Skip to content

GODRIVER-3454 Support custom AWS credential provider. #2228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

GODRIVER-3454 Support custom AWS credential provider. #2228

wants to merge 2 commits into from

Conversation

@qingyang-hu
Copy link
Collaborator

GODRIVER-3454
GODRIVER-3615

Summary

Support custom AWS credential provider.

Background & Motivation

@mongodb-drivers-pr-bot
Copy link
Contributor

mongodb-drivers-pr-bot bot commented Oct 25, 2025
edited
Loading

🧪 Performance Results

Commit SHA: 4fea597

The following benchmark tests for version 6903c480cb08c400079f4a12 had statistically significant changes (i.e., |z-score| > 1.96):

Benchmark Measurement % Change Patch Value Stable Region H-Score Z-Score
BenchmarkMultiFindMany total_bytes_allocated -11.8809 669789992.0000 Avg: 760096146.2222
Med: 763743356.0000
Stdev: 36028084.7754		 0.7826 -2.5065
BenchmarkMultiFindMany total_mem_allocs -11.6754 413333.0000 Avg: 467970.6111
Med: 469972.5000
Stdev: 22195.9290		 0.7775 -2.4616
BenchmarkSingleRunCommand total_time_seconds 7.6554 1.2026 Avg: 1.1171
Med: 1.1190
Stdev: 0.0346		 0.7745 2.4685
BenchmarkMultiInsertSmallDocument ns_per_op -5.4593 6231.0000 Avg: 6590.8111
Med: 6581.5000
Stdev: 171.3524		 0.7454 -2.0998
BenchmarkLargeDocInsertOne allocated_bytes_per_op -0.6415 5653.0000 Avg: 5689.5000
Med: 5688.5000
Stdev: 4.7958		 0.9384 -7.6108
BenchmarkSmallDocInsertOne allocated_bytes_per_op -0.6328 5653.0000 Avg: 5689.0000
Med: 5689.0000
Stdev: 4.1633		 0.9444 -8.6469

For a comprehensive view of all microbenchmark results for this PR's commit, please check out the Evergreen perf task for this patch.

@mongodb-drivers-pr-bot
Copy link
Contributor

mongodb-drivers-pr-bot bot commented Oct 25, 2025
edited
Loading

API Change Report

./v2/mongo/options

compatible changes

(*AutoEncryptionOptions).SetCredentialProviders: added
(*ClientEncryptionOptionsBuilder).SetCredentialProviders: added
AutoEncryptionOptions.CredentialProviders: added
ClientEncryptionOptions.CredentialProviders: added
Credential.AwsCredentialsProvider: added
Credentials: added
CredentialsProvider: added

./v2/x/mongo/driver

compatible changes

Cred.AwsCredentialsProvider: added

./v2/x/mongo/driver/auth

incompatible changes

MongoDBAWSAuthenticator: old is comparable, new is not

./v2/x/mongo/driver/mongocrypt/options

compatible changes

(*MongoCryptOptions).SetCredentialProviders: added
MongoCryptOptions.CredentialProviders: added

@qingyang-hu qingyang-hu force-pushed the godriver3615 branch 11 times, most recently from 117f461 to a1b8f64 Compare October 27, 2025 15:42
qingyang-hu
qingyang-hu commented Oct 27, 2025
View reviewed changes
internal/integration/client_side_encryption_prose_test.go
})
}

func TestCustomAwsCredentialsProse(t *testing.T) {
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Put this aside from TestClientSideEncryptionProse so Setenv() can be used without being influenced by t.Parallel().

@qingyang-hu qingyang-hu marked this pull request as ready for review October 27, 2025 18:30
@qingyang-hu qingyang-hu requested a review from a team as a code owner October 27, 2025 18:30
@qingyang-hu qingyang-hu requested review from Copilot, matthewdale and prestonvasquez and removed request for prestonvasquez October 27, 2025 18:30
Copilot AI reviewed Oct 27, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for custom AWS credential providers, enabling applications to supply their own AWS credential retrieval logic for both authentication and client-side encryption. The implementation allows users to provide custom credential providers as a callback function that returns AWS credentials on demand.

Key changes:

  • Added AwsCredentialsProvider callback field to credential options for connection authentication
  • Extended client-side encryption options to support custom credential providers via CredentialProviders map
  • Refactored internal credential provider interface to use context-aware Retrieve(context.Context) method consistently across all provider implementations

Reviewed Changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
mongo/options/clientoptions.go Added AwsCredentialsProvider field and Credentials type to support custom AWS credential callbacks
mongo/options/clientencryptionoptions.go Added CredentialProviders map and setter for custom provider configuration
mongo/options/autoencryptionoptions.go Added CredentialProviders field and setter for auto-encryption provider configuration
x/mongo/driver/topology/topology_options.go Converted user-provided credential provider to internal format during credential conversion
x/mongo/driver/driver.go Added AwsCredentialsProvider field to Cred struct for internal provider storage
x/mongo/driver/auth/mongodbaws.go Integrated custom credential provider into AWS authentication flow
x/mongo/driver/mongocrypt/options/mongocrypt_options.go Added CredentialProviders field to MongoCrypt options
x/mongo/driver/mongocrypt/mongocrypt.go Wired custom credential providers into MongoCrypt initialization
mongo/client.go Converted credential providers for auto-encryption setup
mongo/client_encryption.go Converted credential providers for client encryption setup
internal/credproviders/aws_provider.go New provider implementation that wraps custom AWS credential callbacks
internal/aws/types.go Added public Credentials type for custom provider return values
internal/aws/credentials/credentials.go Unified provider interface to use context-aware Retrieve(context.Context) method
internal/credproviders/*.go Updated all provider implementations to use context-aware retrieval
x/mongo/driver/auth/mongodbaws_test.go Added tests for custom credential provider behavior
internal/integration/client_side_encryption_prose_test.go Added integration tests for custom credential provider scenarios
mongo/client_examples_test.go Added example demonstrating custom credential provider usage

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

internal/credproviders/aws_provider.go Outdated
Comment on lines 43 to 45
if a.credentials == nil || a.credentials.ExpirationCallback == nil {
return true
}
Copy link

Copilot AI Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The IsExpired logic returns true when credentials are nil, which means the provider will always be considered expired before the first retrieval. This forces an immediate retrieval, but if ExpirationCallback is also nil after the first retrieval, it will always return true, causing credentials to be re-fetched on every call. Consider returning a.credentials == nil when ExpirationCallback is nil to avoid unnecessary re-fetching after initial retrieval.

Suggested change
if a.credentials == nil || a.credentials.ExpirationCallback == nil {
return true
}
if a.credentials == nil {
return true
}
if a.credentials.ExpirationCallback == nil {
return false
}

Copilot uses AI. Check for mistakes.
mongo/client.go
Comment on lines 604 to 617
providers[k] = &credproviders.AwsProvider{
Provider: func(ctx context.Context) (aws.Credentials, error) {
var creds aws.Credentials
c, err := fn(ctx)
if err != nil {
return creds, err
}
creds.AccessKeyID = c.AccessKeyID
creds.SecretAccessKey = c.SecretAccessKey
creds.SessionToken = c.SessionToken
creds.ExpirationCallback = c.ExpirationCallback
return creds, nil
},
}
Copy link

Copilot AI Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The closure over fn in the loop may capture the wrong value if the loop variable is reused. While this loop only processes the 'aws' key specifically, consider using a function parameter or declaring fn within the block to ensure correct closure capture: provider := fn before the closure.

Copilot uses AI. Check for mistakes.
mongo/client_encryption.go
Comment on lines 62 to 75
providers[k] = &credproviders.AwsProvider{
Provider: func(ctx context.Context) (aws.Credentials, error) {
var creds aws.Credentials
c, err := fn(ctx)
if err != nil {
return creds, err
}
creds.AccessKeyID = c.AccessKeyID
creds.SecretAccessKey = c.SecretAccessKey
creds.SessionToken = c.SessionToken
creds.ExpirationCallback = c.ExpirationCallback
return creds, nil
},
}
Copy link

Copilot AI Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The closure over fn in the loop may capture the wrong value if the loop variable is reused. While this loop only processes the 'aws' key specifically, consider using a function parameter or declaring fn within the block to ensure correct closure capture: provider := fn before the closure.

Copilot uses AI. Check for mistakes.
@qingyang-hu qingyang-hu marked this pull request as draft October 28, 2025 21:37
@qingyang-hu qingyang-hu marked this pull request as ready for review October 30, 2025 21:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@matthewdale matthewdale Awaiting requested review from matthewdale

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@qingyang-hu