diff --git a/source/auth/auth.md b/source/auth/auth.md index 22ac4ba845..e8de961b7d 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -1009,7 +1009,8 @@ The order in which Drivers MUST search for credentials is: 2. Environment variables 3. A custom AWS credential provider if the driver supports it. 4. Using `AssumeRoleWithWebIdentity` if `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` are set. -5. The ECS endpoint if `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set. Otherwise, the EC2 endpoint. +5. The EKS endpoint if `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` are set. +6. The ECS endpoint if `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set. Otherwise, the EC2 endpoint. > [!NOTE] > See *Should drivers support accessing Amazon EC2 instance metadata in Amazon ECS* in [Q & A](#q-and-a) 
@@ -1099,6 +1100,33 @@ The JSON response from the STS endpoint will contain credentials in this format: Note that the token is called `SessionToken` and not `Token` as it would be with other credential responses. +##### EKS endpoint + +If a username and password are not provided and the aforementioned environment variables are not set and +`AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` are set, then drivers MUST use the +Amazon EKS Pod Identity endpoint to get the credentials. Drivers SHOULD enforce a 10 second read timeout while waiting +for incoming content. + +The "Authorization" header value for the request is obtained by reading the contents of the file given by +`AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE`. + +Querying the URI will return the JSON response: + +```javascript +{ + "AccessKeyId": , + "Expiration": , + "SecretAccessKey": , + "Token": + "AccountId": +} +``` + +```bash +$ TOKEN=$(cat $AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE) +$ curl -H Authorization:$TOKEN $AWS_CONTAINER_CREDENTIALS_FULL_URI +``` + ##### ECS endpoint If a username and password are not provided and the aforementioned environment variables are not set, drivers MUST query diff --git a/source/auth/tests/mongodb-aws.md b/source/auth/tests/mongodb-aws.md index e64335c3cc..d3511af21d 100644 --- a/source/auth/tests/mongodb-aws.md +++ b/source/auth/tests/mongodb-aws.md 
@@ -5,11 +5,12 @@ Drivers MUST test the following scenarios: 1. `Regular Credentials`: Auth via an `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` pair 2. `EC2 Credentials`: Auth from an EC2 instance via temporary credentials assigned to the machine 3. `ECS Credentials`: Auth from an ECS instance via temporary credentials assigned to the task -4. `Assume Role`: Auth via temporary credentials obtained from an STS AssumeRole request -5. `Assume Role with Web Identity`: Auth via temporary credentials obtained from an STS AssumeRoleWithWebIdentity +4. `EKS Credentials`: Auth from an EKS instance via temporary credentials assigned to the pod +5. `Assume Role`: Auth via temporary credentials obtained from an STS AssumeRole request +6. `Assume Role with Web Identity`: Auth via temporary credentials obtained from an STS AssumeRoleWithWebIdentity request -6. `AWS Lambda`: Auth via environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`. -7. Caching of AWS credentials fetched by the driver. +7. `AWS Lambda`: Auth via environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`. +8. Caching of AWS credentials fetched by the driver. For brevity, this section gives the values ``, `` and `` in place of a valid access key ID, secret access key and session token (also known as a security token). Note that if these values are passed into @@ -66,6 +67,14 @@ mongodb://localhost/?authMechanism=MONGODB-AWS > No username, password or session token is passed into the URI. Drivers MUST query the ECS container endpoint to obtain > these credentials. +## EKS Credentials + +Drivers MUST be able to authenticate from an EKS pod via temporary credentials. A sample URI in an EKS pod would be: + +```text +mongodb://mongodb-1234:27017/?authMechanism=MONGODB-AWS +``` + ## AssumeRole Drivers MUST be able to authenticate using temporary credentials returned from an assume role request. These temporary
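Review bot: in the first hunk (auth.md credential search order), the new step 5 only fires when both `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` are set, so a pod where only the URI variable is present silently falls through to step 6 and ends up querying the EC2 endpoint; the spec should say whether that partial configuration is skipped or reported as an error, and should also state the precedence when both `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` are set, since the numbered list implies EKS wins but the text never says so.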
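Review bot: in the second hunk (new "EKS endpoint" section in auth.md), the JSON example is missing a comma after `"Token":` before the `"AccountId":` line, so it is not valid JSON as shown; the `bash` example should also quote its expansions (`TOKEN=$(cat "$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")` and `-H "Authorization: $TOKEN"`), otherwise a token containing shell-special characters breaks the header. Two things the prose should pin down as well: whether drivers read the token file once or on every request (the section only says the header "is obtained by reading the contents of the file"), and whether drivers must restrict the host in `AWS_CONTAINER_CREDENTIALS_FULL_URI` (for example to loopback or link-local addresses) before sending the bearer token to it, since as written the token is transmitted to whatever host the environment variable names.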
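Review bot: in the third hunk (scenario list in tests/mongodb-aws.md), item 4 reads "Auth from an EKS instance via temporary credentials assigned to the pod", but the new section below it is phrased as authenticating "from an EKS pod"; use "EKS pod" in the list item too so the two match, and consider noting which environment variables the test harness sets for this scenario, as the ECS scenario is distinguished from EC2 only by its variables.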
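Review bot: in the fourth hunk (new "## EKS Credentials" section in tests/mongodb-aws.md), the section stops at the sample URI, whereas the preceding ECS section carries a `>` note stating that no username, password or session token is passed in the URI and that drivers MUST query the container endpoint; add the parallel note here ("Drivers MUST query the EKS Pod Identity endpoint to obtain these credentials") so the test requirement is explicit and consistent with the spec text added in auth.md.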