Add EKSProvider for AWS credentials using Pod Identity agent and integrate into AWSCredentialProvider chain #2146

@vipulsharma2190 vipulsharma2190 commented Jul 28, 2025

Summary

This pull request introduces a new EKSProvider to the AWS credential provider chain in the MongoDB Go driver. The EKSProvider enables the driver to retrieve AWS credentials from the endpoint specified by the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable.

Background & Motivation

AWS recently introduced the Pod Identity agent for EKS, which provides IAM credentials to pods via a local HTTP endpoint. The agent sets the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable in the pod, typically pointing to a URL like http://169.254.170.23/v1/credentials.

The implementation of EKSProvider is essentially similar to the existing ECSProvider, with the main difference being the use of a different environment variable and endpoint for credential retrieval. This change ensures the driver can authenticate seamlessly in EKS environments using Pod Identity.

AWS SDK: Container Credentials
Pod Identity Agent

@vipulsharma2190 vipulsharma2190 requested a review from a team as a code owner July 28, 2025 11:20
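Added example, not code from this pull request or from the driver: a Go sketch of the checks a provider that reads AWS_CONTAINER_CREDENTIALS_FULL_URI can apply before trusting the endpoint and its response. The function names, the allow-listed hosts other than 169.254.170.23, and the response field names are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/url"
	"time"
)

// Credentials mirrors the JSON document the credentials endpoint returns (assumed shape).
type Credentials struct {
	AccessKeyID            string `json:"AccessKeyId"`
	SecretAccessKey, Token string
	Expiration             time.Time
}

// Plain-HTTP hosts accepted besides loopback: the agent address quoted in the PR
// description, plus (assumptions) its IPv6 form and the ECS task endpoint.
var allowedHTTPHosts = map[string]bool{"169.254.170.23": true, "fd00:ec2::23": true, "169.254.170.2": true}

// validateURI stops the agent token and the returned keys from being exchanged
// with whatever host the environment variable happens to name.
func validateURI(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return nil, errors.New("credentials URI must be an absolute URL")
	}
	ip := net.ParseIP(u.Hostname()) // nil for DNS names, so http to a hostname is refused
	if u.Scheme == "https" || (u.Scheme == "http" && ip != nil && (ip.IsLoopback() || allowedHTTPHosts[ip.String()])) {
		return u, nil
	}
	return nil, fmt.Errorf("refusing %q endpoint on host %q", u.Scheme, u.Hostname())
}

// parseCredentials rejects incomplete or already-expired responses.
func parseCredentials(body []byte) (*Credentials, error) {
	var c Credentials
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" || !c.Expiration.After(time.Now()) {
		return nil, errors.New("credentials incomplete or expired")
	}
	return &c, nil
}

// Constructed off-allow-list address (documentation range), expected to be refused.
func main() { fmt.Println(validateURI("http://203.0.113.10/v1/credentials")) }
```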
prestonvasquez (Member) commented Jul 28, 2025

DRIVERS-2945 (Support for AWS EKS Pod Identity) is currently blocked, noting:

Drivers that optionally support an AWS SDK will not be expected to implement support in the non-SDK version of the logic

Go Driver plans to optionally support aws-sdk-go-v2 with GODRIVER-3567.

CC: @matthewdale

@alcaeus alcaeus requested review from prestonvasquez and removed request for matthewdale July 28, 2025 18:23
prestonvasquez (Member) commented

@fdgod09 See this comment for closure reason: #2146 (comment)

As a stopgap, users can register their own authenticator using auth.RegisterAuthenticatorFactory:

V1: https://gist.github.com/prestonvasquez/4c339bf9e26217c65172b9849a43d505
V2: https://gist.github.com/prestonvasquez/d36d3c6bf57a574b5451ee53277236f1

@vipulsharma2190 vipulsharma2190 deleted the feature/add-eks-aws-credential-provider branch July 29, 2025 02:58