Add integration test for AWS web identity credential fetching (#1063)

jyemin · web-flow · commit b6991e5e1392 · 2022-12-13T10:06:21.000-05:00
JAVA-4234
diff --git a/.evergreen/.evg.yml b/.evergreen/.evg.yml
@@ -344,7 +344,13 @@ functions:
 
               "iam_auth_ec2_instance_account" : "${iam_auth_ec2_instance_account}",
               "iam_auth_ec2_instance_secret_access_key" : "${iam_auth_ec2_instance_secret_access_key}",
-              "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}"
+              "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}",
+
+              "iam_auth_assume_web_role_name": "${iam_auth_assume_web_role_name}",
+              "iam_web_identity_issuer": "${iam_web_identity_issuer}",
+              "iam_web_identity_rsa_key": "${iam_web_identity_rsa_key}",
+              "iam_web_identity_jwks_uri": "${iam_web_identity_jwks_uri}",
+              "iam_web_identity_token_file": "${iam_web_identity_token_file}"
           }
           EOF
 
@@ -429,6 +435,67 @@ functions:
           echo "" > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
           JAVA_VERSION=${JAVA_VERSION} AWS_CREDENTIAL_PROVIDER=${AWS_CREDENTIAL_PROVIDER} .evergreen/run-mongodb-aws-test.sh
 
+  "run aws auth test with web identity credentials":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        shell: "bash"
+        script: |
+          ${PREPARE_SHELL}
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_aws
+          . ./activate-authawsvenv.sh
+          mongo aws_e2e_web_identity.js
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        shell: "bash"
+        silent: true
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+            export AWS_ROLE_ARN="${iam_auth_assume_web_role_name}"
+            export AWS_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}"
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        shell: "bash"
+        script: |
+          ${PREPARE_SHELL}
+          if [ "${AWS_CREDENTIAL_PROVIDER}" = "builtIn" ]; then
+             echo "Built-in AWS credential provider does not support the web identity auth test, skipping..."
+             exit 0
+          fi
+          JAVA_VERSION=${JAVA_VERSION} AWS_CREDENTIAL_PROVIDER=${AWS_CREDENTIAL_PROVIDER} ASSERT_NO_URI_CREDS=true .evergreen/run-mongodb-aws-test.sh
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        shell: "bash"
+        silent: true
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+            export AWS_ROLE_ARN="${iam_auth_assume_web_role_name}"
+            export AWS_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}"
+            export AWS_ROLE_SESSION_NAME="test"
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        shell: "bash"
+        script: |
+          ${PREPARE_SHELL}
+          if [ "${AWS_CREDENTIAL_PROVIDER}" = "builtIn" ]; then
+             echo "Built-in AWS credential provider does not support the web identity auth test, skipping..."
+             exit 0
+          fi
+          JAVA_VERSION=${JAVA_VERSION} AWS_CREDENTIAL_PROVIDER=${AWS_CREDENTIAL_PROVIDER} ASSERT_NO_URI_CREDS=true .evergreen/run-mongodb-aws-test.sh
+
   "run aws auth test with aws credentials as environment variables":
     - command: shell.exec
       type: test
@@ -884,6 +951,16 @@ tasks:
         - func: "add aws auth variables to file"
         - func: "run aws auth test with aws EC2 credentials"
 
+    - name: "aws-auth-test-with-web-identity-credentials"
+      commands:
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            AUTH: "auth"
+            ORCHESTRATION_FILE: "auth-aws.json"
+            TOPOLOGY: "server"
+        - func: "add aws auth variables to file"
+        - func: "run aws auth test with web identity credentials"
+
     - name: "aws-ECS-auth-test"
       commands:
         - func: "bootstrap mongo-orchestration"
@@ -1893,6 +1970,7 @@ buildvariants:
     - name: "aws-auth-test-with-aws-credentials-as-environment-variables"
     - name: "aws-auth-test-with-aws-credentials-and-session-token-as-environment-variables"
     - name: "aws-auth-test-with-aws-EC2-credentials"
+    - name: "aws-auth-test-with-web-identity-credentials"
 
 - matrix_name: "aws-ecs-auth-test"
   matrix_spec: { ssl: "nossl", jdk: ["jdk8", "jdk17"], version: ["4.4", "5.0", "6.0", "latest"], os: "ubuntu" }
diff --git a/driver-core/build.gradle b/driver-core/build.gradle
@@ -51,7 +51,9 @@ dependencies {
     // Optionally depend on both AWS SDK v2 and v1.  The driver will use v2 is present, v1 if present, or built-in functionality if
     // neither are present
     implementation "software.amazon.awssdk:auth:$awsSdkV2Version", optional
+    implementation "software.amazon.awssdk:sts:$awsSdkV2Version", optional
     implementation "com.amazonaws:aws-java-sdk-core:$awsSdkV1Version", optional
+    implementation "com.amazonaws:aws-java-sdk-sts:$awsSdkV1Version", optional
 
     implementation "org.xerial.snappy:snappy-java:$snappyVersion", optional
     implementation "com.github.luben:zstd-jni:$zstdVersion", optional
