mongodb · blink1073 · May 30, 2025
@@ -1009,7 +1009,8 @@ The order in which Drivers MUST search for credentials is:
 2. Environment variables
 3. A custom AWS credential provider if the driver supports it.
 4. Using `AssumeRoleWithWebIdentity` if `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` are set.
-5. The ECS endpoint if `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set. Otherwise, the EC2 endpoint.
+5. The EKS endpoint if `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` are set.
+6. The ECS endpoint if `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set. Otherwise, the EC2 endpoint.
 
 > [!NOTE]
 > See *Should drivers support accessing Amazon EC2 instance metadata in Amazon ECS* in [Q & A](#q-and-a)
@@ -1099,6 +1100,33 @@ The JSON response from the STS endpoint will contain credentials in this format:
 
 Note that the token is called `SessionToken` and not `Token` as it would be with other credential responses.
 
+##### EKS endpoint
+
+If a username and password are not provided and the aforementioned environment variables are not set and
+`AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` are set, then drivers MUST use the
+Amazon EKS Pod Identity endpoint to get the credentials. Drivers SHOULD enforce a 10 second read timeout while waiting
+for incoming content.
+
+The "Authorization" header value for the request is obtained by reading the contents of the file given by
+`AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE`.
+
+Querying the URI will return the JSON response:
+
+```javascript
+{
+ "AccessKeyId": <access_key>,
+ "Expiration": <date>,
+ "SecretAccessKey": <secret_access_key>,
+ "Token": <security_token>
+ "AccountId": <aws_account_id>
+}
+```
+
+```bash
+$ TOKEN=$(cat $AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE)
+$ curl -H Authorization:$TOKEN $AWS_CONTAINER_CREDENTIALS_FULL_URI
+```
+
 ##### ECS endpoint
 
 If a username and password are not provided and the aforementioned environment variables are not set, drivers MUST query

@@ -5,11 +5,12 @@ Drivers MUST test the following scenarios:
 1. `Regular Credentials`: Auth via an `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` pair
 2. `EC2 Credentials`: Auth from an EC2 instance via temporary credentials assigned to the machine
 3. `ECS Credentials`: Auth from an ECS instance via temporary credentials assigned to the task
-4. `Assume Role`: Auth via temporary credentials obtained from an STS AssumeRole request
-5. `Assume Role with Web Identity`: Auth via temporary credentials obtained from an STS AssumeRoleWithWebIdentity
+4. `EKS Credentials`: Auth from an EKS instance via temporary credentials assigned to the pod
+5. `Assume Role`: Auth via temporary credentials obtained from an STS AssumeRole request
+6. `Assume Role with Web Identity`: Auth via temporary credentials obtained from an STS AssumeRoleWithWebIdentity
     request
-6. `AWS Lambda`: Auth via environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
-7. Caching of AWS credentials fetched by the driver.
+7. `AWS Lambda`: Auth via environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
+8. Caching of AWS credentials fetched by the driver.
 
 For brevity, this section gives the values `<AccessKeyId>`, `<SecretAccessKey>` and `<Token>` in place of a valid access
 key ID, secret access key and session token (also known as a security token). Note that if these values are passed into
@@ -66,6 +67,14 @@ mongodb://localhost/?authMechanism=MONGODB-AWS
 > No username, password or session token is passed into the URI. Drivers MUST query the ECS container endpoint to obtain
 > these credentials.
 
+## EKS Credentials
+
+Drivers MUST be able to authenticate from an EKS pod via temporary credentials. A sample URI in an EKS pod would be:
+
+```text
+mongodb://mongodb-1234:27017/?authMechanism=MONGODB-AWS
+```
+
 ## AssumeRole
 
 Drivers MUST be able to authenticate using temporary credentials returned from an assume role request. These temporary