feat(NODE-6094) RFC: Allow the Mongo-AWS creds provider to handle assuming an AWS IAM role. #4081
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
What is changing?
The MONGODB-AWS credential provider will now check if you pass a var AWS_ROLE_ARN as part of your auth mechanism properties. If you do, it will assume that role for you using the AWS SDK's credential provider, which will handle session expiry and re-authentication.
Is there new documentation needed for these changes?
Yes.
What is the motivation for this change?
In our org, we're using the mongo creds provider with an assumed role. We are assuming the role ourselves and passing the resulting key, secret, and session token to the mongo connector. This works fine...
... until the STS session expires.
At this point we need to implement full expiry and reconnection logic ourselves. This sucks - it's finicky, and the code to handle it already exists in both this repository and in the aws-sdk, probably more reliably than we'll ever manage.
It's also annoying because it has to exist outside of the connection pool, and must kill the whole pool. This is the sort of thing a pool should manage for you.
Because of this, we'd really like if the Mongo connector could handle assuming a role for the user. That way we don't need to do all this invalidation + reconnection stuff ourselves, and it lives inside the pool where it belongs. As a selling point to you guys, it actually lives in the aws sdks, not mongo. There is no reconnection logic added as part of this PR as none is needed with this approach.
I haven't set up automated tests with this approach yet, I'd ask for a go/no-go before going to that effort :)
Thanks for your consideration!
Code notes
Most of the changes are just to pass through the authmechanismproperties to where they are needed. This is the first commit.
You'll see the second commit, actually doing the role assumption, is quite small.
Release Highlight
Fill in title or leave empty for no highlight
Double check the following
npm run check:lint
scripttype(NODE-xxxx)[!]: description
feat(NODE-1234)!: rewriting everything in coffeescript