Secure mongodb atlas connection with IAM role and access the secure connection from a particular Elstic BeanStalk environment in AWS

0

How to secure mongodb atlas connection with IAM role and access the secure connection from a particular Elstic BeanStalk environment in AWS?

I deployed the project in aws ebs and I want to secure mongodb atlas connection to only this particular environment through IAM role and not by setting IP whiteList because the instance IP is not static.

MONGODB ATLAS: I have followed the below steps to secure mongodb atlas with IAM role:

1.I have added the IAM role ARN to the database access of mongodb atlas.

Please let me know if there are any corrections required from the above steps in configuring the mongodb atlas with IAM role.

AWS:

  1. I have created IAM role that has the neccessary policies for the s3, ec2 instance, and ebs.

  2. what changes should be done in the IAM role to access the mongodb atlas and what policies should I add.

  3. what changes should i make in the ebs.

Creating the mongodb URI I am using the accessKey, secretKey and session token obtained from the aws security token service (STS).

func SecurityTokenService(region string) (*models.TempCredentials, StatusResponse.Status) {

	sess, err := session.NewSessionWithOptions(session.Options{
		Config: aws.Config{Region: aws.String(region)},
	})
	if err != nil {
		return nil, StatusResponse.CustomErrRes(err)
	}

	svc := sts.New(sess)

	input := &sts.AssumeRoleInput{
		RoleArn:         aws.String("arn:aws:iam"),
		RoleSessionName: aws.String("mongodb-session"),
		DurationSeconds: aws.Int64(3600), // Adjust as needed (1 hour)
	}

	output, err := svc.AssumeRoleWithContext(context.Background(), input)
	if err != nil {
		return nil, StatusResponse.CustomErrRes(err)
	}

	// Extract temporary credentials
	accessKeyID := *output.Credentials.AccessKeyId
	secretAccessKey := *output.Credentials.SecretAccessKey
	sessionToken := *output.Credentials.SessionToken

	credentials := models.TempCredentials{
		AccessKey:    accessKeyID,
		SecretKey:    url.QueryEscape(secretAccessKey),
		SessionToken: url.QueryEscape(sessionToken),
	}

	return &credentials, StatusResponse.SuccessStatusResponse()
}

When I try to access the APIs I am getting selection time out error.

I have tried using the mongodb URI with cluster user and password but still getting the selection timeout error.

Please let me know how should I proceed further.

I have added the 0.0.0.0 IP to whitelist it is working fine, but I don't want to compromise on the security with giving access to all the IPs. I want to secure the access only to the particular ebs environment. If someone can guide me through the steps that will be helpful.

Thanks in advance.

2 Answers
0

Hello.

Is mongodb atlas running on EC2 or something like that?
In that case, I think you can connect by allowing the ElasitcBeanstalk security group as a source in the security group's inbound rules.
https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing

profile picture
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
  • Thanks for quick response. According to our project requirement we need to go with IAM roles but not with IP address and VPC peering. Kindly suggest me the procedure for IAM role configurations for accessing the mongodb atlas from elastic beanstalk environment.

0

If your using mongodb ATLAS and your adding 0.0.0.0 is sounds like your using the public facing ATLAS and have not/are not using the VPC Peering or Private endpoint connection method.

With Peering you can add a security group on the Atlas side to allow connections via a specific SG etc

profile picture
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions