Skip to content

Commit daa8899

Browse files
DmitryLukyanovDmitryLukyanov
authored
CSHARP-3740: Add native support for AWS IAM Roles for service accounts, EKS in particular. (#947)
1 parent 83e29d9 commit daa8899

File tree

9 files changed

+224
-422
lines changed

9 files changed

+224
-422
lines changed

evergreen/evergreen.yml

Lines changed: 80 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -432,7 +432,12 @@ functions:
432432
"iam_auth_assume_role_name" : "${iam_auth_assume_role_name}",
433433
"iam_auth_ec2_instance_account" : "${iam_auth_ec2_instance_account}",
434434
"iam_auth_ec2_instance_secret_access_key" : "${iam_auth_ec2_instance_secret_access_key}",
435-
"iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}"
435+
"iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}",
436+
"iam_auth_assume_web_role_name": "${iam_auth_assume_web_role_name}",
437+
"iam_web_identity_issuer": "${iam_web_identity_issuer}",
438+
"iam_web_identity_rsa_key": "${iam_web_identity_rsa_key}",
439+
"iam_web_identity_jwks_uri": "${iam_web_identity_jwks_uri}",
440+
"iam_web_identity_token_file": "${iam_web_identity_token_file}"
436441
}
437442
EOF
438443
@@ -551,6 +556,76 @@ functions:
551556
mongo --nodb setup.js aws_e2e_ecs.js
552557
cd -
553558
559+
run-aws-auth-test-with-aws-web-identity-credentials:
560+
- command: shell.exec
561+
type: test
562+
params:
563+
working_dir: mongo-csharp-driver
564+
script: |
565+
${PREPARE_SHELL}
566+
if [ "${skip_web_identity_auth_test}" = "true" ]; then
567+
echo "This platform does not support the web identity auth test, skipping..."
568+
exit 0
569+
fi
570+
cd ${DRIVERS_TOOLS}/.evergreen/auth_aws
571+
. ./activate_venv.sh
572+
mongo aws_e2e_web_identity.js
573+
- command: shell.exec
574+
type: test
575+
params:
576+
working_dir: mongo-csharp-driver
577+
silent: true
578+
script: |
579+
if [ "${skip_web_identity_auth_test}" = "true" ]; then
580+
echo "This platform does not support the web identity auth test, skipping..."
581+
exit 0
582+
fi
583+
# DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
584+
cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
585+
export AWS_ROLE_ARN="${iam_auth_assume_web_role_name}"
586+
export AWS_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}"
587+
export MONGODB_URI="mongodb://localhost"
588+
EOF
589+
- command: shell.exec
590+
type: test
591+
params:
592+
working_dir: mongo-csharp-driver
593+
script: |
594+
${PREPARE_SHELL}
595+
if [ "${skip_web_identity_auth_test}" = "true" ]; then
596+
echo "This platform does not support the web identity auth test, skipping..."
597+
exit 0
598+
fi
599+
PROJECT_DIRECTORY=${PROJECT_DIRECTORY} OS=$OS ASSERT_NO_URI_CREDS=true evergreen/run-mongodb-aws-test.sh
600+
- command: shell.exec
601+
type: test
602+
params:
603+
working_dir: mongo-csharp-driver
604+
silent: true
605+
script: |
606+
if [ "${skip_EC2_auth_test}" = "true" ]; then
607+
echo "This platform does not support the web identity auth test, skipping..."
608+
exit 0
609+
fi
610+
# DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
611+
cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
612+
export AWS_ROLE_ARN="${iam_auth_assume_web_role_name}"
613+
export AWS_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}"
614+
export AWS_ROLE_SESSION_NAME="test"
615+
export MONGODB_URI="mongodb://localhost"
616+
EOF
617+
- command: shell.exec
618+
type: test
619+
params:
620+
working_dir: mongo-csharp-driver
621+
script: |
622+
${PREPARE_SHELL}
623+
if [ "${skip_web_identity_auth_test}" = "true" ]; then
624+
echo "This platform does not support the web identity auth test, skipping..."
625+
exit 0
626+
fi
627+
PROJECT_DIRECTORY=${PROJECT_DIRECTORY} OS=$OS ASSERT_NO_URI_CREDS=true evergreen/run-mongodb-aws-test.sh
628+
554629
run-aws-auth-test-with-aws-credentials-as-environment-variables:
555630
- command: shell.exec
556631
type: test
@@ -1067,6 +1142,7 @@ tasks:
10671142
- func: run-aws-auth-test-with-aws-credentials-and-session-token-as-environment-variables
10681143
- func: run-aws-auth-test-with-aws-EC2-credentials
10691144
- func: run-aws-auth-test-with-aws-ECS-credentials
1145+
- func: run-aws-auth-test-with-aws-web-identity-credentials
10701146

10711147
- name: stable-api-tests-net472
10721148
commands:
@@ -1599,6 +1675,7 @@ axes:
15991675
variables:
16001676
OS: "windows-64"
16011677
skip_ECS_auth_test: true
1678+
skip_web_identity_auth_test: true
16021679
run_on: windows-64-vs2017-test
16031680
- id: "ubuntu-1804"
16041681
display_name: "Ubuntu 18.04"
@@ -1611,13 +1688,15 @@ axes:
16111688
OS: "macos-1100"
16121689
skip_EC2_auth_test: true
16131690
skip_ECS_auth_test: true
1691+
skip_web_identity_auth_test: true
16141692
run_on: macos-1100
16151693
- id: "macos-1100-arm64"
16161694
display_name: "macOS 11.00 M1"
16171695
variables:
16181696
OS: "macos-1100-arm64"
16191697
skip_EC2_auth_test: true
16201698
skip_ECS_auth_test: true
1699+
skip_web_identity_auth_test: true
16211700
run_on: macos-1100-arm64
16221701

16231702
- id: topology

evergreen/run-mongodb-aws-ecs-test.sh

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -8,8 +8,8 @@ set -o errexit # Exit the script with error if any of the commands fail
88
# ASSERT_NO_URI_CREDS Determines whether we need assert existence credentials in connection string or not
99
#
1010
# Environment variables used as output:
11-
# AWS_TESTS_ENABLED Allows runnings AWS tests
12-
# AWS_ECS_TEST Allows runnings EVS tests
11+
# AWS_TESTS_ENABLED Allows running AWS tests
12+
# AWS_ECS_ENABLED Allows running ECS tests
1313
#
1414
############################################
1515
# Main Program #
@@ -28,7 +28,7 @@ fi
2828
# Now we can safely enable xtrace
2929
set -o xtrace
3030
export AWS_TESTS_ENABLED=true
31-
export AWS_ECS_TEST=true
31+
export AWS_ECS_ENABLED=true
3232

3333
# EG scripts for ECS assume that a root folder is "src" and all driver side scripts are placed in ".evergreen" folder.
3434
# So that script is copied into "src/.evergreen" before running

0 commit comments

Comments
 (0)