Integrate AWS IAM Role-based Authentication for MongoDB Atlas

bom/pom.xml

@@ -59,6 +59,8 @@
         <!-- Keep these version consistent with pekko-persistence-mongodb.version's build.sbt -->
         <mongo-java-driver.version>5.1.1</mongo-java-driver.version>
 
+        <mongo-driver-sync.version>5.1.2</mongo-driver-sync.version>
+
         <jjwt.version>0.12.5</jjwt.version>
         <asm.version>9.2</asm.version>
         <qpid-jms-client.version>1.11.0</qpid-jms-client.version>
@@ -111,6 +113,7 @@
         <scalatest.version>3.2.17</scalatest.version>
         <docker-java.version>3.3.3</docker-java.version>
         <system-rules.version>1.19.0</system-rules.version>
+        <awssdk.version>2.26.21</awssdk.version>
     </properties>
 
     <dependencyManagement>
@@ -205,7 +208,11 @@
                 <artifactId>mongo-scala-driver_2.13</artifactId>
                 <version>${mongo-java-driver.version}</version>
             </dependency>
-
+            <dependency>
+                <groupId>org.mongodb</groupId>
+                <artifactId>mongodb-driver-sync</artifactId>
+                <version>${mongo-driver-sync.version}</version>
+            </dependency>
 
             <!-- Pekko Management -->
             <dependency>
@@ -803,6 +810,18 @@
                 <version>${classindex.version}</version>
             </dependency>
 
+            <!-- ### aws sdk ### -->
+            <dependency>
+                <groupId>software.amazon.awssdk</groupId>
+                <artifactId>sts</artifactId>
+                <version>${awssdk.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>software.amazon.awssdk</groupId>
+                <artifactId>auth</artifactId>
+                <version>${awssdk.version}</version>
+            </dependency>
+
             <!-- ### Provided - own artifacts ### -->
             <dependency>
                 <groupId>org.eclipse.ditto</groupId>

deployment/helm/ditto/templates/_helpers.tpl

@@ -70,3 +70,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Get IAM Role ARN from Values if USE_IAM_ROLE is true
+*/}}
+{{- define "ditto.iamRoleArn" -}}
+{{- if .Values.serviceAccount.isUseAwsIamRole -}}
+  {{ .Values.serviceAccount.roleArn }}
+{{- else -}}
+  ""
+{{- end -}}
+{{- end -}}

deployment/helm/ditto/templates/connectivity-deployment.yaml

@@ -284,6 +284,14 @@ spec:
             {{- if .Values.connectivity.extraEnv }}
               {{- toYaml .Values.connectivity.extraEnv | nindent 12 }}
             {{- end }}
+            {{ - if .Values.serviceAccount.isUseAwsIamRole }}
+            - name: AWS_ROLE_ARN
+              value: "{{ .Values.serviceAccount.roleArn }}"
+            - name: AWS_WEB_IDENTITY_TOKEN_FILE
+              value: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
+            {{ - end }}
+            - name: USE_AWS_IAM_ROLE
+              value: "{{ printf "%t" .Values.serviceAccount.isUseAwsIamRole }}"
           ports:
             - name: remoting
               containerPort: {{ .Values.pekko.remoting.port }}

deployment/helm/ditto/templates/policies-deployment.yaml

@@ -268,6 +268,14 @@ spec:
             {{- if .Values.policies.extraEnv }}
               {{- toYaml .Values.policies.extraEnv | nindent 12 }}
             {{- end }}
+            {{ - if .Values.serviceAccount.isUseAwsIamRole }}
+            - name: AWS_ROLE_ARN
+              value: "{{ .Values.serviceAccount.roleArn }}"
+            - name: AWS_WEB_IDENTITY_TOKEN_FILE
+              value: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
+            {{ - end }}
+            - name: USE_AWS_IAM_ROLE
+              value: "{{ printf "%t" .Values.serviceAccount.isUseAwsIamRole }}"
           ports:
             - name: http
               containerPort: 8080

deployment/helm/ditto/templates/serviceaccount.yaml

@@ -16,5 +16,9 @@ metadata:
   name: {{ template "ditto.serviceAccountName" . }}
   labels:
     app.kubernetes.io/name: {{ include "ditto.name" . }}
+  annotations:
+    { { - if .Values.serviceAccount.isUseAwsIamRole } }
+    eks.amazonaws.com/role-arn: { { .Values.serviceAccount.roleArn } }
+    { { - end } }
 {{ include "ditto.labels" . | indent 4 }}
 {{- end -}}

deployment/helm/ditto/templates/things-deployment.yaml

@@ -275,6 +275,14 @@ spec:
             {{- if .Values.things.extraEnv }}
               {{- toYaml .Values.things.extraEnv | nindent 12 }}
             {{- end }}
+            {{ - if .Values.serviceAccount.isUseAwsIamRole }}
+            - name: AWS_ROLE_ARN
+              value: "{{ .Values.serviceAccount.roleArn }}"
+            - name: AWS_WEB_IDENTITY_TOKEN_FILE
+              value: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
+            {{ - end }}
+            - name: USE_AWS_IAM_ROLE
+              value: "{{ printf "%t" .Values.serviceAccount.isUseAwsIamRole }}"
           ports:
             - name: remoting
               containerPort: {{ .Values.pekko.remoting.port }}

deployment/helm/ditto/templates/thingssearch-deployment.yaml

@@ -263,7 +263,15 @@ spec:
             {{- if .Values.thingsSearch.extraEnv }}
               {{- toYaml .Values.thingsSearch.extraEnv | nindent 12 }}
             {{- end }}
-          ports:
+            {{ - if .Values.serviceAccount.isUseAwsIamRole }}
+            - name: AWS_ROLE_ARN
+              value: "{{ .Values.serviceAccount.roleArn }}"
+            - name: AWS_WEB_IDENTITY_TOKEN_FILE
+              value: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
+            {{ - end }}
+            - name: USE_AWS_IAM_ROLE
+              value: "{{ printf "%t" .Values.serviceAccount.isUseAwsIamRole }}"
+        ports:
             - name: remoting
               containerPort: {{ .Values.pekko.remoting.port }}
               protocol: TCP

deployment/helm/ditto/values.yaml

@@ -19,6 +19,8 @@ serviceAccount:
   # name is the name of the service account to use
   #  If not set and create is true, a name is generated using the fullname template
   name:
+  isUseAwsIamRole: false
+  roleArn: ""
 
 rbac:
   # enabled controls whether RBAC resources will be created

internal/utils/persistence/pom.xml

@@ -162,6 +162,18 @@
             <groupId>org.apache.pekko</groupId>
             <artifactId>pekko-persistence-query_${scala.version}</artifactId>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>sts</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>auth</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.mongodb</groupId>
+            <artifactId>mongodb-driver-sync</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

internal/utils/persistence/src/main/java/org/eclipse/ditto/internal/utils/persistence/mongo/MongoClientWrapper.java

@@ -25,18 +25,12 @@
 import javax.annotation.concurrent.NotThreadSafe;
 import javax.net.ssl.SSLContext;
 
+import com.mongodb.*;
 import org.bson.Document;
 import org.bson.conversions.Bson;
 import org.eclipse.ditto.internal.utils.persistence.mongo.config.MongoDbConfig;
 import org.reactivestreams.Publisher;
 
-import com.mongodb.ClientSessionOptions;
-import com.mongodb.ConnectionString;
-import com.mongodb.MongoClientSettings;
-import com.mongodb.ReadConcern;
-import com.mongodb.ReadPreference;
-import com.mongodb.ServerAddress;
-import com.mongodb.WriteConcern;
 import com.mongodb.connection.ClusterDescription;
 import com.mongodb.connection.ServerDescription;
 import com.mongodb.connection.TransportSettings;
@@ -53,6 +47,9 @@
 
 import io.netty.channel.EventLoopGroup;
 import io.netty.channel.nio.NioEventLoopGroup;
+import software.amazon.awssdk.auth.credentials.AwsCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
 
 /**
  * Default implementation of DittoMongoClient.
@@ -259,6 +256,7 @@ static final class MongoClientWrapperBuilder implements DittoMongoClientBuilder,
         @Nullable private ConnectionString connectionString;
         private String defaultDatabaseName;
         private boolean sslEnabled;
+        private boolean isUseAwsIamRole;
         @Nullable private EventLoopGroup eventLoopGroup;
 
         private MongoClientWrapperBuilder() {
@@ -307,6 +305,7 @@ static GeneralPropertiesStep newInstance(final MongoDbConfig mongoDbConfig) {
 
             final MongoDbConfig.OptionsConfig optionsConfig = mongoDbConfig.getOptionsConfig();
             builder.enableSsl(optionsConfig.isSslEnabled());
+            builder.useAwsIamRole(optionsConfig.isUseAwsIamRole());
             builder.setReadPreference(optionsConfig.readPreference().getMongoReadPreference());
             builder.setReadConcern(optionsConfig.readConcern().getMongoReadConcern());
             builder.setWriteConcern(optionsConfig.writeConcern());
@@ -315,6 +314,11 @@ static GeneralPropertiesStep newInstance(final MongoDbConfig mongoDbConfig) {
             return builder;
         }
 
+        public MongoClientWrapperBuilder useAwsIamRole(boolean useAwsIamRole) {
+            this.isUseAwsIamRole = useAwsIamRole;
+            return this;
+        }
+
         @Override
         public GeneralPropertiesStep connectionString(final String string) {
             connectionString = new ConnectionString(checkNotNull(string, "connection string"));
@@ -440,6 +444,10 @@ public GeneralPropertiesStep setRetryWrites(final boolean retryWrites) {
         public MongoClientWrapper build() {
             buildAndApplySslSettings();
 
+            if (isUseAwsIamRole) {
+                applyAwsIamRoleSettings();
+            }
+
             return new MongoClientWrapper(mongoClientSettingsBuilder.build(), defaultDatabaseName,
                     dittoMongoClientSettingsBuilder.build(), eventLoopGroup);
         }
@@ -476,6 +484,18 @@ private static SSLContext createAndInitSslContext() throws NoSuchAlgorithmExcept
             return result;
         }
 
-    }
+        private void applyAwsIamRoleSettings() {
+            AwsCredentialsProvider credentialsProvider = getAwsCredentialsProvider();
+            AwsCredentials credentials = credentialsProvider.resolveCredentials();
+            MongoCredential credential = MongoCredential.createAwsCredential(
+                    credentials.accessKeyId(),
+                    credentials.secretAccessKey().toCharArray()
+            );
+            mongoClientSettingsBuilder.credential(credential);
+        }
 
+        private static AwsCredentialsProvider getAwsCredentialsProvider() {
+            return DefaultCredentialsProvider.create();
+        }
+    }
 }

internal/utils/persistence/src/main/java/org/eclipse/ditto/internal/utils/persistence/mongo/config/DefaultOptionsConfig.java

@@ -39,6 +39,7 @@ public final class DefaultOptionsConfig implements MongoDbConfig.OptionsConfig {
      */
     static final String CONFIG_PATH = "options";
 
+    private final boolean useAwsIamRole;
     private final boolean sslEnabled;
     private final ReadPreference readPreference;
     private final ReadConcern readConcern;
@@ -47,6 +48,7 @@ public final class DefaultOptionsConfig implements MongoDbConfig.OptionsConfig {
     private final Map<String, Object> extraUriOptions;
 
     private DefaultOptionsConfig(final ScopedConfig config) {
+        useAwsIamRole = config.getBoolean(OptionsConfigValue.USE_AWS_IAM_ROLE.getConfigPath());
         sslEnabled = config.getBoolean(OptionsConfigValue.SSL_ENABLED.getConfigPath());
         final var readPreferenceString = config.getString(OptionsConfigValue.READ_PREFERENCE.getConfigPath());
         readPreference = ReadPreference.ofReadPreference(readPreferenceString)
@@ -118,6 +120,11 @@ public boolean isRetryWrites() {
         return retryWrites;
     }
 
+    @Override
+    public boolean isUseAwsIamRole() {
+        return useAwsIamRole;
+    }
+
     @Override
     public Map<String, Object> extraUriOptions() {
         return extraUriOptions;

internal/utils/persistence/src/main/java/org/eclipse/ditto/internal/utils/persistence/mongo/config/MongoDbConfig.java

@@ -165,6 +165,13 @@ interface OptionsConfig {
          */
         boolean isRetryWrites();
 
+        /**
+         * Indicates whether to use AWS IAM role for authentication.
+         *
+         * @return {@code true} if IAM role should be used, {@code false} otherwise.
+         */
+        boolean isUseAwsIamRole();
+
         /**
          * Gets the extra options to add to the configured MongoDB {@code uri}.
          *
@@ -203,6 +210,11 @@ enum OptionsConfigValue implements KnownConfigValue {
              */
             RETRY_WRITES("retryWrites", true),
 
+            /**
+             * Determines whether IAM role should be used for authentication.
+             */
+            USE_AWS_IAM_ROLE("useAwsIamRole", false),
+
             /**
              * The extra options to add to the configured MongoDB {@code uri}.
              */