3 results found

1. Support for EKS Service Account Credentials in MONGODB-AWS

   Support for EKS Service Account Credentials in MONGODB-AWS

   It would be great to be able to authenticate to MongoDB using EKS service accounts.

   Currently, the order in which Drivers MUST search for credentials is:
   Credentials passed through the URI
   Environment variables
   ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
   EC2 endpoint
   (https://pymongo.readthedocs.io/en/stable/examples/authentication.html#mongodb-aws)

   It is possible use the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables injected into the pod by EKS to assume the service account role and get temporary security credentials, which could then be passed to the uri as described in AssumeRole (https://pymongo.readthedocs.io/en/stable/examples/authentication.html#assumerole).

   The boto client for sts provides a assume_role_with_web_identity method that accepts role_arn and web_identity_token as parameter that can be used to obtain temporary credentials.

   Rather than having to add extra boiler plate code to applications, is this something that could be supported natively by the drivers?

   So the order the drivers would search for credentials might then look like the following:
   Credentials passed through the URI
   Environment variables
   ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
   Assume EKS Service acccount role to get temporary credentials if and only if AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are set
   EC2 endpoint

   Support for EKS Service Account Credentials in MONGODB-AWS

   It would be great to be able to authenticate to MongoDB using EKS service accounts.

   Currently, the order in which Drivers MUST search for credentials is:
   Credentials passed through the URI
   Environment variables
   ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
   EC2 endpoint
   (https://pymongo.readthedocs.io/en/stable/examples/authentication.html#mongodb-aws)

   It is possible use the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables injected into the pod by EKS to assume the service account role and get temporary security credentials, which could then be passed to the uri as described in AssumeRole (https://pymongo.readthedocs.io/en/stable/examples/authentication.html#assumerole).

   The boto client… more

   30 votes

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   2 comments  ·  Python  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close
   started  ·  AdminRachelle (Admin, MongoDB) responded

   This work is currently in progress-  you can track your programming language of choice here https://jira.mongodb.org/browse/DRIVERS-1746

2. Allow custom service names with mongodb+srv URI scheme

   We are using DCOS (marathon/mesos) to manage our services. DCOS generates SRV records for our mongos instances under a record that looks like

   mongos-mongodb.tcp.marathon.mesos
   However, there's currently no way for me to use this because when I provide a connection url like

   mongodb+srv://mongos-mongodb.tcp.marathon.mesos
   the drivers prepend "mongodb.tcp" to the provided url. It's not clear why it's required that the host must start with "mongodb.tcp". Why not let the user specify the actual DNS entry to query?

   I believe the same issue will exist for multiple orchestration frameworks such as Consul/Nomad and Kubernetes.

   5 votes

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   started  ·  0 comments  ·  Unspecified  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

3. Allow Client Side Field Level Encryption (CSFLE) to use EC2 Instance profile credentials with KMS access

   To use CSFLE with AWS KMS, we have to specify the KMS provider key and access key. This makes it less secure b/c we now have to store the credentials that's accessible to the app. Would be great if it could leverage IAM roles for Amazon EC2 to automatically provide credentials to the instance as discussed here:

   https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-iam.html

   2 votes

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   0 comments  ·  Node.js  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close
   started  ·  AdminRachelle (Admin, MongoDB) responded

   Hi all,
   Thank you for raising this feature request. We are currently working on AWS IAM credential support for CSFLE and anticipate release sometime this summer. Please reach out with questions or if you’d like to be part of the beta for the feature.

   Rachelle