From f63de610eaa0fe454c42267a95de41d23b8cbf72 Mon Sep 17 00:00:00 2001 From: Anastasia Alexandrova Date: Tue, 8 Aug 2023 17:57:51 +0300 Subject: [PATCH] PSMDB-1291 Documented AWS STS endpoint configuration (#744) PSMDB-1291 Documented AWS STS endpoint configuration modified: docs/aws-iam-setup.md modified: docs/aws-iam.md modified: docs/index.md --- docs/aws-iam-setup.md | 17 +++++++++++++++++ docs/aws-iam.md | 7 +++++-- docs/index.md | 2 +- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/docs/aws-iam-setup.md b/docs/aws-iam-setup.md index a20ab427..a55391aa 100644 --- a/docs/aws-iam-setup.md +++ b/docs/aws-iam-setup.md @@ -90,6 +90,23 @@ Run the following commands as root or via `sudo` $ sudo systemctl start mongod ``` +#### Configure AWS STS endpoint + +By default, all authentication requests are sent to the `sts.amazonaws.com` endpoint. If this endpoint is unavailable for some reason, you can override it and send AWS STS requests to the endpoints of your choice to ensure successful authentication. You must [enable the AWS region](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html) to use it. + +Edit the `/etc/mongod.conf` configuration file and specify the AWS endpoint for the `awsStsHost` parameter. + +```yaml +security: + authorization: enabled + +setParameter: + authenticationMechanisms: MONGODB-AWS + awsStsHost: +``` + +See the [list of AWS endpoints](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints). + ## Authenticate in Percona Server for MongoDB using AWS IAM To test the authentication, use either of the following methods: diff --git a/docs/aws-iam.md b/docs/aws-iam.md index e663164e..715aeab2 100644 --- a/docs/aws-iam.md +++ b/docs/aws-iam.md 
@@ -32,8 +32,10 @@ For either type of AWS IAM authentication, the flow is the following: The `mongo` client never sends the secret access key to Percona Server for MongoDB. 3. Percona Server for MongoDB sends the received credentials to the AWS STS (Security Token Service) for verification -5. The AWS STS service validates whether the signature is correct and answers with the user / role ARN that created the signature -6. Percona Server for MongoDB looks for the same username as the received ARN in the `$external` database and grants privileges to access Percona Server for MongoDB as defined for the respective user. +4. The AWS STS service validates whether the signature is correct and answers with the user / role ARN that created the signature +5. Percona Server for MongoDB looks for the same username as the received ARN in the `$external` database and grants privileges to access Percona Server for MongoDB as defined for the respective user. + +Starting with version [6.0.6-8](release_notes/6.0.6-8.md), you can [configure the AWS STS endpoint](aws-iam-setup.md#configure-aws-sts-endpoint) by specifying the `setParameter.awsStsHost` in the configuration file. This allows you to send requests to the AWS resources of your choice to meet security requirements of your organization and ensure successful authentication. !!! admonition "See also" 
@@ -42,6 +44,7 @@ For either type of AWS IAM authentication, the flow is the following: * [AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) * [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction) * [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) + * [Managing AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) * MongoDB documentation: [Set Up Passwordless Authentication with AWS IAM](https://www.mongodb.com/docs/atlas/security/passwordless-authentication/#std-label-passwordless-auth-aws-no-saml) diff --git a/docs/index.md b/docs/index.md index 0303943d..ea557800 100644 --- a/docs/index.md +++ b/docs/index.md @@ -26,7 +26,7 @@ Percona Server for MongoDB provides the following features: * [External authentication](authentication.md#ext-auth) using OpenLDAP or Active Directory -* [AWS IAM authentication](aws-iam.md) (a [technical preview feature](glosary.md#technical-preview-feature)) +* [AWS IAM authentication](aws-iam.md) (a [technical preview feature](glossary.md#technical-preview-feature)) * [Audit logging](audit-logging.md) to track and query database interactions of users or applications
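Review bot: in the `docs/aws-iam-setup.md` hunk (`@@ -90,6 +90,23 @@`), the YAML example leaves `awsStsHost:` without a value, so a reader who copies it sets an empty parameter; give it a labelled placeholder such as `awsStsHost: sts.<region>.amazonaws.com` and say the value must come from the linked list of AWS STS regional endpoints. The sentence "If this endpoint is unavailable for some reason" also understates why the setting matters: per the flow in `aws-iam.md`, the server grants privileges based on the ARN this host returns for a signature, so the value must only ever point at an AWS STS endpoint, and the text should say so instead of "endpoints of your choice". Finally, the section is inserted right after `sudo systemctl start mongod`, so add that `mongod` has to be restarted after `/etc/mongod.conf` is edited for the parameter to take effect.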
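Review bot: in the `docs/aws-iam.md` hunk (`@@ -32,8 +32,10 @@`), "send requests to the AWS resources of your choice" overstates what `setParameter.awsStsHost` does; it only changes which STS host receives the signature verification request, so reword it to "send the verification request to the AWS STS regional endpoint of your choice". The relative links `release_notes/6.0.6-8.md` and `aws-iam-setup.md#configure-aws-sts-endpoint` must resolve in the docs build; the anchor matches the new `#### Configure AWS STS endpoint` heading in the setup page, so only the release-notes page needs checking. The renumbering of steps 5 and 6 to 4 and 5 correctly closes the gap after step 3.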
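Review bot: the `docs/index.md` hunk fixes the broken `glosary.md` link to `glossary.md`, which is unrelated to the STS endpoint documentation and is not mentioned in the commit message even though the message lists `docs/index.md` as modified; either add a line to the message ("also fixes the glossary link on the index page") or split it into its own commit so the history stays searchable.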