Status Completed
Created by Guest
Created on Oct 7, 2020

Support for EKS Service Account Credentials in MONGODB-AWS

It would be great to be able to authenticate to MongoDB using EKS service accounts.

Currently, the order in which Drivers MUST search for credentials is:

1. Credentials passed through the URI
2. Environment variables
3. ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
4. EC2 endpoint

(https://pymongo.readthedocs.io/en/stable/examples/authentication.html#mongodb-aws)

It is possible to use the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables injected into the pod by EKS to assume the service account role and get temporary security credentials, which could then be passed to the URI as described in AssumeRole (https://pymongo.readthedocs.io/en/stable/examples/authentication.html#assumerole). The boto client for sts provides an assume_role_with_web_identity method that accepts role_arn and web_identity_token as parameters that can be used to obtain temporary credentials.

Rather than having to add extra boilerplate code to applications, is this something that could be supported natively by the drivers? So the order the drivers would search for credentials might then look like the following:

1. Credentials passed through the URI
2. Environment variables
3. ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set.
4. Assume EKS Service account role to get temporary credentials if and only if AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are set
5. EC2 endpoint
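
The application-side boilerplate the request above describes, as an added example that is not part of the original post or any driver's code: it applies the proposed search order, exchanges the EKS-injected token through STS, and builds a MONGODB-AWS URI. The host name, the session name and the injected `sts_client` (in a pod, `boto3.client("sts")`) are assumptions.

```python
import os
from urllib.parse import quote_plus


def credential_source(env):
    """Pick a source using the search order proposed in the post.

    Credentials embedded in the URI come first and are the caller's concern.
    """
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment"
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"):
        return "ecs"
    # Both variables must be present; EKS injects them as a pair.
    if env.get("AWS_ROLE_ARN") and env.get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        return "eks-web-identity"
    return "ec2"


def eks_temporary_credentials(env, sts_client, session_name="mongodb-aws-example"):
    """Exchange the projected service account token for temporary credentials."""
    # Re-read the file on every call: the kubelet rotates the token on disk.
    with open(env["AWS_WEB_IDENTITY_TOKEN_FILE"]) as fh:
        token = fh.read().strip()
    resp = sts_client.assume_role_with_web_identity(
        RoleArn=env["AWS_ROLE_ARN"],
        RoleSessionName=session_name,  # assumed name, shows up in CloudTrail
        WebIdentityToken=token,
    )
    # Credentials carries AccessKeyId, SecretAccessKey, SessionToken, Expiration.
    return resp["Credentials"]


def mongodb_aws_uri(host, creds):
    """Build a MONGODB-AWS URI; secrets are percent-encoded, never logged here."""
    return (
        f"mongodb+srv://{quote_plus(creds['AccessKeyId'])}:"
        f"{quote_plus(creds['SecretAccessKey'])}@{host}/"
        "?authMechanism=MONGODB-AWS&authMechanismProperties="
        f"AWS_SESSION_TOKEN:{quote_plus(creds['SessionToken'])}"
    )


if __name__ == "__main__" and credential_source(os.environ) == "eks-web-identity":
    import boto3  # needed only on this path

    creds = eks_temporary_credentials(os.environ, boto3.client("sts"))
    # Temporary credentials expire; rebuild the client before this time.
    print("temporary credentials expire at", creds["Expiration"])
```

The resulting URI contains live secrets, so keep it out of logs and error messages, and rebuild it before the `Expiration` time returned by STS.
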
  • ADMIN RESPONSE
    Oct 18, 2025
    This has now been completed in most drivers.

    * MongoDB Java driver EKS Service Account support is in driver version 4.8.0
    * MongoDB C Driver EKS Service Account support is in driver version 1.2.4
    * MongoDB C# Driver EKS Service Account support is in driver version 2.19.0
    * MongoDB Go Driver EKS Service Account support is in driver version 1.12.0
    * MongoDB Node.JS Driver EKS Service Account support is in driver version 5.1.0
    * MongoDB Python Driver EKS Service Account support is in driver version 4.4.0
    * MongoDB Ruby Driver EKS Service Account support is in driver version 2.19.0
    * MongoDB Rust Driver EKS Service Account support is in driver version 2.6.0

    If you have any questions please reach out!

    Rachelle
  • Guest
    Feb 14, 2024
    The MongoDB documentation for passwordless authentication has not been updated with the latest changes in the drivers. https://www.mongodb.com/docs/atlas/security/passwordless-authentication/
  • Guest
    Feb 10, 2022
    +1 Telling someone to manually go and fetch the identity from AWS is very undesirable. This stuff is complicated enough, and to have each app go and implement this seems like not what you want your Mongo customer to do when Mongo itself can implement it once and everyone out there gets this. Security and token refresh is tricky. Let the professionals handle it on the SDK side.
  • Guest
    Feb 9, 2022
    For anybody using Node.js, we have released a package that fixes this more generally (accepts any form of refreshing AWS credentials): https://www.npmjs.com/package/mongodb-auth-aws-improved