Temporary MONGODB-AWS credentials could not be obtained

We have connected from an AWS EC2 machine using AWS role-based authentication.

It throws an error on some EC2 machines… some EC2 machines work… But both EC2 machines are able to get temporary role authentication from AWS metadata using the curl command.

Below is the error when I try to use pymongo[aws]

  File "/usr/lib64/python2.7/site-packages/pymongo/pool.py", line 810, in authenticate
    auth.authenticate(credentials, self)
  File "/usr/lib64/python2.7/site-packages/pymongo/auth.py", line 673, in authenticate
    auth_func(credentials, sock_info)
  File "/usr/lib64/python2.7/site-packages/pymongo/auth_aws.py", line 85, in _authenticate_aws
    exc, pymongo_auth_aws.__version__))
pymongo.errors.OperationFailure: temporary MONGODB-AWS credentials could not be obtained (pymongo-auth-aws version 1.0.1)

$ python -c "import pymongo_auth_aws; print(pymongo_auth_aws.__version__)"

1.0.1

$ python -c "import pymongo; print(pymongo.version); print(pymongo.has_c())"

3.11.0

True

$ python -c "import sys; print(sys.version)"

2.7.18 (default, May 27 2020, 12:45:48)

[GCC 7.3.1 20180712 (Red Hat 7.3.1-6)]


Hi @Kiran_Hegde - welcome to MongoDB Community!

I’ve passed your question on to our engineering team, and we’ve tracked down the line of code throwing the error, but can’t work out why this might be happening. I’d suggest looking further into the differences between your EC2 instances to track down what’s failing.

If you do work out what’s happening - please do let us know here - it would be super-helpful if someone has the same problem in future.

Mark

Thanks Mark… I did some more digging on this.
Some of the auth code is doing a “post” call to get the temp token to connect.
And it fails to do that. It looks like AWS is not allowing a “post” call there… If I do a “put” call instead of the post below, it works. Maybe you have to fix this in the pymongo code…
Happy to work more on this.

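import requests

# _AWS_EC2_URI, _AWS_EC2_PATH and _AWS_HTTP_TIMEOUT are defined elsewhere in the auth code.
headers = {'X-aws-ec2-metadata-token-ttl-seconds': '60'}
# The "post" call in question (highlighted in the original post).
res = requests.post(_AWS_EC2_URI+'latest/api/token', headers=headers, timeout=_AWS_HTTP_TIMEOUT)
token = res.content
headers = {'X-aws-ec2-metadata-token': token}
# Look up the role name, then fetch that role's temporary credentials.
res = requests.get(_AWS_EC2_URI+_AWS_EC2_PATH, headers=headers, timeout=_AWS_HTTP_TIMEOUT)
role = res.text
res = requests.get(_AWS_EC2_URI+_AWS_EC2_PATH+role, headers=headers, timeout=_AWS_HTTP_TIMEOUT)
res_json = res.json()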

Thanks @Kiran_Hegde, this is indeed a bug. I filed a fix for it here: https://jira.mongodb.org/browse/PYTHON-2378

I also have a proposed fix that can be released shortly, here: "PYTHON-2378 Use PUT for EC2 token request, not POST" by ShaneHarvey (Pull Request #2, mongodb/pymongo-auth-aws on GitHub)

It would be great if you could test out this fix. To test it yourself, install the updated version like this:

python -m pip install --upgrade https://github.com/ShaneHarvey/pymongo-auth-aws/archive/PYTHON-2378.tar.gz

Thanks Shane for a quick fix… It is working.
But we need this from the Python library directly when I install pymongo[aws]. I am using it inside Docker. So it would be good to fix pymongo[aws] to implement this in our environment.

We’ve released pymongo-auth-aws version 1.0.2 so python -m pip install 'pymongo[aws]' will work fine now. Thanks for helping us with the fix @Kiran_Hegde!

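Added example, not part of any post in this thread and not pymongo-auth-aws code: the EC2 metadata token exchange discussed above, with the token requested by PUT, run against a local mock server so it works offline. `MockIMDS`, `fetch_credentials`, `start_mock`, the mock's 405 answer to POST and all sample values are constructed assumptions.

```python
import json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed sample values for the mock; none of these are real credentials.
CRED_PATH = "latest/meta-data/iam/security-credentials/"
TOKEN, ROLE = "constructed-token", "example-role"
CREDS = {"AccessKeyId": "AKIDEXAMPLE", "SecretAccessKey": "x", "Token": "y"}

class MockIMDS(BaseHTTPRequestHandler):
    """Local stand-in for the metadata service (hypothetical, for this example)."""
    def _send(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_PUT(self):  # tokens are issued to PUT requests carrying a TTL header
        ok = (self.path == "/latest/api/token"
              and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers)
        self._send(200 if ok else 400, TOKEN.encode() if ok else b"")
    def do_POST(self):  # assumption: model the failing hosts as answering 405
        self._send(405)
    def do_GET(self):  # every metadata read must present the session token
        if self.headers.get("X-aws-ec2-metadata-token") != TOKEN:
            self._send(401)
        elif self.path == "/" + CRED_PATH:
            self._send(200, ROLE.encode())
        elif self.path == "/" + CRED_PATH + ROLE:
            self._send(200, json.dumps(CREDS).encode())
        else:
            self._send(404)
    def log_message(self, *args): pass  # keep the example quiet

# Metadata traffic is link-local, so never route it through an env-configured proxy.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def _call(base, path, method, headers):
    req = urllib.request.Request(base + path, method=method, headers=headers)
    with _OPENER.open(req, timeout=5) as res:
        return res.read().decode()

def fetch_credentials(base, token_method="PUT"):
    """Token request (PUT), then role name, then the role's temporary credentials."""
    ttl = {"X-aws-ec2-metadata-token-ttl-seconds": "60"}
    auth = {"X-aws-ec2-metadata-token": _call(base, "latest/api/token", token_method, ttl)}
    role = _call(base, CRED_PATH, "GET", auth)
    return json.loads(_call(base, CRED_PATH + role, "GET", auth))

def start_mock():
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_port
```

Passing `token_method="POST"` to `fetch_credentials` raises `urllib.error.HTTPError` at the token step against this mock, which is the point at which a credential lookup stops when the token request is refused.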

Thanks Shane, Mark. Never thought we would get a fix so quickly by just putting it in the forum.

