2 changes: 1 addition & 1 deletion .evergreen/setup-mongodb-aws-auth-tests.sh
@@ -18,7 +18,7 @@ cd $DRIVERS_TOOLS/.evergreen/auth_aws
# Create a python virtual environment.
. ./activate-authawsvenv.sh
# Source the environment variables. Configure the environment and the server.
. aws_setup.sh $AWS_CREDENTIAL_TYPE
. aws_setup.sh --nouri $AWS_CREDENTIAL_TYPE
Contributor
Is there some logging we can add that confirms that the aws_tester.py is correctly running with that option set? I think the current version of the script here should be passing something in, but currently nothing is printing in the run (e.g. here).

Member Author
We could file a ticket to update the tools script to log this, but it would be obvious if the option was set or not given the tests. In this PR if the option wasn't set the driver would be throwing an error since MONGODB_URI would have the credentials set. (But we don't want to log what our URIs are in CI or we redact them)

Contributor
I think it would be useful to do this anyway for debugging purposes in the future - can you go ahead and file the corresponding ticket?


cd $BEFORE
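Review bot: nothing after `. aws_setup.sh --nouri $AWS_CREDENTIAL_TYPE` at line 29 verifies that the `--nouri` option took effect, and the thread above agrees the only signal today is a downstream driver error. Since the whole point of the flag is to keep credentials out of `MONGODB_URI`, add a post-source check that fails fast without printing the URI, e.g. `case "$MONGODB_URI" in *@*) echo "MONGODB_URI still carries credentials; --nouri not honoured" >&2; exit 1;; esac`, so a regression in the tools script is caught here rather than by an unrelated auth failure.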

2 changes: 1 addition & 1 deletion .gitmodules
@@ -1,3 +1,3 @@
[submodule "drivers-evergreen-tools"]
path = drivers-evergreen-tools
url = https://github.com/mongodb-labs/drivers-evergreen-tools.git
url = https://github.com/mongodb-labs/drivers-evergreen-tools.git
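Review bot: the removed and added `url = https://github.com/mongodb-labs/drivers-evergreen-tools.git` lines are byte-for-byte identical as rendered, so this hunk is most likely a trailing-whitespace or end-of-file newline change only. If that is intentional, say so in the commit message; if the submodule URL or branch was meant to change, the change did not land.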
1 change: 1 addition & 0 deletions src/cmap/auth/mongo_credentials.ts
@@ -58,6 +58,7 @@ export interface AuthMechanismProperties extends Document {
SERVICE_NAME?: string;
SERVICE_REALM?: string;
CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
/** @internal */
AWS_SESSION_TOKEN?: string;
/** A user provided OIDC machine callback function. */
OIDC_CALLBACK?: OIDCCallbackFunction;
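Review bot: the bare `/** @internal */` on `AWS_SESSION_TOKEN` at line 75 hides the property from the public typings without saying why, while every neighbouring property carries a descriptive comment. Since `parseOptions` in this PR now rejects a user-supplied `AWS_SESSION_TOKEN` for MONGODB-AWS, state that in the doc comment, e.g. `/** @internal Not user-settable; parseOptions rejects it for MONGODB-AWS. */`, so a later maintainer does not re-expose it.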
10 changes: 4 additions & 6 deletions src/cmap/auth/mongodb_aws.ts
@@ -56,12 +56,10 @@ export class MongoDBAWS extends AuthProvider {
);
}

if (!authContext.credentials.username) {
authContext.credentials = await makeTempCredentials(
authContext.credentials,
this.credentialFetcher
);
}
authContext.credentials = await makeTempCredentials(
authContext.credentials,
this.credentialFetcher
);

const { credentials } = authContext;
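Review bot: dropping the `if (!authContext.credentials.username)` guard makes `makeTempCredentials` unconditional, so the provider now relies entirely on `parseOptions` having rejected user-supplied credentials; a `MongoCredentials` object built without going through the connection-string parser would still reach `makeTempCredentials` with a username set. Keep a cheap invariant check here (throw if `authContext.credentials.username` is set), or move the rejection into `credentials.validate()` so both entry points share it.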

14 changes: 14 additions & 0 deletions src/connection_string.ts
@@ -423,6 +423,20 @@ export function parseOptions(
);
}

if (isAws) {
const { username, password } = mongoOptions.credentials;
if (username || password) {
throw new MongoAPIError(
'username and password cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK'
Contributor
Suggested change
'username and password cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK'
'username and password cannot be provided directly when using MONGODB-AWS. Credentials must be read via the AWS SDK'

Member Author
I'm hesitant to accept this change as the addition of the word "directly" to me indicates that a username and password could be provided in another fashion. In the case of AWS authentication username and password do not really apply in any form. Same with the comment on the other error message.

Contributor
Open to different phrasing, but I wanted to make sure that we differentiate between the valid and invalid manner of providing the credentials; "via the sdk" isn't really actionable for users, so perhaps something along the lines of "in a manner that can be read by the AWS SDK" and/or "via environment variables or a custom credential provider". Does that make sense?

);
}
if (mongoOptions.credentials.mechanismProperties.AWS_SESSION_TOKEN) {
throw new MongoAPIError(
'AWS_SESSION_TOKEN cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK'
Contributor
Suggested change
'AWS_SESSION_TOKEN cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK'
'AWS_SESSION_TOKEN cannot be provided directly when using MONGODB-AWS. Credentials must be read via the AWS SDK'

);
}
}

mongoOptions.credentials.validate();

// Check if the only auth related option provided was authSource, if so we can remove credentials
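Review bot: the two `isAws` rejections live in `parseOptions` instead of in `mongoOptions.credentials.validate()`, which is called a few lines below, so credentials constructed outside the URI parser bypass them, and `mongodb_aws.ts` in this PR no longer has its own username guard to catch that case. Moving both checks into `validate()` would cover every path with one implementation. On the messages themselves, say what is valid rather than only what is not, e.g. `'... Credentials must be supplied through the AWS SDK credential chain (environment variables or a custom credential provider)'`, which also settles the wording thread above without the word "directly".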
4 changes: 0 additions & 4 deletions test/integration/node-specific/examples/aws_handler.js
@@ -6,10 +6,6 @@ const { MongoClient } = require('mongodb');
// options. Note that MongoClient now auto-connects so no need to store the connect()
Contributor
I think we need to update the text in the comments to talk about doing this via env vars instead

// promise anywhere and reference it.
const client = new MongoClient(process.env.MONGODB_URI, {
auth: {
username: process.env.AWS_ACCESS_KEY_ID,
password: process.env.AWS_SECRET_ACCESS_KEY
},
authSource: '$external',
authMechanism: 'MONGODB-AWS'
});
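Review bot: the retained comment at line 166 ("options. Note that MongoClient now auto-connects...") still describes the `auth` option that this hunk removes, so the example now reads as if it forwards credentials it no longer touches. Reword it to say that with `authMechanism: 'MONGODB-AWS'` the driver obtains credentials from the AWS SDK, so `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are read from the environment by the SDK rather than passed as `username`/`password`, as the reviewer asked.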
15 changes: 15 additions & 0 deletions test/spec/auth/legacy/connection-string.json
@@ -440,6 +440,21 @@
}
}
},
{
"description": "should throw an exception if username provided (MONGODB-AWS)",
"uri": "mongodb://user@localhost.com/?authMechanism=MONGODB-AWS",
"valid": false
},
{
"description": "should throw an exception if username and password provided (MONGODB-AWS)",
"uri": "mongodb://user:pass@localhost.com/?authMechanism=MONGODB-AWS",
"valid": false
},
{
"description": "should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS)",
"uri": "mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token",
"valid": false
},
{
"description": "should recognise the mechanism with test environment (MONGODB-OIDC)",
"uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test",
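Review bot: the three new negative cases omit `authSource=$external`, which the driver's own example in `aws_handler.js` sets alongside `authMechanism: 'MONGODB-AWS'`, so an implementation that validates `authSource` before credentials could reject these URIs for the wrong reason and the tests would still pass. Add `&authSource=$external` to each of the three URIs so that the only invalid element is the one under test (the username, the username and password, or `AWS_SESSION_TOKEN`).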
11 changes: 10 additions & 1 deletion test/spec/auth/legacy/connection-string.yml
@@ -320,6 +320,15 @@ tests:
mechanism: MONGODB-AWS
mechanism_properties:
AWS_SESSION_TOKEN: token!@#$%^&*()_+
- description: should throw an exception if username provided (MONGODB-AWS)
uri: mongodb://user@localhost.com/?authMechanism=MONGODB-AWS
valid: false
- description: should throw an exception if username and password provided (MONGODB-AWS)
uri: mongodb://user:pass@localhost.com/?authMechanism=MONGODB-AWS
valid: false
- description: should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS)
uri: mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token
valid: false
- description: should recognise the mechanism with test environment (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test
valid: true
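Review bot: the unchanged context at lines 214-216 (`mechanism: MONGODB-AWS` with `mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+`) is the expected credential of a positive case that this same file now contradicts with "should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS)". Skipping the old case in the runner under NODE-7228 leaves the spec asserting both outcomes for one property; delete the two legacy positive cases from the YAML and regenerated JSON in this PR instead of skipping them.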
@@ -468,4 +477,4 @@ tests:
(MONGODB-OIDC)
uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s
valid: false
credential: null
credential: null
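Review bot: the removed and added `credential: null` lines are identical as rendered, so this second hunk is an end-of-file newline or whitespace change only; it is harmless, but worth mentioning in the commit message so nobody looks for a behavioural change in the k8s OIDC case.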
9 changes: 9 additions & 0 deletions test/unit/assorted/auth.spec.test.ts
@@ -1,13 +1,22 @@
import { loadSpecTests } from '../../spec';
import { executeUriValidationTest } from '../../tools/uri_spec_runner';

const SKIP = [
Contributor (@dariakp, Oct 8, 2025)
I don't have a good file to comment on, but I was looking for changes to the prose tests, and noticed that our prose tests don't follow the convention - the relevant tests for this are in mongodb_aws.test.ts, where I think we can delete the Case 1 block. Can we move the prose tests from that file to mongodb_aws.prose.test?

'should use username and password if specified (MONGODB-AWS)',
'should use username, password and session token if specified (MONGODB-AWS)'
];

describe('Auth option spec tests (legacy)', function () {
const suites = loadSpecTests('auth', 'legacy');

for (const suite of suites) {
describe(suite.name, function () {
for (const test of suite.tests) {
it(`${test.description}`, function () {
if (SKIP.includes(test.description)) {
this.test.skipReason = `NODE-7228: ${test.description}`;
this.test.skip();
}
executeUriValidationTest(test);
});
}
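Review bot: the `SKIP` list masks the two legacy positive cases under `NODE-7228` rather than removing them from the spec files, even though this PR adds negative cases for the very same inputs, so the suite now depends on a skip list to stay consistent with itself. `this.test.skip()` throws, so `executeUriValidationTest(test)` is never reached for a skipped case, but that is not obvious from the code; either drop the two cases from the YAML/JSON in this PR so `SKIP` can go away, or add `return` after `this.test.skip()` and a comment saying why the cases are pending.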