New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSHARP-4463: Add aws auth connectivity examples. #1004
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,162 @@ | ||
/* Copyright 2010-present MongoDB Inc. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
using System; | ||
using MongoDB.Bson; | ||
using MongoDB.TestHelpers.XunitExtensions; | ||
using Xunit; | ||
|
||
namespace MongoDB.Driver.Examples.Aws | ||
{ | ||
/// <summary> | ||
/// Atlas preconditions for local run: | ||
/// 1. Get your AWS_* (aws_access_key_id, aws_secret_access_key, aws_session_token (optional, but Pay attention that the value should be regenerated from time to time.)) credentials. | ||
/// You may use `Command line or programming access` page on ..aws.amazon.com | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
programming access => programmatic access There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
the full url contains particular company or region related address parts. But It's possible to provide more detailed address path (changed now). Since effectively |
||
/// 2. Configure credentials folder here: c:\Users\{user_name}\.aws\ | ||
/// 3. Get your arn via `get-caller-identity`: | ||
/// ./aws sts get-caller-identity | ||
///{ | ||
/// "UserId": "blablabla:[user_name@mongodb.com](mailto:user_name@mongodb.com)", | ||
/// "Account": "%ID_VALUE%", | ||
/// "Arn": "arn:aws:sts::%ID_VALUE%:assumed-role/%ROLE_NAME%/[user_name@mongodb.com](mailto:user_name@mongodb.com)" | ||
/// } | ||
/// pay attention on %ROLE_NAME%. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Given this is a public example, we should use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. done |
||
/// </summary> | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
should be at the end of the comment block.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. done |
||
/// 4. list all roles via:. | ||
/// $ ./aws iam list-roles | ||
/// { | ||
/// "Roles": [ | ||
/// { | ||
/// "Path": "..", | ||
/// "RoleName": "%ROLE_NAME%", | ||
/// "Arn": "arn:aws...: | ||
/// ... | ||
/// in the provided roles, search for a record with a RoleName equal to %ROLE_NAME% and record his arn. | ||
/// 5. In your atlas cluster, create a new user with AWS authentication and set AWS IAM Role ARN from #4. | ||
/// 6. Then configure a mongoClient in the same way as it's done in these examples with MONGODB-AWS auth credentials. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. mongoClient => MongoClient (since it's the name of a class and not a variable) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. done |
||
/// | ||
/// Additional notes: | ||
/// 1. To work with authentications that are not based on env vars credentials configuration, make sure that AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN are not set | ||
/// 2. To work with aws profile make sure that env variable AWS_PROFILE has appropriate value if the used aws profile is not default | ||
/// 3. To work with ECS container credentials make sure that AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI has appropriate value | ||
/// 4. To work with EC2 container credentials from EC2 instance metadata make sure a test is launched on EC2 env and AWS_CONTAINER_CREDENTIALS_* is not set | ||
/// 5. To work with Aws WebIdentityToken make sure that AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN and AWS_ROLE_SESSION_NAME are configured | ||
public class AwsAuthenticationExamples | ||
{ | ||
private static readonly string __connectionStringHosts = "<host_address>"; | ||
|
||
[Fact] | ||
public void ConnectionStringAuthConfiguration() | ||
{ | ||
// the test uses env variables only to initialize userName, password and awsSessionToken | ||
RequireEnvironment | ||
.Check() | ||
.EnvironmentVariable("AWS_ACCESS_KEY_ID") | ||
.EnvironmentVariable("AWS_SECRET_ACCESS_KEY") | ||
.EnvironmentVariable("AWS_SESSION_TOKEN"); | ||
|
||
// Start explicit aws credentials configuring via connection string | ||
var username = Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"); | ||
var password = Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY"); | ||
var awsSessionToken = Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN"); | ||
|
||
// AWS_SESSION_TOKEN is optional. If you do not need to specify an AWS session token, omit the authMechanismProperties parameter and his value. | ||
var connectionString = $"mongodb+srv://{username}:{password}@{__connectionStringHosts}?authSource=$external&authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:{awsSessionToken}"; | ||
var mongoClientSettings = MongoClientSettings.FromConnectionString(connectionString); | ||
var client = new MongoClient(mongoClientSettings); | ||
// End explicit aws credentials configuring via connection string | ||
|
||
RunHello(client); | ||
} | ||
|
||
[Fact] | ||
public void ConnectionStringAuthConfiguration_with_auto_fetching_env_variables() | ||
{ | ||
// the test uses env variables fetched inside the driver behind the scene. | ||
// Auto fetching can happen not only from env variables, but adding only a check for them as a simplest guard | ||
RequireEnvironment | ||
.Check() | ||
.EnvironmentVariable("AWS_ACCESS_KEY_ID") | ||
.EnvironmentVariable("AWS_SECRET_ACCESS_KEY") | ||
.EnvironmentVariable("AWS_SESSION_TOKEN"); // optional | ||
|
||
// Start aws authentication configuring via connection string with implicit credentials fetching | ||
var connectionString = $"mongodb+srv://{__connectionStringHosts}?authSource=$external&authMechanism=MONGODB-AWS"; | ||
var mongoClientSettings = MongoClientSettings.FromConnectionString(connectionString); | ||
var client = new MongoClient(mongoClientSettings); | ||
// End aws authentication configuring via connection string with implicit credentials fetching | ||
|
||
RunHello(client); | ||
} | ||
|
||
|
||
[Fact] | ||
public void MongoClientSettingsAuthConfiguration() | ||
{ | ||
// the test uses env variable only to initialize userName, password and awsSessionToken | ||
RequireEnvironment | ||
.Check() | ||
.EnvironmentVariable("AWS_ACCESS_KEY_ID") | ||
.EnvironmentVariable("AWS_SECRET_ACCESS_KEY") | ||
.EnvironmentVariable("AWS_SESSION_TOKEN"); | ||
|
||
// Start explicit aws credentials configuring via MongoCredential | ||
var username = Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"); | ||
var password = Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY"); | ||
var awsSessionToken = Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN"); | ||
|
||
// AWS_SESSION_TOKEN is optional. If you do not need to specify an AWS session token, omit calling WithMechanismProperty method. | ||
var awsCredentials = new MongoCredential("MONGODB-AWS", new MongoExternalIdentity(username), new PasswordEvidence(password)) | ||
.WithMechanismProperty("AWS_SESSION_TOKEN", awsSessionToken); | ||
|
||
var mongoClientSettings = MongoClientSettings.FromConnectionString($"mongodb+srv://{username}:{password}@{__connectionStringHosts}"); | ||
mongoClientSettings.Credential = awsCredentials; | ||
mongoClientSettings.ServerApi = new ServerApi(ServerApiVersion.V1, strict: true); | ||
var client = new MongoClient(mongoClientSettings); | ||
// End explicit aws credentials configuring via MongoCredential | ||
|
||
RunHello(client); | ||
} | ||
|
||
[Fact] | ||
public void MongoClientSettingsAuthConfiguration_with_auto_fetching_env_variables() | ||
{ | ||
// the test uses env variables fetched inside the driver behind the scene. | ||
// Auto fetching can happen not only from env variables, but adding only a check for them as a simplest guard | ||
RequireEnvironment | ||
.Check() | ||
.EnvironmentVariable("AWS_ACCESS_KEY_ID") | ||
.EnvironmentVariable("AWS_SECRET_ACCESS_KEY") | ||
.EnvironmentVariable("AWS_SESSION_TOKEN"); // optional | ||
|
||
// Start aws authentication configuring via MongoClientSettings with implicit credentials fetching | ||
var awsCredentials = new MongoCredential("MONGODB-AWS", new MongoExternalAwsIdentity(), new ExternalEvidence()); | ||
|
||
var mongoClientSettings = MongoClientSettings.FromConnectionString($"mongodb+srv://{__connectionStringHosts}"); | ||
mongoClientSettings.Credential = awsCredentials; | ||
mongoClientSettings.ServerApi = new ServerApi(ServerApiVersion.V1, strict: true); | ||
var client = new MongoClient(mongoClientSettings); | ||
// End aws authentication configuring via MongoClientSettings with implicit credentials fetching | ||
|
||
RunHello(client); | ||
} | ||
|
||
// private methods | ||
private void RunHello(IMongoClient client) | ||
{ | ||
client.GetDatabase(DatabaseNamespace.Admin.DatabaseName).RunCommand<BsonDocument>("{ hello : 1 }"); | ||
} | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The
AWS_*
environment variables should all be uppercase. e.g.AWS_ACCESS_KEY_ID
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pay => pay
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done