Drivers

← MongoDB Feedback Engine

How can we improve the MongoDB Drivers?

Enter your idea

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

Support for EKS Service Account Credentials in MONGODB-AWS

Support for EKS Service Account Credentials in MONGODB-AWS

It would be great to be able to authenticate to MongoDB using EKS service accounts.

Currently, the order in which Drivers MUST search for credentials is:
Credentials passed through the URI
Environment variables
ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
EC2 endpoint
(https://pymongo.readthedocs.io/en/stable/examples/authentication.html#mongodb-aws)

It is possible use the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables injected into the pod by EKS to assume the service account role and get temporary security credentials, which could then be passed to the uri as described in AssumeRole (https://pymongo.readthedocs.io/en/stable/examples/authentication.html#assumerole).

The boto client for sts provides a assume_role_with_web_identity method that accepts role_arn and web_identity_token as parameter that can be used to obtain temporary credentials.

Rather than having to add extra boiler plate code to applications, is this something that could be supported natively by the drivers?

So the order the drivers would search for credentials might then look like the following:
Credentials passed through the URI
Environment variables
ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
Assume EKS Service acccount role to get temporary credentials if and only if AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are set
EC2 endpoint

Support for EKS Service Account Credentials in MONGODB-AWS

It would be great to be able to authenticate to MongoDB using EKS service accounts.

Currently, the order in which Drivers MUST search for credentials is:
Credentials passed through the URI
Environment variables
ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
EC2 endpoint
(https://pymongo.readthedocs.io/en/stable/examples/authentication.html#mongodb-aws)

It is possible use the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables injected into the pod by EKS to assume the service account role and get temporary security credentials, which could then be passed to the uri as described in AssumeRole (https://pymongo.readthedocs.io/en/stable/examples/authentication.html#assumerole).

The boto client…

22 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

planned · 0 comments · Python · Flag idea as inappropriate… · Delete… · Admin →
CSFLE - Integration with more KMS providers like Hashicorp Vault

Automatic CSFLE - To generate and manage the Customer Master key, can we add more KMS providers like Hashicorp Vault. KMS providers currently supported are only: Amazon Web Services KMS and Locally Managed Keyfile.

To work with Hashicorp Vault, it seems, we need to choose Locally Managed Keyfile as the KMS provider. This means that the Master key will be fetched from Vault in memory and then used in the code to encrypt/decrypt the DEK (Data Encryption Key). Ideally, the decryption of DEK should happen in the vault itself as a best practice, and master key should not be brought out of Vault.

Using only AWS KMS is a limitation. Using Locally Managed Keyfile to read key from
another KMS and then use in application is not secure.

Can more KMS providers be supported in a more secure way?

Thanks

Automatic CSFLE - To generate and manage the Customer Master key, can we add more KMS providers like Hashicorp Vault. KMS providers currently supported are only: Amazon Web Services KMS and Locally Managed Keyfile.

To work with Hashicorp Vault, it seems, we need to choose Locally Managed Keyfile as the KMS provider. This means that the Master key will be fetched from Vault in memory and then used in the code to encrypt/decrypt the DEK (Data Encryption Key). Ideally, the decryption of DEK should happen in the vault itself as a best practice, and master key should not be brought…

10 votes

We're glad you're here
Please sign in to leave feedback

Signed in as (Sign out)

Close

Close

We’ll send you updates on this idea

0 comments · Add a new driver · Flag idea as inappropriate… · Delete… · Admin →

planned · AdminRachelle (Admin, MongoDB) responded

Hi all,
With the release of server 5.0 this coming July, we will also GA our integration with Azure and GCP as KMS providers. Hashicorp Vault is planned for later in 2021, along with generic or custom built key management solution support.

Don't see your idea?

Drivers

How can we improve the MongoDB Drivers?

Support for EKS Service Account Credentials in MONGODB-AWS

CSFLE - Integration with more KMS providers like Hashicorp Vault

Feedback

Drivers

Feedback and Knowledge Base

Searching…

Give feedback

Your password has been reset

How can we improve the MongoDB Drivers?

We're glad you're here

Support for EKS Service Account Credentials in MONGODB-AWS

We're glad you're here

CSFLE - Integration with more KMS providers like Hashicorp Vault

We're glad you're here

We're glad you're here

We're glad you're here

Drivers

Categories

Searching…

Give feedback

Your password has been reset