Skip to content

feat(NODE-6141): allow custom aws sdk config #4373

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 25 commits into from
Mar 14, 2025
Merged

feat(NODE-6141): allow custom aws sdk config #4373

merged 25 commits into from
Mar 14, 2025

Conversation

@durran
Copy link
Member

@durran durran commented Jan 17, 2025
edited
Loading

Description

Allows users to provide a custom AWS credential provider for use with MONGODB-AWS authentication.

What is changing?

  • Allow passing a AWS_CREDENTIAL_PROVIDER auth mechanism property to fetch credentials.
  • Passes user provided credential provider to the AWS auth provider.
  • For client side encryption, allows a credentialProviders option to both client encryption options and auto encryption options.
Is there new documentation needed for these changes?

Updates to the AWS auth section in the driver manual.

What is the motivation for this change?

NODE-6141

Release Highlight

Support for custom AWS credential providers

The driver now supports a user supplied custom AWS credentials provider for both authentication and for KMS requests when using client side encryption. The signature for the custom provider must be of () => Promise<AWSCredentials> which matches that of the official AWS SDK provider API. Provider chains from the actual AWS SDK can also be provided, allowing users to customize any of those options.

Example for authentication with a provider chain from the AWS SDK:

import { fromNodeProviderChain } from '@aws-sdk/credential-providers';

const client = new MongoClient(process.env.MONGODB_URI, {
  authMechanismProperties: {
    AWS_CREDENTIAL_PROVIDER: fromNodeProviderChain()
  }
});

Example for using a custom provider for KMS requests only:

import { fromNodeProviderChain } from '@aws-sdk/credential-providers';

const client = new MongoClient(process.env.MONGODB_URI, {
  autoEncryption: {
    keyVaultNamespace: 'keyvault.datakeys',
    kmsProviders: { aws: {} },
    credentialProviders: {
      aws: fromNodeProviderChain()
    }
  }
}

Custom providers do not need to come from the AWS SDK, they just need to be an async function that returns credentials:

const client = new MongoClient(process.env.MONGODB_URI, {
  authMechanismProperties: {
    AWS_CREDENTIAL_PROVIDER: async () => {
      return {
        accessKeyId: process.env.ACCESS_KEY_ID,
        secretAccessKey: process.env.SECRET_ACCESS_KEY
      }
    }
  }
});

Double check the following

  • Ran npm run check:lint script
  • Self-review completed using the steps outlined here
  • PR title follows the correct format: type(NODE-xxxx)[!]: description
    • Example: feat(NODE-1234)!: rewriting everything in coffeescript
  • Changes are covered by tests
  • New TODOs have a related JIRA ticket

@durran durran changed the title feat(NODE-6161): allow custom aws sdk config feat(NODE-6141): allow custom aws sdk config Jan 28, 2025
@durran durran force-pushed the NODE-6141 branch 3 times, most recently from cc7c745 to 39e8251 Compare January 29, 2025 12:56
@durran durran mentioned this pull request Jan 29, 2025
Merged
3 tasks
@durran durran force-pushed the NODE-6141 branch 3 times, most recently from cf513cc to 79272e8 Compare February 12, 2025 18:53
@durran durran force-pushed the NODE-6141 branch 3 times, most recently from 5469458 to 32490b5 Compare February 24, 2025 10:55
@durran durran force-pushed the NODE-6141 branch 3 times, most recently from 001f3d5 to 120f0e6 Compare March 3, 2025 13:06
@durran durran marked this pull request as ready for review March 4, 2025 12:04
@durran durran requested a review from a team as a code owner March 4, 2025 12:04
@W-A-James W-A-James self-assigned this Mar 4, 2025
@W-A-James W-A-James requested review from W-A-James and removed request for a team March 4, 2025 20:41
@W-A-James W-A-James added the Primary Review In Review with primary reviewer, not yet ready for team's eyes label Mar 4, 2025
W-A-James
W-A-James previously requested changes Mar 4, 2025
View reviewed changes
@durran durran force-pushed the NODE-6141 branch 2 times, most recently from 0418b98 to 3733848 Compare March 9, 2025 20:10
@nbbeeken nbbeeken added Team Review Needs review from team and removed Primary Review In Review with primary reviewer, not yet ready for team's eyes labels Mar 10, 2025
@nbbeeken nbbeeken self-requested a review March 10, 2025 14:20
nbbeeken
nbbeeken previously approved these changes Mar 10, 2025
View reviewed changes
@baileympearson
Copy link
Contributor

baileympearson commented Mar 14, 2025

CI failures unrelated and skipped in #4467.

@baileympearson baileympearson merged commit 3d047ed into main Mar 14, 2025
27 of 30 checks passed
@baileympearson baileympearson deleted the NODE-6141 branch March 14, 2025 16:14
@github-actions github-actions bot mentioned this pull request Mar 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@baileympearson baileympearson baileympearson approved these changes

@W-A-James W-A-James Awaiting requested review from W-A-James

+1 more reviewer

@nbbeeken nbbeeken nbbeeken approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@baileympearson baileympearson

Labels

Team Review Needs review from team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@durran @baileympearson @nbbeeken @W-A-James