
Conversation

JamieTsai1024
Contributor

@JamieTsai1024 JamieTsai1024 commented Jul 24, 2025

Replace existing implementation for getting AWS credentials by using the AWS SDK.

Currently, we have 5 places where we search for AWS credentials:

  1. The MongoDB URI
  2. Environment variables
  3. A custom AWS credential provider if the driver supports it
  4. STS AssumeRole or AssumeRoleWithWebIdentity
  5. The ECS or EC2 endpoint

Testing

For the sake of testing, the existing implementation was replaced instead of being hidden behind a feature flag.

./.evergreen/run-aws-auth.sh

cd .evergreen/auth_aws
# run this script to reconfigure the type of AWS authentication to use
# copy the block of unset and export commands output by the script and run them in the terminal window you're using to run the driver tests
./aws_setup.sh (regular | env-creds | assume-role | session-creds | web-identity)

cd ~/mongo-rust-driver 
# Run the unset and set export commands printed by `./aws_setup.sh` for environment variables 
cargo nextest run auth_aws --features aws-auth

Work to be done for RUST-1529

  • Generate signature using AWS SDK (compute_authorization_header(...))
  • Determine feature flags required
    • May restore deleted implementation from this PR, depending on whether we want to keep the AWS SDK as an optional dependency or replace the original non-SDK implementation entirely

@JamieTsai1024 JamieTsai1024 marked this pull request as ready for review July 25, 2025 20:45
@JamieTsai1024 JamieTsai1024 requested a review from a team as a code owner July 25, 2025 20:45
Contributor

@isabelatkinson isabelatkinson left a comment


I forgot to mention this regarding the testing commit I provided, but we should leave line 226 (patchable: false) in config.yml commented out while this PR is being worked on. patchable: false disables tests from running on every commit to a pull request branch - normally, we don't need to run the AWS authentication tests that frequently, but since we're making AWS-related changes we should be running the tests on this PR.

let aws_credential = {
    // Limit scope of this variable to avoid holding onto the lock for the duration of
    // authenticate_stream.
    let cached_credential = CACHED_CREDENTIAL.lock().await;
Contributor


Does the SDK handle credential caching? We should make sure the new implementation still caches credentials as outlined in the spec

Contributor Author


Following up on this — as we discussed, the SDK does implement credential caching. I’ve linked the relevant documentation here in case it's helpful for future reference!
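As an added example, not code from the driver or from this PR: a small Rust model of the ordered lookup listed in the PR description together with the credential cache raised in the review above (a cached credential is reused until it is close to expiry, and the lock guard is released before any provider is called). The `AwsCredential` shape, the `Provider` type and the five-minute refresh margin are assumptions made for illustration.

```rust
use std::sync::Mutex;
use std::time::{Duration, Instant};
/// Minimal credential shape (assumed for this example).
#[derive(Clone, Debug, PartialEq)]
pub struct AwsCredential {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: Option<String>,
    pub expiration: Option<Instant>,
}

/// One credential source (URI, env vars, custom provider, STS, ECS/EC2);
/// returns `None` when it has nothing to offer.
pub type Provider = fn() -> Option<AwsCredential>;
/// Refresh margin before expiry (assumed value for this example).
pub const REFRESH_MARGIN: Duration = Duration::from_secs(5 * 60);

/// A cached credential is reusable only if it is not about to expire.
pub fn is_usable(cred: &AwsCredential, now: Instant) -> bool {
    match cred.expiration {
        None => true,
        Some(exp) => exp.saturating_duration_since(now) > REFRESH_MARGIN,
    }
}

/// Return the cached credential if still usable; otherwise walk `chain` in
/// order, cache the first hit and return it. The guard is dropped before any
/// provider runs, so slow network calls (STS, ECS, EC2) never hold the lock.
pub fn resolve(
    cache: &Mutex<Option<AwsCredential>>,
    chain: &[Provider],
    now: Instant,
) -> Option<AwsCredential> {
    {
        // Limit the guard's scope to this block.
        let cached = cache.lock().unwrap();
        if let Some(c) = cached.as_ref().filter(|c| is_usable(c, now)) {
            return Some(c.clone());
        }
    }
    let fresh = chain.iter().find_map(|p| p())?;
    *cache.lock().unwrap() = Some(fresh.clone());
    Some(fresh)
}

/// Drop the cached credential (e.g. after the server rejects it).
pub fn invalidate(cache: &Mutex<Option<AwsCredential>>) {
    *cache.lock().unwrap() = None;
}
```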

Contributor

@isabelatkinson isabelatkinson left a comment


sorry if some of my comments are duplicated! the github UI was being weird

isabelatkinson
isabelatkinson previously approved these changes Jul 30, 2025
Contributor

@isabelatkinson isabelatkinson left a comment


LGTM! tagging Abraham for review, and then once he approves you can remove the patchable: false change in .evergreen/config.yml

@isabelatkinson isabelatkinson requested a review from abr-egn July 30, 2025 20:33
@@ -246,6 +300,21 @@ impl AwsCredential {
}
}

// Creates AwsCredential from keys.
fn from_sdk_creds(
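Review bot: The comment above `fn from_sdk_creds(` uses `//` rather than `///`, so it is a plain comment and will not appear in rustdoc; if the function is meant to be documented, write it as `/// Creates an AwsCredential from SDK credentials.` The comment also says "from keys" while the name says "from SDK creds"; making the wording and the parameter type agree (for example by taking the SDK's credentials type directly) would make the intent clearer.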
Contributor


Maybe have this take a Credentials instead?

Contributor Author


Will do! Just as a heads-up, the code for from_sdk_creds will be removed in my next PR when I switch to the AWS SDK for SigV4 signing, so I didn’t prioritize cleaning it up too much. That said, your suggestion is definitely cleaner! :)

abr-egn
abr-egn previously approved these changes Jul 31, 2025
Contributor

@abr-egn abr-egn left a comment


LGTM!

@JamieTsai1024 JamieTsai1024 merged commit c95787f into mongodb:main Aug 1, 2025
17 of 20 checks passed