-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CSHARP-4463: Add aws auth connectivity examples. (#1004)
- Loading branch information
1 parent
985e39d
commit 70ed174
Showing
2 changed files
with
162 additions
and
0 deletions.
There are no files selected for viewing
162 changes: 162 additions & 0 deletions
162
tests/MongoDB.Driver.Examples/Aws/AwsAuthenticationExamples.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,162 @@ | ||
/* Copyright 2010-present MongoDB Inc. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
using System; | ||
using MongoDB.Bson; | ||
using MongoDB.TestHelpers.XunitExtensions; | ||
using Xunit; | ||
|
||
namespace MongoDB.Driver.Examples.Aws | ||
{ | ||
/// <summary> | ||
/// Atlas preconditions for local run: | ||
/// 1. Configure AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optionally AWS_SESSION_TOKEN. If used, AWS_SESSION_TOKEN should be regenerated periodically. | ||
/// You may use `Command line or programmatic access` page on awsapps.com | ||
/// 2. Configure credentials folder here: c:\Users\{user}\.aws\ | ||
/// 3. Get your arn via `get-caller-identity`: | ||
/// ./aws sts get-caller-identity | ||
///{ | ||
/// "UserId": "%ID%:[[email protected]]", | ||
/// "Account": "%ID_VALUE%", | ||
/// "Arn": "arn:aws:sts::%ID_VALUE%:assumed-role/%ROLE_NAME%/[[email protected]]" | ||
/// } | ||
/// pay attention on %ROLE_NAME%. | ||
/// 4. list all roles via:. | ||
/// $ ./aws iam list-roles | ||
/// { | ||
/// "Roles": [ | ||
/// { | ||
/// "Path": "..", | ||
/// "RoleName": "%ROLE_NAME%", | ||
/// "Arn": "arn:aws...: | ||
/// ... | ||
/// in the provided roles, search for a record with a RoleName equal to %ROLE_NAME% and record his arn. | ||
/// 5. In your atlas cluster, create a new user with AWS authentication and set AWS IAM Role ARN from #4. | ||
/// 6. Then configure a MongoClient in the same way as it's done in these examples with MONGODB-AWS auth credentials. | ||
/// | ||
/// Additional notes: | ||
/// 1. To work with authentications that are not based on env vars credentials configuration, make sure that AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN are not set | ||
/// 2. To work with aws profile make sure that env variable AWS_PROFILE has appropriate value if the used aws profile is not default | ||
/// 3. To work with ECS container credentials make sure that AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI has appropriate value | ||
/// 4. To work with EC2 container credentials from EC2 instance metadata make sure a test is launched on EC2 env and AWS_CONTAINER_CREDENTIALS_* is not set | ||
/// 5. To work with Aws WebIdentityToken make sure that AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN and AWS_ROLE_SESSION_NAME are configured | ||
/// </summary> | ||
public class AwsAuthenticationExamples | ||
{ | ||
private static readonly string __connectionStringHosts = "<host_address>"; | ||
|
||
[Fact] | ||
public void ConnectionStringAuthConfiguration() | ||
{ | ||
// the test uses env variables only to initialize userName, password and awsSessionToken | ||
RequireEnvironment | ||
.Check() | ||
.EnvironmentVariable("AWS_ACCESS_KEY_ID") | ||
.EnvironmentVariable("AWS_SECRET_ACCESS_KEY") | ||
.EnvironmentVariable("AWS_SESSION_TOKEN"); | ||
|
||
// Start explicit aws credentials configuring via connection string | ||
var username = Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"); | ||
var password = Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY"); | ||
var awsSessionToken = Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN"); | ||
|
||
// AWS_SESSION_TOKEN is optional. If you do not need to specify an AWS session token, omit the authMechanismProperties parameter and his value. | ||
var connectionString = $"mongodb+srv://{username}:{password}@{__connectionStringHosts}?authSource=$external&authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:{awsSessionToken}"; | ||
var mongoClientSettings = MongoClientSettings.FromConnectionString(connectionString); | ||
var client = new MongoClient(mongoClientSettings); | ||
// End explicit aws credentials configuring via connection string | ||
|
||
RunHello(client); | ||
} | ||
|
||
[Fact] | ||
public void ConnectionStringAuthConfiguration_with_auto_fetching_env_variables() | ||
{ | ||
// the test uses env variables fetched inside the driver behind the scene. | ||
// Auto fetching can happen not only from env variables, but adding only a check for them as a simplest guard | ||
RequireEnvironment | ||
.Check() | ||
.EnvironmentVariable("AWS_ACCESS_KEY_ID") | ||
.EnvironmentVariable("AWS_SECRET_ACCESS_KEY") | ||
.EnvironmentVariable("AWS_SESSION_TOKEN"); // optional | ||
|
||
// Start aws authentication configuring via connection string with implicit credentials fetching | ||
var connectionString = $"mongodb+srv://{__connectionStringHosts}?authSource=$external&authMechanism=MONGODB-AWS"; | ||
var mongoClientSettings = MongoClientSettings.FromConnectionString(connectionString); | ||
var client = new MongoClient(mongoClientSettings); | ||
// End aws authentication configuring via connection string with implicit credentials fetching | ||
|
||
RunHello(client); | ||
} | ||
|
||
|
||
[Fact] | ||
public void MongoClientSettingsAuthConfiguration() | ||
{ | ||
// the test uses env variable only to initialize userName, password and awsSessionToken | ||
RequireEnvironment | ||
.Check() | ||
.EnvironmentVariable("AWS_ACCESS_KEY_ID") | ||
.EnvironmentVariable("AWS_SECRET_ACCESS_KEY") | ||
.EnvironmentVariable("AWS_SESSION_TOKEN"); | ||
|
||
// Start explicit aws credentials configuring via MongoCredential | ||
var username = Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"); | ||
var password = Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY"); | ||
var awsSessionToken = Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN"); | ||
|
||
// AWS_SESSION_TOKEN is optional. If you do not need to specify an AWS session token, omit calling WithMechanismProperty method. | ||
var awsCredentials = new MongoCredential("MONGODB-AWS", new MongoExternalIdentity(username), new PasswordEvidence(password)) | ||
.WithMechanismProperty("AWS_SESSION_TOKEN", awsSessionToken); | ||
|
||
var mongoClientSettings = MongoClientSettings.FromConnectionString($"mongodb+srv://{username}:{password}@{__connectionStringHosts}"); | ||
mongoClientSettings.Credential = awsCredentials; | ||
mongoClientSettings.ServerApi = new ServerApi(ServerApiVersion.V1, strict: true); | ||
var client = new MongoClient(mongoClientSettings); | ||
// End explicit aws credentials configuring via MongoCredential | ||
|
||
RunHello(client); | ||
} | ||
|
||
[Fact] | ||
public void MongoClientSettingsAuthConfiguration_with_auto_fetching_env_variables() | ||
{ | ||
// the test uses env variables fetched inside the driver behind the scene. | ||
// Auto fetching can happen not only from env variables, but adding only a check for them as a simplest guard | ||
RequireEnvironment | ||
.Check() | ||
.EnvironmentVariable("AWS_ACCESS_KEY_ID") | ||
.EnvironmentVariable("AWS_SECRET_ACCESS_KEY") | ||
.EnvironmentVariable("AWS_SESSION_TOKEN"); // optional | ||
|
||
// Start aws authentication configuring via MongoClientSettings with implicit credentials fetching | ||
var awsCredentials = new MongoCredential("MONGODB-AWS", new MongoExternalAwsIdentity(), new ExternalEvidence()); | ||
|
||
var mongoClientSettings = MongoClientSettings.FromConnectionString($"mongodb+srv://{__connectionStringHosts}"); | ||
mongoClientSettings.Credential = awsCredentials; | ||
mongoClientSettings.ServerApi = new ServerApi(ServerApiVersion.V1, strict: true); | ||
var client = new MongoClient(mongoClientSettings); | ||
// End aws authentication configuring via MongoClientSettings with implicit credentials fetching | ||
|
||
RunHello(client); | ||
} | ||
|
||
// private methods | ||
private void RunHello(IMongoClient client) | ||
{ | ||
client.GetDatabase(DatabaseNamespace.Admin.DatabaseName).RunCommand<BsonDocument>("{ hello : 1 }"); | ||
} | ||
} | ||
} |
File renamed without changes.