Support for EKS Service Account Credentials in MONGODB-AWS
It would be great to be able to authenticate to MongoDB using EKS service accounts.
Currently, the order in which Drivers MUST search for credentials is:
Credentials passed through the URI
Environment variables
ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
EC2 endpoint
(https://pymongo.readthedocs.io/en/stable/examples/authentication.html#mongodb-aws)
It is possible to use the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables injected into the pod by EKS to assume the service account role and get temporary security credentials, which could then be passed to the URI as described in AssumeRole (https://pymongo.readthedocs.io/en/stable/examples/authentication.html#assumerole).
The boto client for sts provides an assume_role_with_web_identity method that accepts role_arn and web_identity_token as parameters that can be used to obtain temporary credentials.
Rather than having to add extra boilerplate code to applications, is this something that could be supported natively by the drivers?
So the order the drivers would search for credentials might then look like the following:
Credentials passed through the URI
Environment variables
ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
Assume EKS Service account role to get temporary credentials if and only if AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are set
EC2 endpoint

This work is currently in progress; you can track your programming language of choice here: https://jira.mongodb.org/browse/DRIVERS-1746
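The workaround the request describes (read the EKS-injected variables, call STS assume_role_with_web_identity, then pass the temporary credentials and session token into a MONGODB-AWS URI), written out as an added example that is not the poster's code nor part of any MongoDB driver. It assumes an STS client with boto3's assume_role_with_web_identity signature and response shape (boto3.client("sts") in a real pod); the stand-in client, role ARN, host name and credential values are constructed so the flow runs offline, and the URI layout follows the pymongo MONGODB-AWS documentation linked above.

```python
import os
from urllib.parse import quote_plus

# Variables EKS injects into a pod whose service account is bound to an IAM role.
ROLE_ARN_VAR = "AWS_ROLE_ARN"
TOKEN_FILE_VAR = "AWS_WEB_IDENTITY_TOKEN_FILE"

def eks_web_identity_available(env=None):
    """The proposed lookup step: only act when both EKS-injected variables are set."""
    env = os.environ if env is None else env
    return bool(env.get(ROLE_ARN_VAR)) and bool(env.get(TOKEN_FILE_VAR))

def assume_service_account_role(sts_client, role_arn, token, session_name="mongodb-aws"):
    """Exchange the projected service-account token for temporary credentials.
    sts_client must offer assume_role_with_web_identity(...) with boto3's STS
    keyword signature; injecting it keeps the function testable without AWS."""
    resp = sts_client.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name,
        WebIdentityToken=token, DurationSeconds=3600)
    c = resp["Credentials"]
    return c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"]

def build_mongodb_aws_uri(host, access_key, secret_key, session_token):
    """Secret keys and session tokens routinely contain '/', '+' and '=', so every
    value is percent-escaped; the session token rides in authMechanismProperties."""
    return ("mongodb+srv://%s:%s@%s/?authMechanism=MONGODB-AWS"
            "&authMechanismProperties=AWS_SESSION_TOKEN:%s"
            % (quote_plus(access_key), quote_plus(secret_key), host,
               quote_plus(session_token)))

class _ConstructedSts:
    """Constructed stand-in for boto3's STS client: same call and response shape,
    fixed credential values, no network."""
    def assume_role_with_web_identity(self, **kw):
        if not kw["RoleArn"].startswith("arn:aws:iam::") or not kw["WebIdentityToken"]:
            raise ValueError("role ARN and web identity token are required")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "se/cr+et",
                                "SessionToken": "tok/en+==", "Expiration": "2030-01-01T00:00:00Z"}}

def connect_uri_for_pod(env, sts_client, host, token_reader=lambda p: open(p).read().strip()):
    """End-to-end step 4 of the proposed order; returns None (fall through) when absent."""
    if not eks_web_identity_available(env):
        return None
    token = token_reader(env[TOKEN_FILE_VAR])
    ak, sk, st = assume_service_account_role(sts_client, env[ROLE_ARN_VAR], token)
    return build_mongodb_aws_uri(host, ak, sk, st)

def demo():
    """Runs the flow on constructed values; a real pod would pass os.environ and boto3."""
    env = {ROLE_ARN_VAR: "arn:aws:iam::123456789012:role/mongo-reader",
           TOKEN_FILE_VAR: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
    return connect_uri_for_pod(env, _ConstructedSts(), "cluster0.example.net",
                               token_reader=lambda _path: "constructed.jwt.token")
```

The credentials STS returns expire (see the Expiration field), so an application doing this itself must also re-run the exchange before expiry, which is the refresh burden the thread argues belongs in the driver.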
-
garland commented
+1
Telling someone to go and manually fetch the identity from AWS is very undesirable. This stuff is complicated enough, and to have each app go and implement this seems like not what you want your mongo customer to do when Mongo itself can implement it once and everyone out there gets this.
Security and token refresh is tricky. Let the professionals handle it on the SDK side.
-
Calvin commented
For anybody using Node.js, we have released a package that fixes this more generally (accepts any form of refreshing AWS credentials): https://www.npmjs.com/package/mongodb-auth-aws-improved