PSMDB-1291 Documented AWS STS endpoint configuration (#744)
PSMDB-1291 Documented AWS STS endpoint configuration

modified:   docs/aws-iam-setup.md
modified:   docs/aws-iam.md
modified:   docs/index.md
nastena1606 authored Aug 8, 2023
1 parent 2f84cd4 commit f63de61
Showing 3 changed files with 23 additions and 3 deletions.
17 changes: 17 additions & 0 deletions docs/aws-iam-setup.md
@@ -90,6 +90,23 @@ Run the following commands as root or via `sudo`
$ sudo systemctl start mongod
```

#### Configure AWS STS endpoint

By default, all authentication requests are sent to the `sts.amazonaws.com` endpoint. If this endpoint is unavailable for some reason, you can override it and send AWS STS requests to the endpoints of your choice to ensure successful authentication. You must [enable the AWS region](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html) to use it.

Edit the `/etc/mongod.conf` configuration file and specify the AWS endpoint for the `awsStsHost` parameter.

```yaml
security:
authorization: enabled
setParameter:
authenticationMechanisms: MONGODB-AWS
awsStsHost: <aws-endpoint>
```

See the [list of AWS endpoints](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints).

## Authenticate in Percona Server for MongoDB using AWS IAM

To test the authentication, use either of the following methods:
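Review bot: the YAML sample under `setParameter:` leaves `awsStsHost: <aws-endpoint>` as a bare placeholder, and the prose above it should make clear what that host is allowed to be: it is the service that validates every MONGODB-AWS signature in the flow, so the text should say it must be an official AWS STS endpoint (a regional one from the linked list, e.g. `sts.us-east-1.amazonaws.com`) rather than "endpoints of your choice", and state whether the value is a hostname or a full URL. Two smaller wording points: "If this endpoint is unavailable for some reason" would read better with the actual motivation (for example a region-restricted or egress-restricted deployment), and "You must enable the AWS region to use it" should say which region is meant, i.e. the region whose STS endpoint you configure. Finally, since this section sits after the `systemctl start mongod` step, add a sentence that `mongod` must be restarted for the edited `/etc/mongod.conf` to take effect.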
7 changes: 5 additions & 2 deletions docs/aws-iam.md
@@ -32,8 +32,10 @@ For either type of AWS IAM authentication, the flow is the following:
The `mongo` client never sends the secret access key to Percona Server for MongoDB.

3. Percona Server for MongoDB sends the received credentials to the AWS STS (Security Token Service) for verification
5. The AWS STS service validates whether the signature is correct and answers with the user / role ARN that created the signature
6. Percona Server for MongoDB looks for the same username as the received ARN in the `$external` database and grants privileges to access Percona Server for MongoDB as defined for the respective user.
4. The AWS STS service validates whether the signature is correct and answers with the user / role ARN that created the signature
5. Percona Server for MongoDB looks for the same username as the received ARN in the `$external` database and grants privileges to access Percona Server for MongoDB as defined for the respective user.

Starting with version [6.0.6-8](release_notes/6.0.6-8.md), you can [configure the AWS STS endpoint](aws-iam-setup.md#configure-aws-sts-endpoint) by specifying the `setParameter.awsStsHost` in the configuration file. This allows you to send requests to the AWS resources of your choice to meet security requirements of your organization and ensure successful authentication.

!!! admonition "See also"

@@ -42,6 +44,7 @@ For either type of AWS IAM authentication, the flow is the following:
* [AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html)
* [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction)
* [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html)
* [Managing AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)

* MongoDB documentation: [Set Up Passwordless Authentication with AWS IAM](https://www.mongodb.com/docs/atlas/security/passwordless-authentication/#std-label-passwordless-auth-aws-no-saml)

2 changes: 1 addition & 1 deletion docs/index.md
@@ -26,7 +26,7 @@ Percona Server for MongoDB provides the following features:
* [External authentication](authentication.md#ext-auth)
using OpenLDAP or Active Directory

* [AWS IAM authentication](aws-iam.md) (a [technical preview feature](glosary.md#technical-preview-feature))
* [AWS IAM authentication](aws-iam.md) (a [technical preview feature](glossary.md#technical-preview-feature))

* [Audit logging](audit-logging.md) to track and query database interactions of users or applications
