Enable AWS IAM authentication with MongoDB. #2020

Merged
merged 2 commits into from
Feb 4, 2024

@jpd236 jpd236 commented Jan 31, 2024

  • Use a fixed name for the role used to run EC2 instances so it can be referenced in the MongoDB config. Note that if you try to set up JR instances across multiple regions, it will now fail due to the role name being duplicated. If this is a concern, we could append the region name to the role (but this would require one user per region in MongoDB).
  • Include aws4 in dependencies as required for AWS authentication.

ebroder commented Feb 2, 2024

Hmm. If we do this, should we also switch to accepting MONGO_URL (or MONGO_HOST maybe?) via parameter and just constructing it instead of needing credstash at all for that piece?

Since we now support using AWS credentials, these URLs are not as
sensitive and don't need to be stored with credstash. We still fall back
to using credstash if the parameters aren't specified.

jpd236 commented Feb 4, 2024

Sure - we now can take MongoUrl and MongoOplogUrl parameters from CF, or else fall back to credstash as before.

I was a little more hesitant to just take the host and synthesize the URL as there are a few parameters there (particularly the database name) that one might want to customize. I can do this though if preferred. FWIW, here are the URLs I've been using (just taken from what Atlas produced for my instance):

MONGO_URL=mongodb+srv://<host>/jollyroger?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority
MONGO_OPLOG_URL=mongodb+srv://<host>/local?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority
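
As an added example (not part of this pull request or the project's code), one way to check the premise that a MONGODB-AWS URL can be passed as a plain parameter: it flags embedded userinfo or an AWS session token, both of which the connection-string format still permits. `classifyMongoUrl` and the sample hostnames and credentials are hypothetical, constructed for illustration.

```javascript
// Added example: decide whether a MongoDB connection string is free of
// secrets (safe as a plain deployment parameter) or must stay in a secret store.
// classifyMongoUrl is a hypothetical helper; it is not part of the project.
function classifyMongoUrl(url) {
  const m = /^(mongodb(?:\+srv)?):\/\/([^\/?]+)(?:\/([^?]*))?(?:\?(.*))?$/.exec(url);
  if (!m) return { secretFree: false, reasons: ["not a mongodb:// or mongodb+srv:// URL"] };
  const [, , authority, , query = ""] = m;
  const reasons = [];

  // Anything before the last "@" in the authority is userinfo (user[:password]).
  if (authority.lastIndexOf("@") !== -1) {
    reasons.push("URL embeds userinfo (password or AWS access key)");
  }

  // Option names are case-insensitive in MongoDB connection strings.
  const opts = new Map();
  for (const [k, v] of new URLSearchParams(query)) opts.set(k.toLowerCase(), v);

  if (opts.get("authmechanism") !== "MONGODB-AWS") {
    reasons.push("authMechanism is not MONGODB-AWS");
  }
  if (opts.get("authsource") !== "$external") {
    reasons.push("authSource is not $external");
  }
  // Temporary AWS credentials can also be carried in authMechanismProperties.
  if (/AWS_SESSION_TOKEN/i.test(opts.get("authmechanismproperties") || "")) {
    reasons.push("URL embeds an AWS session token");
  }
  return { secretFree: reasons.length === 0, reasons };
}

// Constructed sample URLs (hostnames and credentials are made up).
const SAMPLES = {
  iamRole: "mongodb+srv://cluster0.example.mongodb.net/jollyroger" +
    "?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority",
  password: "mongodb+srv://appuser:EXAMPLEPASS@cluster0.example.mongodb.net/jollyroger" +
    "?retryWrites=true",
  awsKeyInUrl: "mongodb+srv://EXAMPLEKEYID:EXAMPLESECRET@cluster0.example.mongodb.net/jollyroger" +
    "?authSource=%24external&authMechanism=MONGODB-AWS" +
    "&authMechanismProperties=AWS_SESSION_TOKEN:EXAMPLETOKEN",
};

for (const [name, url] of Object.entries(SAMPLES)) {
  console.log(name, classifyMongoUrl(url));
}
```

Only a URL that comes back with `secretFree: true` matches the case discussed in this thread; anything else still belongs in credstash or another secret store.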

ebroder commented Feb 4, 2024

Yeah agreed with not synthesizing the URL from hostname. LGTM!

@ebroder ebroder merged commit 5c4d981 into deathandmayhem:main Feb 4, 2024
1 check passed