|
| 1 | +/* Copyright 2010-present MongoDB Inc. |
| 2 | +* |
| 3 | +* Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | +* you may not use this file except in compliance with the License. |
| 5 | +* You may obtain a copy of the License at |
| 6 | +* |
| 7 | +* http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | +* |
| 9 | +* Unless required by applicable law or agreed to in writing, software |
| 10 | +* distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | +* See the License for the specific language governing permissions and |
| 13 | +* limitations under the License. |
| 14 | +*/ |
| 15 | + |
| 16 | +using System; |
| 17 | +using MongoDB.Bson; |
| 18 | +using MongoDB.TestHelpers.XunitExtensions; |
| 19 | +using Xunit; |
| 20 | + |
| 21 | +namespace MongoDB.Driver.Examples.Aws |
| 22 | +{ |
| 23 | + /// <summary> |
| 24 | + /// Atlas preconditions for local run: |
| 25 | + /// 1. Configure AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optionally AWS_SESSION_TOKEN. If used, AWS_SESSION_TOKEN should be regenerated periodically. |
| 26 | + /// You may use `Command line or programmatic access` page on awsapps.com |
| 27 | + /// 2. Configure credentials folder here: c:\Users\{user}\.aws\ |
| 28 | + /// 3. Get your arn via `get-caller-identity`: |
| 29 | + /// ./aws sts get-caller-identity |
| 30 | + ///{ |
| 31 | + /// "UserId": "%ID%:[user@example.com]", |
| 32 | + /// "Account": "%ID_VALUE%", |
| 33 | + /// "Arn": "arn:aws:sts::%ID_VALUE%:assumed-role/%ROLE_NAME%/[user@example.com]" |
| 34 | + /// } |
| 35 | + /// pay attention on %ROLE_NAME%. |
| 36 | + /// 4. list all roles via:. |
| 37 | + /// $ ./aws iam list-roles |
| 38 | + /// { |
| 39 | + /// "Roles": [ |
| 40 | + /// { |
| 41 | + /// "Path": "..", |
| 42 | + /// "RoleName": "%ROLE_NAME%", |
| 43 | + /// "Arn": "arn:aws...: |
| 44 | + /// ... |
| 45 | + /// in the provided roles, search for a record with a RoleName equal to %ROLE_NAME% and record his arn. |
| 46 | + /// 5. In your atlas cluster, create a new user with AWS authentication and set AWS IAM Role ARN from #4. |
| 47 | + /// 6. Then configure a MongoClient in the same way as it's done in these examples with MONGODB-AWS auth credentials. |
| 48 | + /// |
| 49 | + /// Additional notes: |
| 50 | + /// 1. To work with authentications that are not based on env vars credentials configuration, make sure that AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN are not set |
| 51 | + /// 2. To work with aws profile make sure that env variable AWS_PROFILE has appropriate value if the used aws profile is not default |
| 52 | + /// 3. To work with ECS container credentials make sure that AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI has appropriate value |
| 53 | + /// 4. To work with EC2 container credentials from EC2 instance metadata make sure a test is launched on EC2 env and AWS_CONTAINER_CREDENTIALS_* is not set |
| 54 | + /// 5. To work with Aws WebIdentityToken make sure that AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN and AWS_ROLE_SESSION_NAME are configured |
| 55 | + /// </summary> |
| 56 | + public class AwsAuthenticationExamples |
| 57 | + { |
| 58 | + private static readonly string __connectionStringHosts = "<host_address>"; |
| 59 | + |
| 60 | + [Fact] |
| 61 | + public void ConnectionStringAuthConfiguration() |
| 62 | + { |
| 63 | + // the test uses env variables only to initialize userName, password and awsSessionToken |
| 64 | + RequireEnvironment |
| 65 | + .Check() |
| 66 | + .EnvironmentVariable("AWS_ACCESS_KEY_ID") |
| 67 | + .EnvironmentVariable("AWS_SECRET_ACCESS_KEY") |
| 68 | + .EnvironmentVariable("AWS_SESSION_TOKEN"); |
| 69 | + |
| 70 | + // Start explicit aws credentials configuring via connection string |
| 71 | + var username = Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"); |
| 72 | + var password = Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY"); |
| 73 | + var awsSessionToken = Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN"); |
| 74 | + |
| 75 | + // AWS_SESSION_TOKEN is optional. If you do not need to specify an AWS session token, omit the authMechanismProperties parameter and his value. |
| 76 | + var connectionString = $"mongodb+srv://{username}:{password}@{__connectionStringHosts}?authSource=$external&authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:{awsSessionToken}"; |
| 77 | + var mongoClientSettings = MongoClientSettings.FromConnectionString(connectionString); |
| 78 | + var client = new MongoClient(mongoClientSettings); |
| 79 | + // End explicit aws credentials configuring via connection string |
| 80 | + |
| 81 | + RunHello(client); |
| 82 | + } |
| 83 | + |
| 84 | + [Fact] |
| 85 | + public void ConnectionStringAuthConfiguration_with_auto_fetching_env_variables() |
| 86 | + { |
| 87 | + // the test uses env variables fetched inside the driver behind the scene. |
| 88 | + // Auto fetching can happen not only from env variables, but adding only a check for them as a simplest guard |
| 89 | + RequireEnvironment |
| 90 | + .Check() |
| 91 | + .EnvironmentVariable("AWS_ACCESS_KEY_ID") |
| 92 | + .EnvironmentVariable("AWS_SECRET_ACCESS_KEY") |
| 93 | + .EnvironmentVariable("AWS_SESSION_TOKEN"); // optional |
| 94 | + |
| 95 | + // Start aws authentication configuring via connection string with implicit credentials fetching |
| 96 | + var connectionString = $"mongodb+srv://{__connectionStringHosts}?authSource=$external&authMechanism=MONGODB-AWS"; |
| 97 | + var mongoClientSettings = MongoClientSettings.FromConnectionString(connectionString); |
| 98 | + var client = new MongoClient(mongoClientSettings); |
| 99 | + // End aws authentication configuring via connection string with implicit credentials fetching |
| 100 | + |
| 101 | + RunHello(client); |
| 102 | + } |
| 103 | + |
| 104 | + |
| 105 | + [Fact] |
| 106 | + public void MongoClientSettingsAuthConfiguration() |
| 107 | + { |
| 108 | + // the test uses env variable only to initialize userName, password and awsSessionToken |
| 109 | + RequireEnvironment |
| 110 | + .Check() |
| 111 | + .EnvironmentVariable("AWS_ACCESS_KEY_ID") |
| 112 | + .EnvironmentVariable("AWS_SECRET_ACCESS_KEY") |
| 113 | + .EnvironmentVariable("AWS_SESSION_TOKEN"); |
| 114 | + |
| 115 | + // Start explicit aws credentials configuring via MongoCredential |
| 116 | + var username = Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"); |
| 117 | + var password = Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY"); |
| 118 | + var awsSessionToken = Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN"); |
| 119 | + |
| 120 | + // AWS_SESSION_TOKEN is optional. If you do not need to specify an AWS session token, omit calling WithMechanismProperty method. |
| 121 | + var awsCredentials = new MongoCredential("MONGODB-AWS", new MongoExternalIdentity(username), new PasswordEvidence(password)) |
| 122 | + .WithMechanismProperty("AWS_SESSION_TOKEN", awsSessionToken); |
| 123 | + |
| 124 | + var mongoClientSettings = MongoClientSettings.FromConnectionString($"mongodb+srv://{username}:{password}@{__connectionStringHosts}"); |
| 125 | + mongoClientSettings.Credential = awsCredentials; |
| 126 | + mongoClientSettings.ServerApi = new ServerApi(ServerApiVersion.V1, strict: true); |
| 127 | + var client = new MongoClient(mongoClientSettings); |
| 128 | + // End explicit aws credentials configuring via MongoCredential |
| 129 | + |
| 130 | + RunHello(client); |
| 131 | + } |
| 132 | + |
| 133 | + [Fact] |
| 134 | + public void MongoClientSettingsAuthConfiguration_with_auto_fetching_env_variables() |
| 135 | + { |
| 136 | + // the test uses env variables fetched inside the driver behind the scene. |
| 137 | + // Auto fetching can happen not only from env variables, but adding only a check for them as a simplest guard |
| 138 | + RequireEnvironment |
| 139 | + .Check() |
| 140 | + .EnvironmentVariable("AWS_ACCESS_KEY_ID") |
| 141 | + .EnvironmentVariable("AWS_SECRET_ACCESS_KEY") |
| 142 | + .EnvironmentVariable("AWS_SESSION_TOKEN"); // optional |
| 143 | + |
| 144 | + // Start aws authentication configuring via MongoClientSettings with implicit credentials fetching |
| 145 | + var awsCredentials = new MongoCredential("MONGODB-AWS", new MongoExternalAwsIdentity(), new ExternalEvidence()); |
| 146 | + |
| 147 | + var mongoClientSettings = MongoClientSettings.FromConnectionString($"mongodb+srv://{__connectionStringHosts}"); |
| 148 | + mongoClientSettings.Credential = awsCredentials; |
| 149 | + mongoClientSettings.ServerApi = new ServerApi(ServerApiVersion.V1, strict: true); |
| 150 | + var client = new MongoClient(mongoClientSettings); |
| 151 | + // End aws authentication configuring via MongoClientSettings with implicit credentials fetching |
| 152 | + |
| 153 | + RunHello(client); |
| 154 | + } |
| 155 | + |
| 156 | + // private methods |
| 157 | + private void RunHello(IMongoClient client) |
| 158 | + { |
| 159 | + client.GetDatabase(DatabaseNamespace.Admin.DatabaseName).RunCommand<BsonDocument>("{ hello : 1 }"); |
| 160 | + } |
| 161 | + } |
| 162 | +} |
0 commit comments