provider and static_provider, and a callback to allow refreshing the token

   My personal preference would be for option A, however this would require including larger sections of the AWS SDK into the mongo-go-driver which may not be ideal for the Mongo team.

   My secondary preference is to allow injecting a custom credprovider. The go driver already has most of the framework for this. awscreds.NewAWSCredentialProvider[1] already has an argument for supplying more credential providers. Unfortunately the caller in mongodbaws.Auth[2] doesn't appear to allow this.

   I believe it should be relatively simple to extend the driver to allow passing in a credprovider, and it would eliminate the need for the mongo-go-driver to include more of the AWS SDK.

   [1] https://github.com/mongodb/mongo-go-driver/blob/v1/x/mongo/driver/auth/creds/awscreds.go#L33
   [2] https://github.com/mongodb/mongo-go-driver/blob/v1/x/mongo/driver/auth/mongodbaws.go#L50

   The Golang driver supports "MONGODB-AWS" AuthMechanism when you have:

   • a AWS_WEB_IDENTITY_TOKEN_FILE and ROLE_ARN environment variable, eg when supplied by IAM Roles for Service Accounts (IRSA), typical in Kubernetes clusters (assume_role_provider)
   • a AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable, typical in AWS Elastic Container Service (ECS) clusters (ecs_provider)
   • an AWS EC2 Instance Profile attached, such as when running on an EC2 instance with the Instance Metadata Service enabled. (ec2_provider)
   • IAM User or STS keys - either directly as environment variables, or via directly setting on a Credential object (env_provider and static_provider)

   These are all in the mongo-go-driver… more

   2 votes

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   1 comment  ·  Go  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

2. Provide a mechanism for specifying default database name in connection string

   According to https://jira.mongodb.org/browse/GODRIVER-914 the connection string is only meant to specify the auth database. However, many of the official MongoDB drivers and tools also use the database specified in the connection string as the default if commands are run without specifying a database name.

   The Go driver should either mirror this behaviour found in other drivers, or a parameter should be added to the connection string to allow a default database to be explicitly defined.

   2 votes

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   0 comments  ·  Go  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

3. Have option to auto add/update timestamp

   It would be great if driver can auto update createdat and updatedat timestamp/date

   1 vote

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   0 comments  ·  Go  ·  Edit…  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating