From 39cfd11e121194c89c85526f882164786a793852 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Sat, 15 Feb 2025 09:53:17 -0600 Subject: [PATCH 01/48] Clean up AWS and add output file --- .evergreen/auth_aws/aws_setup.sh | 101 +++--------------------------- .evergreen/auth_aws/aws_tester.py | 63 +++++++++++++++---- .gitignore | 1 + 3 files changed, 60 insertions(+), 105 deletions(-) diff --git a/.evergreen/auth_aws/aws_setup.sh b/.evergreen/auth_aws/aws_setup.sh index fd091bd1e..306ea06b1 100755 --- a/.evergreen/auth_aws/aws_setup.sh +++ b/.evergreen/auth_aws/aws_setup.sh 
@@ -6,108 +6,21 @@ # . ./aws_setup.sh # # Handles AWS credential setup and exports relevant environment variables. -# Assumes you have already set up secrets. +# Sets up secrets if they have not already been set up. set -eu SCRIPT_DIR=$(dirname ${BASH_SOURCE[0]}) . $SCRIPT_DIR/../handle-paths.sh pushd $SCRIPT_DIR -# Ensure that secrets have already been set up. -if [ ! -f "secrets-export.sh" ]; then - echo "ERROR: please run './setup-secrets.sh' in this folder" -fi - # Activate the venv and source the secrets file. . ./activate-authawsvenv.sh -source secrets-export.sh - -if [ "$1" == "web-identity" ]; then - export AWS_WEB_IDENTITY_TOKEN_FILE="./token_file.txt" -fi - -# Handle the test setup if not using env variables. -case $1 in - session-creds) - echo "Running aws_tester.py with assume-role" - # Set up credentials with assume-role to create user in MongoDB and write AWS credentials. - python aws_tester.py "assume-role" - ;; - env-creds) - echo "Running aws_tester.py with regular" - # Set up credentials with regular to create user in MongoDB and write AWS credentials. - python aws_tester.py "regular" - ;; - *) - python aws_tester.py "$1" - ;; -esac - -# If this is ecs, exit now. -if [ "$1" == "ecs" ]; then - exit 0 -fi - -# Convenience functions. -urlencode () { - python -c "import sys, urllib.parse as ulp; sys.stdout.write(ulp.quote_plus(sys.argv[1]))" "$1" -} - -jsonkey () { - python -c "import json,sys;sys.stdout.write(json.load(sys.stdin)[sys.argv[1]])" "$1" < ./creds.json -} -# Handle extra vars based on auth type. 
-USER="" -case $1 in - assume-role) - USER=$(jsonkey AccessKeyId) - USER=$(urlencode "$USER") - PASS=$(jsonkey SecretAccessKey) - PASS=$(urlencode "$PASS") - SESSION_TOKEN=$(jsonkey SessionToken) - SESSION_TOKEN=$(urlencode "$SESSION_TOKEN") - ;; - - session-creds) - AWS_ACCESS_KEY_ID=$(jsonkey AccessKeyId) - AWS_SECRET_ACCESS_KEY=$(jsonkey SecretAccessKey) - AWS_SESSION_TOKEN=$(jsonkey SessionToken) - - export AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY - export AWS_SESSION_TOKEN - ;; - - web-identity) - export AWS_ROLE_ARN=$IAM_AUTH_ASSUME_WEB_ROLE_NAME - export AWS_WEB_IDENTITY_TOKEN_FILE="$SCRIPT_DIR/$AWS_WEB_IDENTITY_TOKEN_FILE" - ;; - - regular) - USER=$(urlencode "${IAM_AUTH_ECS_ACCOUNT}") - PASS=$(urlencode "${IAM_AUTH_ECS_SECRET_ACCESS_KEY}") - ;; - - env-creds) - export AWS_ACCESS_KEY_ID=$IAM_AUTH_ECS_ACCOUNT - export AWS_SECRET_ACCESS_KEY=$IAM_AUTH_ECS_SECRET_ACCESS_KEY - ;; -esac - -# Handle the URI. -if [ -n "$USER" ]; then - MONGODB_URI="mongodb://$USER:$PASS@localhost" - export USER - export PASS -else - MONGODB_URI="mongodb://localhost" -fi -MONGODB_URI="${MONGODB_URI}/aws?authMechanism=MONGODB-AWS" -if [[ -n ${SESSION_TOKEN:-} ]]; then - MONGODB_URI="${MONGODB_URI}&authMechanismProperties=AWS_SESSION_TOKEN:${SESSION_TOKEN}" +# Ensure that secrets have already been set up. +if [ ! -f "./secrets-export.sh" ]; then + bash ./setup-secrets.sh fi +source .secrets-export.sh -export MONGODB_URI="$MONGODB_URI" - -popd +python aws_tester.py "$1" +source $SCRIPT_DIR/test-env.sh diff --git a/.evergreen/auth_aws/aws_tester.py b/.evergreen/auth_aws/aws_tester.py index 62e6b7dbe..9d7b95130 100755 --- a/.evergreen/auth_aws/aws_tester.py +++ b/.evergreen/auth_aws/aws_tester.py 
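Review bot: `source $SCRIPT_DIR/test-env.sh` on the last added line runs after `pushd $SCRIPT_DIR`, so unless handle-paths.sh makes SCRIPT_DIR absolute the relative directory is applied twice and the source fails; the hunk's own `bash ./setup-secrets.sh` and `python aws_tester.py "$1"` address the current directory, so `source ./test-env.sh` is the consistent form. The removed `web-identity` branch also rebased `AWS_WEB_IDENTITY_TOKEN_FILE` onto `$SCRIPT_DIR`, and whether the path aws_tester.py now writes into test-env.sh is absolute is not visible here, so a line such as `# test-env.sh is generated by aws_tester.py for the selected auth mode` above the source would tell the next reader where the exports come from. The removed early `exit 0` for `ecs` is gone as well, so test-env.sh is now sourced in that mode too; that looks harmless but is a behaviour change worth a word in the commit message.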
@@ -5,23 +5,27 @@ import argparse import json +import logging import os import subprocess import sys from functools import partial +from pathlib import Path from urllib.parse import quote_plus from pymongo import MongoClient from pymongo.errors import OperationFailure -HERE = os.path.abspath(os.path.dirname(__file__)) +HERE = Path(__file__).absolute().parent +LOGGER = logging.getLogger(__name__) +logging.basicConfig(level=logging.INFO, format="%(levelname)-8s %(message)s") def join(*parts): return os.path.join(*parts).replace(os.sep, "/") -sys.path.insert(0, join(HERE, "lib")) +sys.path.insert(0, HERE / "lib") from aws_assign_instance_profile import _assign_instance_policy from aws_assume_role import _assume_role from aws_assume_web_role import _assume_role_with_web_identity @@ -35,7 +39,7 @@ def join(*parts): _USE_AWS_SECRETS = False try: - with open(join(HERE, "aws_e2e_setup.json")) as fid: + with (HERE / "aws_e2e_setup.json").open() as fid: CONFIG = json.load(fid) get_key = partial(_get_key, uppercase=False) except FileNotFoundError: @@ -51,7 +55,7 @@ def run(args, env): def create_user(user, kwargs): """Create a user and verify access.""" - print("Creating user", user) + LOGGER.info("Creating user %s", user) client = MongoClient(username="bob", password="pwd123") db = client["$external"] try: @@ -76,7 +80,7 @@ def setup_assume_role(): role_name = CONFIG[get_key("iam_auth_assume_role_name")] creds = _assume_role(role_name, quiet=True) - with open(join(HERE, "creds.json"), "w") as fid: + with (HERE / "creds.json").open("w") as fid: json.dump(creds, fid) # Create the user. @@ -87,6 +91,7 @@ def setup_assume_role(): authmechanismproperties=f"AWS_SESSION_TOKEN:{token}", ) create_user(ASSUMED_ROLE, kwargs) + return dict(USER=kwargs["username"], PASS=kwargs["password"], SESSION_TOKEN=token) def setup_ec2(): 
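Review bot: The `return dict(USER=kwargs["username"], PASS=kwargs["password"], SESSION_TOKEN=token)` added at the end of setup_assume_role starts a contract with the caller (which keys a setup function may return, and that they end up in a shell file on disk) that nothing in the hunk documents; a docstring such as `"""Assume the configured role, create the MongoDB user, and return the USER/PASS/SESSION_TOKEN values the caller exports."""` would keep the other setup_* returns in step. In the first hunk `logging.basicConfig(...)` runs at import time next to `LOGGER = ...`, which configures the root logger for anything that imports this module, including the `lib` modules pulled in just below; moving that call into `main()` keeps the side effect with the entry point. setup_assume_role starts outside this hunk.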
@@ -95,6 +100,7 @@ def setup_ec2(): os.environ.pop("AWS_ACCESS_KEY_ID", None) os.environ.pop("AWS_SECRET_ACCESS_KEY", None) create_user(AWS_ACCOUNT_ARN, dict()) + return dict() def setup_ecs(): @@ -138,6 +144,8 @@ def setup_ecs(): # Run the test in a container subprocess.check_call(["/bin/sh", "-c", run_test_command], env=env) + return dict() + def setup_regular(): # Create the user. @@ -147,6 +155,8 @@ def setup_regular(): ) create_user(CONFIG[get_key("iam_auth_ecs_account_arn")], kwargs) + return dict(USER=kwargs["username"], PASS=kwargs["password"]) + def setup_web_identity(): # Unassign the instance profile. @@ -161,7 +171,7 @@ def setup_web_identity(): raise RuntimeError("Request limit exceeded for AWS API") if ret != 0: - print("ret was", ret) + LOGGER.debug("return code was %s", ret) raise RuntimeError( "Failed to unassign an instance profile from the current machine" ) @@ -186,10 +196,11 @@ def setup_web_identity(): # Assume the web role to get temp credentials. os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"] = token_file - os.environ["AWS_ROLE_ARN"] = CONFIG[get_key("iam_auth_assume_web_role_name")] + role_arn = CONFIG[get_key("iam_auth_assume_web_role_name")] + os.environ["AWS_ROLE_ARN"] = role_arn creds = _assume_role_with_web_identity(True) - with open(join(HERE, "creds.json"), "w") as fid: + with (HERE / "creds.json").open("w") as fid: json.dump(creds, fid) # Create the user. 
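Review bot: `LOGGER.debug("return code was %s", ret)` in the setup_web_identity hunk replaces a `print` that fired right before `raise RuntimeError(...)`, but this module configures logging at INFO, so the return code no longer appears anywhere when the unassign step fails. Carry it in the exception instead, e.g. `raise RuntimeError(f"Failed to unassign an instance profile from the current machine (rc={ret})")`, or log it at warning level. The `ret` assignment and the rest of setup_web_identity are outside the hunk.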
@@ -201,12 +212,36 @@ def setup_web_identity(): ) create_user(ASSUMED_WEB_ROLE, kwargs) + return dict(AWS_WEB_IDENTITY_TOKEN_FILE=token_file, AWS_ROLE_ARN=role_arn) + + +def handle_creds(creds: dict): + if "USER" in creds: + USER = creds.pop("USER") + PASS = creds.pop("PASS") + MONGODB_URI = f"mongodb://{USER}:{PASS}localhost" + else: + MONGODB_URI = "mongodb://localhost" + MONGODB_URI = f"{MONGODB_URI}/aws?authMechanism=MONGODB-AWS" + if "SESSION_TOKEN" in creds: + SESSION_TOKEN = creds.pop("SESSION_TOKEN") + MONGODB_URI = ( + f"{MONGODB_URI}&authMechanismProperties=AWS_SESSION_TOKEN:{SESSION_TOKEN}" + ) + with (HERE / "test-env.sh").open("w") as fid: + fid.write("#!/usr/bin/env bash\n\n") + fid.write("set +x\n") + for key, value in creds.items(): + fid.write(f"{key}={value}\n") + def main(): parser = argparse.ArgumentParser(description="MONGODB-AWS tester.") sub = parser.add_subparsers(title="Tester subcommands", help="sub-command help") - run_assume_role_cmd = sub.add_parser("assume-role", help="Assume role test") + run_assume_role_cmd = sub.add_parser( + "assume-role", aliases=["session-creds"], help="Assume role test" + ) run_assume_role_cmd.set_defaults(func=setup_assume_role) run_ec2_cmd = sub.add_parser("ec2", help="EC2 test") 
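Review bot: handle_creds writes `{key}={value}` into test-env.sh with no shell quoting, and the file is later sourced by bash, so any value containing whitespace, `$`, `&` or quotes is split or expanded rather than assigned. The same unquoted write is kept in the `export {key}={value}` hunk of PATCH 04 and in the `export MONGODB_URI={MONGODB_URI}` hunk of PATCH 11, where the URI built here contains `&` whenever a SESSION_TOKEN is present, which bash reads as a command separator when the file is sourced. Quote at the write site: `import shlex` at the top of the file and `fid.write(f"{key}={shlex.quote(str(value))}\n")`, and the same for the URI line. The function also pops entries out of the caller's dict and has no docstring; `"""Build MONGODB_URI from *creds*, remove USER/PASS/SESSION_TOKEN from it, and write the remaining keys to test-env.sh."""` records both. The `set +x` written into the file also switches tracing off in the shell that sources it for the rest of that shell's run, which deserves a comment if intended.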
@@ -215,14 +250,20 @@ def main(): run_ecs_cmd = sub.add_parser("ecs", help="ECS test") run_ecs_cmd.set_defaults(func=setup_ecs) - run_regular_cmd = sub.add_parser("regular", help="Regular credentials test") + run_regular_cmd = sub.add_parser( + "regular", aliases=["env-creds"], help="Regular credentials test" + ) run_regular_cmd.set_defaults(func=setup_regular) run_web_identity_cmd = sub.add_parser("web-identity", help="Web identity test") run_web_identity_cmd.set_defaults(func=setup_web_identity) args = parser.parse_args() - args.func() + func_name = args.func.__name__.replace("setup_", "") + LOGGER.info("Running aws_tester.py with %s...", func_name) + creds = args.func() + handle_creds(creds) + LOGGER.info("Running aws_tester.py with %s... done.", func_name) if __name__ == "__main__": diff --git a/.gitignore b/.gitignore index 8479ac011..82a4cc0dd 100644 --- a/.gitignore +++ b/.gitignore @@ -88,6 +88,7 @@ evergreen_config_generator/dist *-expansion.yml secrets-export.sh token_file.txt +test-env.sh # Virtual envs .venv From c94b0bdc3cc00ad9e5e79479932e2d2d81c782f4 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Sat, 15 Feb 2025 10:01:11 -0600 Subject: [PATCH 02/48] fix typo --- .evergreen/auth_aws/aws_setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/auth_aws/aws_setup.sh b/.evergreen/auth_aws/aws_setup.sh index 306ea06b1..5d9d2ea9b 100755 --- a/.evergreen/auth_aws/aws_setup.sh +++ b/.evergreen/auth_aws/aws_setup.sh @@ -20,7 +20,7 @@ pushd $SCRIPT_DIR if [ ! -f "./secrets-export.sh" ]; then bash ./setup-secrets.sh fi -source .secrets-export.sh +source ./secrets-export.sh python aws_tester.py "$1" source $SCRIPT_DIR/test-env.sh From 07078cccafeb4ce6370b3944064cb83016655f71 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Sat, 15 Feb 2025 10:09:28 -0600 Subject: [PATCH 03/48] fix path --- .evergreen/auth_aws/aws_tester.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.evergreen/auth_aws/aws_tester.py b/.evergreen/auth_aws/aws_tester.py index 9d7b95130..6a52bd91a 100755 --- a/.evergreen/auth_aws/aws_tester.py +++ b/.evergreen/auth_aws/aws_tester.py @@ -25,7 +25,7 @@ def join(*parts): return os.path.join(*parts).replace(os.sep, "/") -sys.path.insert(0, HERE / "lib") +sys.path.insert(0, str(HERE / "lib")) from aws_assign_instance_profile import _assign_instance_policy from aws_assume_role import _assume_role from aws_assume_web_role import _assume_role_with_web_identity From b6437d3a9ffd39fae1123606d54dfae21a00bfe9 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Sat, 15 Feb 2025 13:03:32 -0600 Subject: [PATCH 04/48] use export --- .evergreen/auth_aws/aws_tester.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/auth_aws/aws_tester.py b/.evergreen/auth_aws/aws_tester.py index 6a52bd91a..8e5214540 100755 --- a/.evergreen/auth_aws/aws_tester.py +++ b/.evergreen/auth_aws/aws_tester.py @@ -232,7 +232,7 @@ def handle_creds(creds: dict): fid.write("#!/usr/bin/env bash\n\n") fid.write("set +x\n") for key, value in creds.items(): - fid.write(f"{key}={value}\n") + fid.write(f"export {key}={value}\n") def main(): From 4851288bcbee04180c85a366c933bc2e608ab17f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Sat, 15 Feb 2025 21:20:16 -0600 Subject: [PATCH 05/48] fix newline on windows --- .evergreen/auth_aws/aws_tester.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/auth_aws/aws_tester.py b/.evergreen/auth_aws/aws_tester.py index 8e5214540..7e2b9fbe2 100755 --- a/.evergreen/auth_aws/aws_tester.py +++ b/.evergreen/auth_aws/aws_tester.py 
@@ -228,7 +228,7 @@ def handle_creds(creds: dict): MONGODB_URI = ( f"{MONGODB_URI}&authMechanismProperties=AWS_SESSION_TOKEN:{SESSION_TOKEN}" ) - with (HERE / "test-env.sh").open("w") as fid: + with (HERE / "test-env.sh").open("w", newline="\n") as fid: fid.write("#!/usr/bin/env bash\n\n") fid.write("set +x\n") for key, value in creds.items(): From a81621b98c06789fcad410b9893ae8a3631d8794 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 17 Feb 2025 14:39:40 -0600 Subject: [PATCH 06/48] add mongodb uri --- .evergreen/orchestration/drivers_orchestration.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.evergreen/orchestration/drivers_orchestration.py b/.evergreen/orchestration/drivers_orchestration.py index add9332c1..4ae8574c7 100644 --- a/.evergreen/orchestration/drivers_orchestration.py +++ b/.evergreen/orchestration/drivers_orchestration.py @@ -317,6 +317,8 @@ def run(opts): uri = resp.get("mongodb_auth_uri", resp["mongodb_uri"]) expansion_yaml.touch() expansion_yaml.write_text(expansion_yaml.read_text() + f'\nMONGODB_URI: "{uri}"') + expansion_sh.touch() + expansion_sh.write_text(expansion_sh.read_text() + f'\nMONGODB_URI="{uri}"') uri_txt.write_text(uri) LOGGER.info(f"Cluster URI: {uri}") From 3c18960f61a62779c8862a54a922f7917540a0e7 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 17 Feb 2025 14:40:09 -0600 Subject: [PATCH 07/48] try with new secret --- .evergreen/auth_oidc/azure_func/login.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/auth_oidc/azure_func/login.sh b/.evergreen/auth_oidc/azure_func/login.sh index 05a96a426..92f02b382 100755 --- a/.evergreen/auth_oidc/azure_func/login.sh +++ b/.evergreen/auth_oidc/azure_func/login.sh @@ -13,7 +13,7 @@ fi source ./secrets-export.sh export AZUREKMS_TENANTID=$AZUREOIDC_TENANTID -export AZUREKMS_SECRET=$AZUREOIDC_SECRET +export AZUREKMS_SECRET=$AZUREOIDC_SECRET2 export AZUREKMS_CLIENTID=$AZUREOIDC_APPID "$DRIVERS_TOOLS"/.evergreen/csfle/azurekms/login.sh 
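Review bot: `expansion_sh.write_text(expansion_sh.read_text() + f'\nMONGODB_URI="{uri}"')` in the drivers_orchestration.py hunk interpolates the URI inside a double-quoted shell word, so a password in `mongodb_auth_uri` containing `$`, a backtick, `"` or `\` is expanded or terminates the string when the file is sourced; with `import shlex`, `f"\nMONGODB_URI={shlex.quote(uri)}"` (no surrounding quotes) is safe for any value. `expansion_sh` is not defined in the hunk, so this assumes it is set up next to `expansion_yaml` earlier in run(). Since `mongodb_auth_uri`, when present, carries credentials, the new file is one more place they land alongside the `LOGGER.info(f"Cluster URI: {uri}")` context line; a one-line comment stating that the expansion file is consumed only by the harness would make that deliberate.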
From 024b746cf0cfda20bb55b464ce79de70444a5a3e Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 06:11:55 -0600 Subject: [PATCH 08/48] Use standard admin --- .evergreen/auth_aws/lib/ecs_hosted_test.js | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.js b/.evergreen/auth_aws/lib/ecs_hosted_test.js index 856a7fc76..2d24835b9 100644 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.js +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.js @@ -11,8 +11,13 @@ const AWS_ACCOUNT_ARN = "arn:aws:sts::557821124784:assumed-role/ecsTaskExecution const external = Mongo().getDB("$external"); const admin = Mongo().getDB("admin"); +// Add standard admin. +admin.runCommand({createUser: "bob", pwd: "pwd123", roles: ['root']}); + +// Add other admin for backwards compatibility. admin.runCommand({createUser: "admin", pwd: "pwd", roles: ['root']}); -admin.auth("admin", "pwd"); + +admin.auth("bob", "pwd123"); external.runCommand({createUser: AWS_ACCOUNT_ARN, roles:[{role: 'read', db: "aws"}]}); From 5e44b66095304e0c73d649bef9fbf9a522afcd04 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 06:24:45 -0600 Subject: [PATCH 09/48] popd --- .evergreen/auth_aws/aws_setup.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.evergreen/auth_aws/aws_setup.sh b/.evergreen/auth_aws/aws_setup.sh index 5d9d2ea9b..fc67a65d7 100755 --- a/.evergreen/auth_aws/aws_setup.sh +++ b/.evergreen/auth_aws/aws_setup.sh @@ -24,3 +24,5 @@ source ./secrets-export.sh python aws_tester.py "$1" source $SCRIPT_DIR/test-env.sh + +popd From 02b5ecfffd65dfa3aa8d617ac0165339e1e7bf2f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 06:46:00 -0600 Subject: [PATCH 10/48] debug --- .evergreen/auth_aws/aws_setup.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.evergreen/auth_aws/aws_setup.sh b/.evergreen/auth_aws/aws_setup.sh index fc67a65d7..b9ba4ac96 100755 
--- a/.evergreen/auth_aws/aws_setup.sh +++ b/.evergreen/auth_aws/aws_setup.sh @@ -24,5 +24,6 @@ source ./secrets-export.sh python aws_tester.py "$1" source $SCRIPT_DIR/test-env.sh - +cat $SCRIPT_DIR/test-env.sh +exit 1 popd From 439940c97304fd52fca8c8d18a65fc4924b1a4af Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 07:25:02 -0600 Subject: [PATCH 11/48] fix handling of mongodb_uri --- .evergreen/auth_aws/aws_tester.py | 1 + 1 file changed, 1 insertion(+) diff --git a/.evergreen/auth_aws/aws_tester.py b/.evergreen/auth_aws/aws_tester.py index 7e2b9fbe2..4de020c60 100755 --- a/.evergreen/auth_aws/aws_tester.py +++ b/.evergreen/auth_aws/aws_tester.py @@ -233,6 +233,7 @@ def handle_creds(creds: dict): fid.write("set +x\n") for key, value in creds.items(): fid.write(f"export {key}={value}\n") + fid.write(f"export MONGODB_URI={MONGODB_URI}\n") def main(): From 652fc2c402f16b2723384dfc58d7be8fd40a38e6 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 07:43:34 -0600 Subject: [PATCH 12/48] remove debug --- .evergreen/auth_aws/aws_setup.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.evergreen/auth_aws/aws_setup.sh b/.evergreen/auth_aws/aws_setup.sh index b9ba4ac96..fc67a65d7 100755 --- a/.evergreen/auth_aws/aws_setup.sh +++ b/.evergreen/auth_aws/aws_setup.sh @@ -24,6 +24,5 @@ source ./secrets-export.sh python aws_tester.py "$1" source $SCRIPT_DIR/test-env.sh -cat $SCRIPT_DIR/test-env.sh -exit 1 + popd From b2a1d84486ab09b5b80b91a203fbc9dc5d2e5b12 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 09:41:23 -0600 Subject: [PATCH 13/48] handle quoting --- .evergreen/auth_aws/aws_tester.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.evergreen/auth_aws/aws_tester.py b/.evergreen/auth_aws/aws_tester.py index 4de020c60..402962c27 100755 --- a/.evergreen/auth_aws/aws_tester.py +++ b/.evergreen/auth_aws/aws_tester.py 
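Review bot: `cat $SCRIPT_DIR/test-env.sh` in the PATCH 10 hunk prints the generated file straight into the task log, and from the PATCH 11 hunk onward that file carries the credentialed MONGODB_URI (user, password and session token), so every run between PATCH 11 and the removal in PATCH 12 put those values into a retained log. The revert takes the lines out of the script but not the values out of the log, so the credentials from those runs should be treated as exposed until they expire. For this kind of debugging print only the variable names, e.g. `cut -d= -f1 $SCRIPT_DIR/test-env.sh`, or check presence with `test -f`. The `exit 1` placed before `popd` also leaves the caller's directory stack unbalanced, which is acceptable for a throwaway debug commit but not for anything that stays.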
@@ -217,14 +217,14 @@ def setup_web_identity(): def handle_creds(creds: dict): if "USER" in creds: - USER = creds.pop("USER") - PASS = creds.pop("PASS") + USER = quote_plus(creds.pop("USER")) + PASS = quote_plus(creds.pop("PASS")) MONGODB_URI = f"mongodb://{USER}:{PASS}localhost" else: MONGODB_URI = "mongodb://localhost" MONGODB_URI = f"{MONGODB_URI}/aws?authMechanism=MONGODB-AWS" if "SESSION_TOKEN" in creds: - SESSION_TOKEN = creds.pop("SESSION_TOKEN") + SESSION_TOKEN = quote_plus(creds.pop("SESSION_TOKEN")) MONGODB_URI = ( f"{MONGODB_URI}&authMechanismProperties=AWS_SESSION_TOKEN:{SESSION_TOKEN}" ) From 348ddabebe34cf0563310caa1a6444f1925bcd88 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 09:47:22 -0600 Subject: [PATCH 14/48] fix missing char --- .evergreen/auth_aws/aws_tester.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/auth_aws/aws_tester.py b/.evergreen/auth_aws/aws_tester.py index 402962c27..8ee339955 100755 --- a/.evergreen/auth_aws/aws_tester.py +++ b/.evergreen/auth_aws/aws_tester.py @@ -219,7 +219,7 @@ def handle_creds(creds: dict): if "USER" in creds: USER = quote_plus(creds.pop("USER")) PASS = quote_plus(creds.pop("PASS")) - MONGODB_URI = f"mongodb://{USER}:{PASS}localhost" + MONGODB_URI = f"mongodb://{USER}:{PASS}@localhost" else: MONGODB_URI = "mongodb://localhost" MONGODB_URI = f"{MONGODB_URI}/aws?authMechanism=MONGODB-AWS" From 0a478183adb25a9f535648194c12648b3da8ee1b Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 10:12:53 -0600 Subject: [PATCH 15/48] use new user --- .evergreen/auth_aws/lib/ecs_hosted_test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.js b/.evergreen/auth_aws/lib/ecs_hosted_test.js index 2d24835b9..178366c54 100644 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.js +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.js 
@@ -6,7 +6,7 @@ "use strict"; // This varies based on hosting ECS task as the account id and role name can vary -const AWS_ACCOUNT_ARN = "arn:aws:sts::557821124784:assumed-role/ecsTaskExecutionRole/*"; +const AWS_ACCOUNT_ARN = "arn:aws:iam::557821124784:user/authtest_fargate_user"; const external = Mongo().getDB("$external"); const admin = Mongo().getDB("admin"); From 45b2b773992789daf66cf69e8524269cec99032f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 10:45:46 -0600 Subject: [PATCH 16/48] add debug --- .evergreen/auth_aws/lib/ecs_hosted_test.js | 1 + 1 file changed, 1 insertion(+) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.js b/.evergreen/auth_aws/lib/ecs_hosted_test.js index 178366c54..6aa6b0b73 100644 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.js +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.js @@ -19,6 +19,7 @@ admin.runCommand({createUser: "admin", pwd: "pwd", roles: ['root']}); admin.auth("bob", "pwd123"); +console.log("Adding user:", AWS_ACCOUNT_ARN) external.runCommand({createUser: AWS_ACCOUNT_ARN, roles:[{role: 'read', db: "aws"}]}); // Try the auth function From b142f39987c1ca61d647e4962c2109eddfebda1d Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 10:58:42 -0600 Subject: [PATCH 17/48] revert change --- .evergreen/auth_aws/lib/ecs_hosted_test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.js b/.evergreen/auth_aws/lib/ecs_hosted_test.js index 6aa6b0b73..c9bda3a5d 100644 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.js +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.js @@ -6,7 +6,7 @@ "use strict"; // This varies based on hosting ECS task as the account id and role name can vary -const AWS_ACCOUNT_ARN = "arn:aws:iam::557821124784:user/authtest_fargate_user"; +const AWS_ACCOUNT_ARN = "arn:aws:sts::557821124784:assumed-role/ecsTaskExecutionRole/*"; const external = Mongo().getDB("$external"); const admin = Mongo().getDB("admin"); 
From 9ace3bd8ba6a3c39a36065c2028a92afbe43e8e7 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 12:34:14 -0600 Subject: [PATCH 18/48] add both users --- .evergreen/auth_aws/lib/ecs_hosted_test.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.js b/.evergreen/auth_aws/lib/ecs_hosted_test.js index c9bda3a5d..c827e6863 100644 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.js +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.js @@ -7,6 +7,7 @@ // This varies based on hosting ECS task as the account id and role name can vary const AWS_ACCOUNT_ARN = "arn:aws:sts::557821124784:assumed-role/ecsTaskExecutionRole/*"; +const AWS_ACCOUNT_ARN2 = "arn:aws:iam::557821124784:user/authtest_fargate_user"; const external = Mongo().getDB("$external"); const admin = Mongo().getDB("admin"); @@ -21,6 +22,8 @@ admin.auth("bob", "pwd123"); console.log("Adding user:", AWS_ACCOUNT_ARN) external.runCommand({createUser: AWS_ACCOUNT_ARN, roles:[{role: 'read', db: "aws"}]}); +console.log("Adding user:", AWS_ACCOUNT_ARN2) +external.runCommand({createUser: AWS_ACCOUNT_ARN2, roles:[{role: 'read', db: "aws"}]}); // Try the auth function const testConn = new Mongo(); From 7e6a9967232b68dcae8b6650e5a7d04632e09798 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 18 Feb 2025 12:45:20 -0600 Subject: [PATCH 19/48] do not add bob user --- .evergreen/auth_aws/lib/ecs_hosted_test.js | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.js b/.evergreen/auth_aws/lib/ecs_hosted_test.js index c827e6863..e24d4958f 100644 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.js +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.js 
@@ -12,14 +12,8 @@ const AWS_ACCOUNT_ARN2 = "arn:aws:iam::557821124784:user/authtest_fargate_user"; const external = Mongo().getDB("$external"); const admin = Mongo().getDB("admin"); -// Add standard admin. -admin.runCommand({createUser: "bob", pwd: "pwd123", roles: ['root']}); - -// Add other admin for backwards compatibility. admin.runCommand({createUser: "admin", pwd: "pwd", roles: ['root']}); -admin.auth("bob", "pwd123"); - console.log("Adding user:", AWS_ACCOUNT_ARN) external.runCommand({createUser: AWS_ACCOUNT_ARN, roles:[{role: 'read', db: "aws"}]}); console.log("Adding user:", AWS_ACCOUNT_ARN2) From 2b4df1a92e2ae45f08c4fa95047000b121f9fe40 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 08:38:47 -0600 Subject: [PATCH 20/48] cleanup --- .evergreen/auth_aws/lib/ecs_hosted_test.js | 6 +++--- .evergreen/auth_aws/lib/ecs_hosted_test.sh | 14 +++++++++----- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.js b/.evergreen/auth_aws/lib/ecs_hosted_test.js index e24d4958f..520db7fb8 100644 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.js +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.js @@ -20,7 +20,7 @@ console.log("Adding user:", AWS_ACCOUNT_ARN2) external.runCommand({createUser: AWS_ACCOUNT_ARN2, roles:[{role: 'read', db: "aws"}]}); // Try the auth function -const testConn = new Mongo(); -const testExternal = testConn.getDB('$external'); -assert(testExternal.auth({mechanism: 'MONGODB-AWS'})); +// const testConn = new Mongo(); +// const testExternal = testConn.getDB('$external'); +// assert(testExternal.auth({mechanism: 'MONGODB-AWS'})); }()); diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh index dfe681846..925145512 100755 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh 
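Review bot: With `admin.auth("bob", "pwd123")` removed here, and PATCH 08 having already replaced the original `admin.auth("admin", "pwd")`, ecs_hosted_test.js now runs `createUser` on `$external` without authenticating at all; that only works because the hosting mongod is started without `--auth` (the ecs_hosted_test.sh context in PATCH 20 shows the plain `mongod --fork --logpath server.log ...` start), which this hunk itself cannot show. If that is the intent, say so next to the remaining createUser, e.g. `// Server runs without --auth during setup; no admin.auth() needed.`; otherwise restore `admin.auth("admin", "pwd");` after the admin createUser. The `console.log("Adding user:", ...)` context lines lack the trailing semicolons the rest of the file uses.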
@@ -1,20 +1,24 @@ #!/usr/bin/env bash # A shell script to run in an ECS hosted task -set -e +set -eu echo "Running ECS hosted test..." # The environment variable is always set during interactive logins # But for non-interactive logs, ~/.bashrc does not appear to be read on Ubuntu but it works on Fedora -[[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)" +[[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)" env mkdir -p /data/db || true - -/root/mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256" +mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256" sleep 1 -/root/mongosh --verbose ecs_hosted_test.js +mongosh --verbose ecs_hosted_test.js + +# Restart the server with auth enabled. +mongosh --eval "db.adminCommand( { shutdown: 1 } )" || true +mongod --fork --auth --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256" + bash /root/src/.evergreen/run-mongodb-aws-ecs-test.sh "mongodb://localhost/aws?authMechanism=MONGODB-AWS" echo "Running ECS hosted test... done." From a26fb94bf5e9ec5730e7cd248726be1fc674b133 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 09:27:24 -0600 Subject: [PATCH 21/48] fix usage --- .evergreen/auth_aws/lib/ecs_hosted_test.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh index 925145512..927ee4c3b 100755 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh 
@@ -11,13 +11,13 @@ echo "Running ECS hosted test..." env mkdir -p /data/db || true -mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256" +/root/mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256" sleep 1 -mongosh --verbose ecs_hosted_test.js +/root/mongosh --verbose ecs_hosted_test.js # Restart the server with auth enabled. -mongosh --eval "db.adminCommand( { shutdown: 1 } )" || true -mongod --fork --auth --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256" +/root/mongosh --eval "db.adminCommand( { shutdown: 1 } )" || true +/root/mongod --fork --auth --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256" bash /root/src/.evergreen/run-mongodb-aws-ecs-test.sh "mongodb://localhost/aws?authMechanism=MONGODB-AWS" From 3fc080141b61c95e3289e1ecd5d01197b8a984d7 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 09:46:08 -0600 Subject: [PATCH 22/48] revert change --- .evergreen/auth_aws/lib/ecs_hosted_test.js | 6 +++--- .evergreen/auth_aws/lib/ecs_hosted_test.sh | 4 ---- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.js b/.evergreen/auth_aws/lib/ecs_hosted_test.js index 520db7fb8..e24d4958f 100644 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.js +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.js @@ -20,7 +20,7 @@ console.log("Adding user:", AWS_ACCOUNT_ARN2) external.runCommand({createUser: AWS_ACCOUNT_ARN2, roles:[{role: 'read', db: "aws"}]}); // Try the auth function -// const testConn = new Mongo(); -// const testExternal = testConn.getDB('$external'); -// assert(testExternal.auth({mechanism: 'MONGODB-AWS'})); +const testConn = new Mongo(); +const testExternal = testConn.getDB('$external'); +assert(testExternal.auth({mechanism: 'MONGODB-AWS'})); }()); 
diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh index 927ee4c3b..40363022f 100755 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh @@ -15,10 +15,6 @@ mkdir -p /data/db || true sleep 1 /root/mongosh --verbose ecs_hosted_test.js -# Restart the server with auth enabled. -/root/mongosh --eval "db.adminCommand( { shutdown: 1 } )" || true -/root/mongod --fork --auth --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256" - bash /root/src/.evergreen/run-mongodb-aws-ecs-test.sh "mongodb://localhost/aws?authMechanism=MONGODB-AWS" echo "Running ECS hosted test... done." From f19589abf8b4e33d95bf8dca314626fa92385ce9 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 10:41:26 -0600 Subject: [PATCH 23/48] do not load second user --- .evergreen/auth_aws/lib/ecs_hosted_test.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.js b/.evergreen/auth_aws/lib/ecs_hosted_test.js index e24d4958f..bdc490953 100644 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.js +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.js @@ -16,8 +16,8 @@ admin.runCommand({createUser: "admin", pwd: "pwd", roles: ['root']}); console.log("Adding user:", AWS_ACCOUNT_ARN) external.runCommand({createUser: AWS_ACCOUNT_ARN, roles:[{role: 'read', db: "aws"}]}); -console.log("Adding user:", AWS_ACCOUNT_ARN2) -external.runCommand({createUser: AWS_ACCOUNT_ARN2, roles:[{role: 'read', db: "aws"}]}); +// console.log("Adding user:", AWS_ACCOUNT_ARN2) +// external.runCommand({createUser: AWS_ACCOUNT_ARN2, roles:[{role: 'read', db: "aws"}]}); // Try the auth function const testConn = new Mongo(); From 01f24d4eac0267632f23e48501b86640d80398c9 Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Wed, 19 Feb 2025 11:09:19 -0600 Subject: [PATCH 24/48] debug --- .evergreen/auth_aws/lib/ecs_hosted_test.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh index 40363022f..77469e3f4 100755 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh @@ -8,6 +8,7 @@ echo "Running ECS hosted test..." # But for non-interactive logs, ~/.bashrc does not appear to be read on Ubuntu but it works on Fedora [[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)" +curl http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI/creds env mkdir -p /data/db || true From 635489c94797e0354dba63ee108666e34b294201 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 13:00:41 -0600 Subject: [PATCH 25/48] debug --- .evergreen/auth_aws/lib/ecs_hosted_test.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh index 77469e3f4..b1af0bad8 100755 --- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh +++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh @@ -10,6 +10,7 @@ echo "Running ECS hosted test..." curl http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI/creds env +aws sts get-caller-identity mkdir -p /data/db || true /root/mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256" From 396e976839f1183351540ebf7692a576fe3eb918 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 19 Feb 2025 13:01:35 -0600 Subject: [PATCH 26/48] debug --- .evergreen/auth_aws/lib/ecs_hosted_test.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh index b1af0bad8..c48038e07 100755 
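Review bot: `curl http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI/creds` in the PATCH 24 hunk writes the response body to stdout, and the body of the ECS credential endpoint is the task's temporary access key, secret key and session token, so this line puts them into the CI log; the same happens in PATCH 27, which keeps the curl, and in PATCH 28, which saves the body to `foo.txt` and `cat`s it. Even after the debug lines are reverted the log keeps the values, so those credentials should be treated as exposed for their remaining lifetime. `aws sts get-caller-identity`, added in PATCH 25, answers the "which identity am I" question without printing secrets; if reachability is in doubt, `curl -sS -o /dev/null -w '%{http_code}\n' "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"` shows only the status. The `/creds` suffix here and the extra `/` in PATCH 27's `169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` look like they do not match the endpoint path (the relative URI normally already begins with `/`), which would explain the successive attempts.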
--- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh
+++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
@@ -11,7 +11,7 @@ echo "Running ECS hosted test..."
 curl http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI/creds
 env
 aws sts get-caller-identity
-
+exit 1
 mkdir -p /data/db || true
 /root/mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256"
 sleep 1
From 8f4a7e315681b82e0253bdca5ae40917a52edda6 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 19 Feb 2025 14:09:17 -0600
Subject: [PATCH 27/48] debug
---
 .evergreen/auth_aws/lib/ecs_hosted_test.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
index c48038e07..1e3ffd786 100755
--- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh
+++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
@@ -8,7 +8,11 @@ echo "Running ECS hosted test..."
 # But for non-interactive logs, ~/.bashrc does not appear to be read on Ubuntu but it works on Fedora
 [[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)"
-curl http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI/creds
+curl http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30"`
+ROLE_NAME=`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ -H "X-aws-ec2-metadata-token: $TOKEN"`
+echo "Hello, $ROLE_NAME"
+
 env
 aws sts get-caller-identity
 exit 1
From f2eaf2d82c607c371a30dba343fca79ec24ef5d1 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 19 Feb 2025 14:52:03 -0600
Subject: [PATCH 28/48] debug
---
 .evergreen/auth_aws/lib/ecs_hosted_test.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
index 1e3ffd786..a66696feb 100755
--- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh
+++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
@@ -8,10 +8,10 @@ echo "Running ECS hosted test..."
 # But for non-interactive logs, ~/.bashrc does not appear to be read on Ubuntu but it works on Fedora
 [[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)"
-curl http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
-TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30"`
-ROLE_NAME=`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ -H "X-aws-ec2-metadata-token: $TOKEN"`
-echo "Hello, $ROLE_NAME"
+curl -o foo.txt http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+cat foo.txt
+exit 1
+
 env
 aws sts get-caller-identity
From cbb86b189ad390a9c2521bd3f9f89ad80d0ba1f6 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 19 Feb 2025 15:34:03 -0600
Subject: [PATCH 29/48] debug
---
 .evergreen/auth_aws/lib/ecs_hosted_test.sh | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
index a66696feb..7ebfc339e 100755
--- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh
+++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
@@ -8,13 +8,9 @@ echo "Running ECS hosted test..."
 # But for non-interactive logs, ~/.bashrc does not appear to be read on Ubuntu but it works on Fedora
 [[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)"
-curl -o foo.txt http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
-cat foo.txt
-exit 1
-
-
+curl --verbose http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+echo "hello"
 env
-aws sts get-caller-identity
 exit 1
 mkdir -p /data/db || true
 /root/mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256"
From d4a061869f798354babffee5b373efee7d20182b Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 19 Feb 2025 15:46:34 -0600
Subject: [PATCH 30/48] debug
---
 .evergreen/auth_aws/lib/ecs_hosted_test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
index 7ebfc339e..74a23fddb 100755
--- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh
+++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
@@ -8,7 +8,7 @@ echo "Running ECS hosted test..."
 # But for non-interactive logs, ~/.bashrc does not appear to be read on Ubuntu but it works on Fedora
 [[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)"
-curl --verbose http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+curl -L --verbose http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
 echo "hello"
 env
 exit 1
From 5c74dc9f030c096bbc638061a54428868eef8b44 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 19 Feb 2025 15:58:19 -0600
Subject: [PATCH 31/48] debug
---
 .evergreen/auth_aws/lib/ecs_hosted_test.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
index 74a23fddb..ec0622464 100755
--- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh
+++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # A shell script to run in an ECS hosted task
-set -eu
+set -eux
 echo "Running ECS hosted test..."
@@ -11,6 +11,7 @@ echo "Running ECS hosted test..."
 curl -L --verbose http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
 echo "hello"
 env
+cat ~/.aws/credentials
 exit 1
 mkdir -p /data/db || true
 /root/mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256"
From 0c41af1bb54f578ef85fa479aeeff3fb31f99ce7 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 19 Feb 2025 19:11:14 -0600
Subject: [PATCH 32/48] debug
---
 .evergreen/auth_aws/lib/ecs_hosted_test.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
index ec0622464..018d119f7 100755
--- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh
+++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
@@ -9,9 +9,10 @@ echo "Running ECS hosted test..."
 [[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)"
 curl -L --verbose http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
-echo "hello"
+TOKEN=`curl -L -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30"`
+ROLE_NAME=`curl -L http://169.254.169.254/latest/meta-data/iam/security-credentials/ -H "X-aws-ec2-metadata-token: $TOKEN"`
+echo "ROLE_NAME=$ROLE_NAME"
 env
-cat ~/.aws/credentials
 exit 1
 mkdir -p /data/db || true
 /root/mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256"
From 77a245bf80dba1cc3f9d56cc585f1c2c8717121a Mon Sep 17 00:00:00 2001
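Review bot: `set -eux` turns on xtrace for the rest of the script, so every command is echoed after expansion: the `[[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]]` test now prints the expanded credential URI, and once PATCH 32 adds `-H "X-aws-ec2-metadata-token: $TOKEN"` the IMDSv2 token is echoed as well. PATCH 43 repeats this in teardown.sh, where `set -x` is placed directly before `source secrets-export.sh`, so each assignment in that file (presumably `export NAME=value` lines) is traced into the log with its value. If tracing is needed, bracket only the non-sensitive commands — `set +x` immediately before the lines that expand secrets and `set -x` after — or leave `-x` off and print the specific non-secret values you actually want to see.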
From: Steven Silvester
Date: Wed, 19 Feb 2025 19:27:35 -0600
Subject: [PATCH 33/48] undo debug
---
 .evergreen/auth_aws/lib/ecs_hosted_test.sh | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
index 018d119f7..32544d3fb 100755
--- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh
+++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
@@ -8,12 +8,7 @@ echo "Running ECS hosted test..."
 # But for non-interactive logs, ~/.bashrc does not appear to be read on Ubuntu but it works on Fedora
 [[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)"
-curl -L --verbose http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
-TOKEN=`curl -L -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30"`
-ROLE_NAME=`curl -L http://169.254.169.254/latest/meta-data/iam/security-credentials/ -H "X-aws-ec2-metadata-token: $TOKEN"`
-echo "ROLE_NAME=$ROLE_NAME"
 env
-exit 1
 mkdir -p /data/db || true
 /root/mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256"
 sleep 1
From f3d7ee3a5244cdada242b50c751fb27fd9b04378 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 19 Feb 2025 21:29:12 -0600
Subject: [PATCH 34/48] undo unrelated changes
---
 .evergreen/auth_aws/lib/ecs_hosted_test.js | 5 +----
 .evergreen/auth_aws/lib/ecs_hosted_test.sh | 7 ++++---
 .evergreen/auth_oidc/azure_func/login.sh | 2 +-
 3 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.js b/.evergreen/auth_aws/lib/ecs_hosted_test.js
index bdc490953..856a7fc76 100644
--- a/.evergreen/auth_aws/lib/ecs_hosted_test.js
+++ b/.evergreen/auth_aws/lib/ecs_hosted_test.js
@@ -7,17 +7,14 @@
 // This varies based on hosting ECS task as the account id and role name can vary
 const AWS_ACCOUNT_ARN = "arn:aws:sts::557821124784:assumed-role/ecsTaskExecutionRole/*";
-const AWS_ACCOUNT_ARN2 = "arn:aws:iam::557821124784:user/authtest_fargate_user";
 const external = Mongo().getDB("$external");
 const admin = Mongo().getDB("admin");
 admin.runCommand({createUser: "admin", pwd: "pwd", roles: ['root']});
+admin.auth("admin", "pwd");
-console.log("Adding user:", AWS_ACCOUNT_ARN)
 external.runCommand({createUser: AWS_ACCOUNT_ARN, roles:[{role: 'read', db: "aws"}]});
-// console.log("Adding user:", AWS_ACCOUNT_ARN2)
-// external.runCommand({createUser: AWS_ACCOUNT_ARN2, roles:[{role: 'read', db: "aws"}]});
 // Try the auth function
 const testConn = new Mongo();
diff --git a/.evergreen/auth_aws/lib/ecs_hosted_test.sh b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
index 32544d3fb..dfe681846 100755
--- a/.evergreen/auth_aws/lib/ecs_hosted_test.sh
+++ b/.evergreen/auth_aws/lib/ecs_hosted_test.sh
@@ -1,19 +1,20 @@
 #!/usr/bin/env bash
 # A shell script to run in an ECS hosted task
-set -eux
+set -e
 echo "Running ECS hosted test..."
 # The environment variable is always set during interactive logins
 # But for non-interactive logs, ~/.bashrc does not appear to be read on Ubuntu but it works on Fedora
-[[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)"
+[[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}" ]] && export "$(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)"
 env
+
 mkdir -p /data/db || true
+
 /root/mongod --fork --logpath server.log --setParameter authenticationMechanisms="MONGODB-AWS,SCRAM-SHA-256"
 sleep 1
 /root/mongosh --verbose ecs_hosted_test.js
-
 bash /root/src/.evergreen/run-mongodb-aws-ecs-test.sh "mongodb://localhost/aws?authMechanism=MONGODB-AWS"
 echo "Running ECS hosted test... done."
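Review bot: The two `runCommand({createUser: ...})` calls discard their result documents, and `runCommand` reports failure through `ok: 0` rather than by throwing, so a refused `createUser` (for instance if the role ARN is rejected) goes unnoticed until the driver test fails later with an opaque MONGODB-AWS error. Each call should be checked, e.g. `const res = external.runCommand({createUser: AWS_ACCOUNT_ARN, roles:[{role: 'read', db: "aws"}]}); if (!res.ok) throw new Error(JSON.stringify(res));`, and the same treatment suits the `admin` user creation above the new `admin.auth` line. The `console.log("Adding user:", AWS_ACCOUNT_ARN)` line this hunk deletes was the only trace in the log of which ARN was provisioned; keeping it makes a mismatch between the task's role and the configured ARN diagnosable from the log alone.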
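Review bot: The `:-` default was dropped from `${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}` in the same change that removed `-u`, which couples the two; `[[ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]]` behaves identically under `set -e` and still works if `-u` ever comes back, so it is the safer spelling to keep. Separately, the `env` line that follows (pre-existing context) prints the entire task environment, including that credential URI, into the log; if it is still wanted for debugging, filter it, e.g. `env | grep -v AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`.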
diff --git a/.evergreen/auth_oidc/azure_func/login.sh b/.evergreen/auth_oidc/azure_func/login.sh
index 92f02b382..05a96a426 100755
--- a/.evergreen/auth_oidc/azure_func/login.sh
+++ b/.evergreen/auth_oidc/azure_func/login.sh
@@ -13,7 +13,7 @@ fi
 source ./secrets-export.sh
 export AZUREKMS_TENANTID=$AZUREOIDC_TENANTID
-export AZUREKMS_SECRET=$AZUREOIDC_SECRET2
+export AZUREKMS_SECRET=$AZUREOIDC_SECRET
 export AZUREKMS_CLIENTID=$AZUREOIDC_APPID
 "$DRIVERS_TOOLS"/.evergreen/csfle/azurekms/login.sh
From b33d28cac91734edb90fb6ffa48fa709675802e5 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 26 Feb 2025 06:40:03 -0600
Subject: [PATCH 35/48] remove test.env
---
 .evergreen/auth_aws/aws_setup.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.evergreen/auth_aws/aws_setup.sh b/.evergreen/auth_aws/aws_setup.sh
index fc67a65d7..f2f14f9dc 100755
--- a/.evergreen/auth_aws/aws_setup.sh
+++ b/.evergreen/auth_aws/aws_setup.sh
@@ -22,6 +22,10 @@ if [ ! -f "./secrets-export.sh" ]; then
 fi
 source ./secrets-export.sh
+if [ -f $SCRIPT_DIR/test-env.sh ]; then
+  rm $SCRIPT_DIR/test-env.sh
+fi
+
 python aws_tester.py "$1"
 source $SCRIPT_DIR/test-env.sh
From c9049e3464906448ebd24256e9fae5f57a0ed14f Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 26 Feb 2025 07:22:38 -0600
Subject: [PATCH 36/48] clean up env vars
---
 .evergreen/auth_aws/aws_setup.sh | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.evergreen/auth_aws/aws_setup.sh b/.evergreen/auth_aws/aws_setup.sh
index f2f14f9dc..9fcde9265 100755
--- a/.evergreen/auth_aws/aws_setup.sh
+++ b/.evergreen/auth_aws/aws_setup.sh
@@ -20,6 +20,12 @@ pushd $SCRIPT_DIR
 if [ ! -f "./secrets-export.sh" ]; then
   bash ./setup-secrets.sh
 fi
+
+# Remove any AWS creds that might be set in the parent env.
+unset AWS_ACCESS_KEY_ID
+unset AWS_SECRET_ACCESS_KEY
+unset AWS_SESSION_TOKEN
+
 source ./secrets-export.sh
 if [ -f $SCRIPT_DIR/test-env.sh ]; then
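Review bot: The three-line guard in the aws_setup.sh hunk collapses to `rm -f "$SCRIPT_DIR/test-env.sh"`, and the expansion should be quoted there and on the `source $SCRIPT_DIR/test-env.sh` line below it, since an unquoted `$SCRIPT_DIR` is word-split on spaces. If test-env.sh holds the values `setup_assume_role` returns (PATCH 38 shows `USER`, `PASS` and `SESSION_TOKEN`), it is a credential file on disk: removing a stale copy before the run is the right call, and the same removal belongs in teardown.sh so the last run's credentials do not linger on the host after the job.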
From: Steven Silvester
Date: Thu, 27 Feb 2025 05:28:34 -0600
Subject: [PATCH 37/48] undo env removal
---
 .evergreen/auth_aws/aws_setup.sh | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.evergreen/auth_aws/aws_setup.sh b/.evergreen/auth_aws/aws_setup.sh
index 9fcde9265..9eaad2296 100755
--- a/.evergreen/auth_aws/aws_setup.sh
+++ b/.evergreen/auth_aws/aws_setup.sh
@@ -21,11 +21,6 @@ if [ ! -f "./secrets-export.sh" ]; then
   bash ./setup-secrets.sh
 fi
-# Remove any AWS creds that might be set in the parent env.
-unset AWS_ACCESS_KEY_ID
-unset AWS_SECRET_ACCESS_KEY
-unset AWS_SESSION_TOKEN
-
 source ./secrets-export.sh
 if [ -f $SCRIPT_DIR/test-env.sh ]; then
From 47233a03b1ba902241df3a195b6167b75a276015 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 27 Feb 2025 07:09:31 -0600
Subject: [PATCH 38/48] avoid double quoting
---
 .evergreen/auth_aws/aws_tester.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.evergreen/auth_aws/aws_tester.py b/.evergreen/auth_aws/aws_tester.py
index 8ee339955..55af2a93e 100755
--- a/.evergreen/auth_aws/aws_tester.py
+++ b/.evergreen/auth_aws/aws_tester.py
@@ -91,7 +91,11 @@ def setup_assume_role():
         authmechanismproperties=f"AWS_SESSION_TOKEN:{token}",
     )
     create_user(ASSUMED_ROLE, kwargs)
-    return dict(USER=kwargs["username"], PASS=kwargs["password"], SESSION_TOKEN=token)
+    return dict(
+        USER=kwargs["username"],
+        PASS=kwargs["password"],
+        SESSION_TOKEN=creds["SessionToken"],
+    )
 def setup_ec2():
From 4bb2f40e0edf006b12d6e73d131aa7dbb6d98c6e Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 27 Feb 2025 07:15:34 -0600
Subject: [PATCH 39/48] remove creds
---
 .evergreen/auth_aws/aws_setup.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.evergreen/auth_aws/aws_setup.sh b/.evergreen/auth_aws/aws_setup.sh
index 9eaad2296..9fcde9265 100755
--- a/.evergreen/auth_aws/aws_setup.sh
+++ b/.evergreen/auth_aws/aws_setup.sh
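Review bot: The aws_tester.py hunk now returns the raw `creds["SessionToken"]` while the `authmechanismproperties` string two lines above still uses `token`, which is built outside the hunk (`setup_assume_role` starts before it); a one-line comment on the return would stop the next reader from "unifying" the two, e.g. `# SESSION_TOKEN is exported unmodified; token is the escaped form used in the connection string` (assuming `token` is the escaped form, as the commit title suggests). The returned dict carries live credentials (`PASS`, `SESSION_TOKEN`), so the function's docstring should also state that the result is written out for the shell and must never be logged.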
@@ -21,6 +21,11 @@ if [ ! -f "./secrets-export.sh" ]; then
   bash ./setup-secrets.sh
 fi
+# Remove any AWS creds that might be set in the parent env.
+unset AWS_ACCESS_KEY_ID
+unset AWS_SECRET_ACCESS_KEY
+unset AWS_SESSION_TOKEN
+
 source ./secrets-export.sh
 if [ -f $SCRIPT_DIR/test-env.sh ]; then
From 75c9e0783ecb1b01dcb9a29f99265a6a08d7c275 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 27 Feb 2025 13:16:25 -0600
Subject: [PATCH 40/48] fix aws teardown
---
 .evergreen/auth_aws/teardown.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.evergreen/auth_aws/teardown.sh b/.evergreen/auth_aws/teardown.sh
index 449c3553e..2c38aca27 100755
--- a/.evergreen/auth_aws/teardown.sh
+++ b/.evergreen/auth_aws/teardown.sh
@@ -10,6 +10,7 @@ pushd $SCRIPT_DIR
 # If we've gotten credentials, ensure the instance profile is set.
 if [ -f secrets-export.sh ]; then
   . ./activate-authawsvenv.sh
+  source secrets-export.sh
   python ./lib/aws_assign_instance_profile.py
 fi
From 927b95b5770d18e853b1009c3761af1e91a80e8a Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 27 Feb 2025 13:51:18 -0600
Subject: [PATCH 41/48] debug
---
 .evergreen/auth_aws/teardown.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.evergreen/auth_aws/teardown.sh b/.evergreen/auth_aws/teardown.sh
index 2c38aca27..0f007a293 100755
--- a/.evergreen/auth_aws/teardown.sh
+++ b/.evergreen/auth_aws/teardown.sh
@@ -10,6 +10,7 @@ pushd $SCRIPT_DIR
 # If we've gotten credentials, ensure the instance profile is set.
 if [ -f secrets-export.sh ]; then
   . ./activate-authawsvenv.sh
+  echo "SOURCING SECRETS!"
   source secrets-export.sh
   python ./lib/aws_assign_instance_profile.py
 fi
From ca423797145ee5e3419e3c1a1889cd22e773953c Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 27 Feb 2025 15:00:38 -0600
Subject: [PATCH 42/48] debug
---
 .evergreen/auth_aws/lib/aws_assign_instance_profile.py | 2 +-
 .evergreen/auth_aws/teardown.sh | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.evergreen/auth_aws/lib/aws_assign_instance_profile.py b/.evergreen/auth_aws/lib/aws_assign_instance_profile.py
index be3028a6b..123e7d732 100755
--- a/.evergreen/auth_aws/lib/aws_assign_instance_profile.py
+++ b/.evergreen/auth_aws/lib/aws_assign_instance_profile.py
@@ -36,9 +36,9 @@ def _has_instance_profile():
         print("Reading: " + base_url)
         iam_role = urllib.request.urlopen(base_url).read().decode()
     except urllib.error.HTTPError as e:
-        print(e)
         if e.code == 404:
             return False
+        print(e)
         raise e
     try:
diff --git a/.evergreen/auth_aws/teardown.sh b/.evergreen/auth_aws/teardown.sh
index 0f007a293..d3c53dcd7 100755
--- a/.evergreen/auth_aws/teardown.sh
+++ b/.evergreen/auth_aws/teardown.sh
@@ -11,6 +11,7 @@ pushd $SCRIPT_DIR
 if [ -f secrets-export.sh ]; then
   . ./activate-authawsvenv.sh
   echo "SOURCING SECRETS!"
+  env | grep "AWS_ACCESS_KEY_ID"
   source secrets-export.sh
   python ./lib/aws_assign_instance_profile.py
 fi
From 0209b78d651337b672b4b09f4410398792da8653 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 27 Feb 2025 16:39:54 -0600
Subject: [PATCH 43/48] debug
---
 .evergreen/auth_aws/teardown.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.evergreen/auth_aws/teardown.sh b/.evergreen/auth_aws/teardown.sh
index d3c53dcd7..16e0a1c2d 100755
--- a/.evergreen/auth_aws/teardown.sh
+++ b/.evergreen/auth_aws/teardown.sh
@@ -10,6 +10,8 @@ pushd $SCRIPT_DIR
 # If we've gotten credentials, ensure the instance profile is set.
 if [ -f secrets-export.sh ]; then
   . ./activate-authawsvenv.sh
+  set -x
+  env | grep "AWS_ACCESS_KEY_ID"
   echo "SOURCING SECRETS!"
   env | grep "AWS_ACCESS_KEY_ID"
   source secrets-export.sh
From b82546ce1b3e821d8474e048b08fc04aff77f822 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 27 Feb 2025 16:47:10 -0600
Subject: [PATCH 44/48] debug
---
 .evergreen/auth_aws/teardown.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.evergreen/auth_aws/teardown.sh b/.evergreen/auth_aws/teardown.sh
index 16e0a1c2d..912d0c043 100755
--- a/.evergreen/auth_aws/teardown.sh
+++ b/.evergreen/auth_aws/teardown.sh
@@ -10,6 +10,7 @@ pushd $SCRIPT_DIR
 # If we've gotten credentials, ensure the instance profile is set.
 if [ -f secrets-export.sh ]; then
   . ./activate-authawsvenv.sh
+  unset AWS_ACCESS_KEY_ID
   set -x
   env | grep "AWS_ACCESS_KEY_ID"
   echo "SOURCING SECRETS!"
From f47012dc0a39c1ad353bc6db901c3340cd520132 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 27 Feb 2025 17:51:37 -0600
Subject: [PATCH 45/48] debug
---
 .evergreen/auth_aws/teardown.sh | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.evergreen/auth_aws/teardown.sh b/.evergreen/auth_aws/teardown.sh
index 912d0c043..2c38aca27 100755
--- a/.evergreen/auth_aws/teardown.sh
+++ b/.evergreen/auth_aws/teardown.sh
@@ -10,11 +10,6 @@ pushd $SCRIPT_DIR
 # If we've gotten credentials, ensure the instance profile is set.
 if [ -f secrets-export.sh ]; then
   . ./activate-authawsvenv.sh
-  unset AWS_ACCESS_KEY_ID
-  set -x
-  env | grep "AWS_ACCESS_KEY_ID"
-  echo "SOURCING SECRETS!"
-  env | grep "AWS_ACCESS_KEY_ID"
   source secrets-export.sh
   python ./lib/aws_assign_instance_profile.py
 fi
From f2378c094c6e98d819f1c73cd2ac9886e4b79191 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Sun, 2 Mar 2025 10:49:22 -0600
Subject: [PATCH 46/48] add auth_aws option
---
 .evergreen/orchestration/drivers_orchestration.py | 11 +++++++++--
 .evergreen/run-orchestration.sh | 1 +
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/.evergreen/orchestration/drivers_orchestration.py b/.evergreen/orchestration/drivers_orchestration.py
index d940fd923..06c762b0c 100644
--- a/.evergreen/orchestration/drivers_orchestration.py
+++ b/.evergreen/orchestration/drivers_orchestration.py
@@ -53,8 +53,7 @@ def get_options():
     parser.add_argument(
         "--topology",
         choices=["standalone", "replica_set", "sharded_cluster"],
-        default="standalone",
-        help="The topology of the server deployment",
+        help="The topology of the server deployment (defaults to standalone in most cases)",
     )
     parser.add_argument(
         "--auth", action="store_true", help="Whether to add authentication"
@@ -70,6 +69,9 @@ def get_options():
     other_group.add_argument(
         "--load-balancer", action="store_true", help="Whether to use a load balancer"
     )
+    other_group.add_argument(
+        "--auth-aws", action="store_true", help="Whether to use MONGODB-AWS auth"
+    )
     other_group.add_argument(
         "--skip-crypt-shared",
         action="store_true",
@@ -140,6 +142,11 @@ def get_options():
     opts.mongo_orchestration_home = DRIVERS_TOOLS / ".evergreen/orchestration"
     if opts.mongodb_binaries is None:
         opts.mongodb_binaries = DRIVERS_TOOLS / "mongodb/bin"
+    if not opts.topology and opts.load_balancer:
+        opts.topology = "sharded_cluster"
+    if opts.auth_aws:
+        opts.auth = True
+        opts.orchestration_file = "auth-aws.json"
     if opts.topology == "standalone" or not opts.topology:
         opts.topology = "server"
     if not opts.version:
diff --git a/.evergreen/run-orchestration.sh b/.evergreen/run-orchestration.sh
index de925ddec..a1f872332 100755
--- a/.evergreen/run-orchestration.sh
+++ b/.evergreen/run-orchestration.sh
@@ -15,6 +15,7 @@ set -eu
 # SKIP_CRYPT_SHARED Set to a non-empty string to skip downloading crypt_shared
 # MONGODB_BINARIES Set the path to the MONGODB_BINARIES for mongo orchestration.
 # LOAD_BALANCER Set to a non-empty string to enable load balancer. Only supported for sharded clusters.
+# AUTH_AWS Set to a non-empty string to enable MONGODB-AWS authentication.
 # PYTHON Set the Python binary to use.
 # INSTALL_LEGACY_SHELL Set to a non-empty string to install the legacy mongo shell.
 # TLS_CERT_KEY_FILE Set a .pem file to be used as the tlsCertificateKeyFile option in mongo-orchestration
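Review bot: In the third drivers_orchestration.py hunk, `--auth-aws` silently forces `opts.auth = True` and overwrites `opts.orchestration_file` with `"auth-aws.json"`, but its help string (second hunk) only says "Whether to use MONGODB-AWS auth"; the help should state the side effects, e.g. `help="Use MONGODB-AWS auth (implies --auth and selects the auth-aws.json orchestration file)"`. If `orchestration_file` can also be supplied by the caller (its option is not visible in this hunk), an explicit value is discarded here without warning — either reject the combination or log that it is being replaced. The new `load_balancer` fallback to `sharded_cluster` is correctly ordered before the `standalone` mapping, but it is an implicit default worth a comment, e.g. `# A load balancer is only supported in front of a sharded cluster.`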
From ce946382ffa787f9beb6ef1229c840792d6d5b4a Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Sun, 2 Mar 2025 10:55:44 -0600
Subject: [PATCH 47/48] clean up help
---
 .evergreen/orchestration/drivers_orchestration.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.evergreen/orchestration/drivers_orchestration.py b/.evergreen/orchestration/drivers_orchestration.py
index 06c762b0c..5e4e08efd 100644
--- a/.evergreen/orchestration/drivers_orchestration.py
+++ b/.evergreen/orchestration/drivers_orchestration.py
@@ -47,13 +47,13 @@ def get_options():
     parser.add_argument(
         "--version",
         default="latest",
-        help='The version to download (Required). Use "latest" to download '
+        help='The version to download. Use "latest" to download '
         "the newest available version (including release candidates).",
     )
     parser.add_argument(
         "--topology",
         choices=["standalone", "replica_set", "sharded_cluster"],
-        help="The topology of the server deployment (defaults to standalone in most cases)",
+        help="The topology of the server deployment (defaults to standalone unless another flag like load_balancer is set)",
     )
     parser.add_argument(
         "--auth", action="store_true", help="Whether to add authentication"
From 852bfcfb148316e1ca76e316d8c529c68f7dc385 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Tue, 4 Mar 2025 09:24:33 -0600
Subject: [PATCH 48/48] address review
---
 .../lib/aws_assign_instance_profile.py | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/.evergreen/auth_aws/lib/aws_assign_instance_profile.py b/.evergreen/auth_aws/lib/aws_assign_instance_profile.py
index 123e7d732..c0bb344f9 100755
--- a/.evergreen/auth_aws/lib/aws_assign_instance_profile.py
+++ b/.evergreen/auth_aws/lib/aws_assign_instance_profile.py
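Review bot: The new `--topology` help text names the flag as `load_balancer`, but the option defined further down in the same parser is `--load-balancer` (see the `other_group.add_argument` hunk in PATCH 46); users copy these names from `--help`, so it should read `help="The topology of the server deployment (defaults to standalone unless another flag like --load-balancer is set)"`. The `--auth-aws` flag added in PATCH 46 has the same implicit relationship with `--auth` and would benefit from the same explicit wording.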
@@ -33,23 +33,23 @@ def _get_local_instance_id():
 def _has_instance_profile():
     base_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
     try:
-        print("Reading: " + base_url)
+        LOGGER.info("Reading: " + base_url)
         iam_role = urllib.request.urlopen(base_url).read().decode()
     except urllib.error.HTTPError as e:
         if e.code == 404:
             return False
-        print(e)
+        LOGGER.error(e)
         raise e
     try:
         url = base_url + iam_role
-        print("Reading: " + url)
+        LOGGER.info("Reading: " + url)
         _ = urllib.request.urlopen(url)
-        print("Assigned " + iam_role)
+        LOGGER.info("Assigned " + iam_role)
     except urllib.error.HTTPError as e:
-        print(e)
         if e.code == 404:
             return False
+        LOGGER.error(e)
         raise e
     return True
@@ -85,7 +85,7 @@ def _handle_config():
         )
         return CONFIG[get_key("iam_auth_ec2_instance_profile")]
     except Exception as e:
-        print(e)
+        LOGGER.error(e)
         return ""
@@ -94,7 +94,7 @@ def _handle_config():
 def _assign_instance_policy(iam_instance_arn=DEFAULT_ARN):
     if _has_instance_profile():
-        print(
+        LOGGER.warning(
             "IMPORTANT: Found machine already has instance profile, skipping the assignment"
         )
         return
@@ -112,14 +112,14 @@ def _assign_instance_policy(iam_instance_arn=DEFAULT_ARN):
             InstanceId=instance_id,
         )
-        print(response)
+        LOGGER.debug(response)
         # Wait for the instance profile to be assigned by polling the local instance metadata service
         _wait_instance_profile()
     except botocore.exceptions.ClientError as ce:
         if ce.response["Error"]["Code"] == "RequestLimitExceeded":
-            print("WARNING: RequestLimitExceeded, exiting with error code 2")
+            LOGGER.warning("WARNING: RequestLimitExceeded, exiting with error code 2")
             sys.exit(2)
         raise
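Review bot: In both `except` blocks of `_has_instance_profile` the logger call is followed by `raise e`, which re-raises with an extra traceback frame; a bare `raise` preserves the original traceback, and `LOGGER.exception("IMDS request failed")` records it at ERROR level without the separate `LOGGER.error(e)`. The `"Reading: " + base_url` concatenations format eagerly even when INFO is disabled; the logging idiom is `LOGGER.info("Reading: %s", base_url)`. Note also that any non-404 `HTTPError` from IMDS — an IMDSv2-only instance answers these token-less requests with 401 — propagates out of the function rather than being reported as "no profile"; that is probably intended, but a comment saying so would help, e.g. `# Anything other than 404 (no profile attached) is unexpected; surface it.`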