diff --git a/.evergreen/auth_oidc/README.md b/.evergreen/auth_oidc/README.md index 234f997e..efddc120 100644 --- a/.evergreen/auth_oidc/README.md +++ b/.evergreen/auth_oidc/README.md @@ -33,7 +33,7 @@ Use the `oidc_get_tokens.sh` script to create a set of OIDC tokens in a temporar ```bash source ./oidc_get_tokens.sh -AWS_WEB_IDENTITY_TOKEN_FILE="$OIDC_TOKEN_DIR/test_user1" /my/test/command +OIDC_TOKEN_FILE="$OIDC_TOKEN_DIR/test_user1" /my/test/command ``` ## Local Server Testing @@ -69,7 +69,7 @@ You can then run mongo orchestration with `TOPOLOGY=replicaset` and `ORCHESTRATI To set up the server auth roles, run `mongosh setup_oidc.js`. -Then, tests can be run against the server. Set `AWS_WEB_IDENTITY_TOKEN_FILE` to either `$OIDC_TOKEN_DIR/test_user1` or `$OIDC_TOKEN_DIR/test_user2` as desired. +Then, tests can be run against the server. Set `OIDC_TOKEN_FILE` to either `$OIDC_TOKEN_DIR/test_user1` or `$OIDC_TOKEN_DIR/test_user2` as desired. The token in `$OIDC_TOKEN_DIR/test_user1_expires` can be used to test expired credentials. diff --git a/.evergreen/auth_oidc/azure/README.md b/.evergreen/auth_oidc/azure/README.md index 52dcad22..b6d1f0ee 100644 --- a/.evergreen/auth_oidc/azure/README.md +++ b/.evergreen/auth_oidc/azure/README.md @@ -54,12 +54,12 @@ export AZUREOIDC_TEST_CMD="source ./env.sh && OIDC_PROVIDER_NAME=azure ./.evergr bash $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/run-driver-test.sh ``` -In your tests, you can use the environment variables in `env.sh` to define the `username` and `TOKEN_AUDIENCE` +In your tests, you can use the environment variables in `env.sh` to define the `username` and `TOKEN_RESOURCE` auth mechanism property, e.g. ```python username=os.environ["AZUREOIDC_USERNAME"] -TOKEN_AUDIENCE=os.environ["AZUREOIDC_AUDIENCE"] +TOKEN_RESOURCE=os.environ["AZUREOIDC_RESOURCE"] ``` Finally, we tear down the vm: 
@@ -103,7 +103,7 @@ Below is an explananion of the environment variables stored in the Azure key vau - AZUREOIDC_AUTHPREFIX - The auth prefix used for DB user and role names. - AZUREOIDC_AUTHCLAIM - The object ID of the Azure Group, used in the DB role name. - AZUREOIDC_USERNAME - The Object (principal) ID of the Azure Manager Identity, used for the `username`. -- AZUREOIDC_AUDIENCE - The escaped Application ID URI to use in the `TOKEN_AUDIENCE` auth mechanism property. +- AZUREOIDC_RESOURCE - The escaped Application ID URI to use in the `TOKEN_RESOURCE` auth mechanism property. - AZUREOIDC_CLIENTID - The client ID of the Azure App registration, used to generate the unescaped Application ID URI. - AZUREOIDC_TENANTID - The tenant ID of the Azure App registration, used to derive the `issuer` URI. - AZUREKMS_IDENTITY - A space separated string with the Resource ID of the managed identity (`/subscriptions/...`). Used to assign the identity to the VM. diff --git a/.evergreen/auth_oidc/azure/handle_secrets.py b/.evergreen/auth_oidc/azure/handle_secrets.py index c93f5409..7106448b 100644 --- a/.evergreen/auth_oidc/azure/handle_secrets.py +++ b/.evergreen/auth_oidc/azure/handle_secrets.py @@ -41,7 +41,7 @@ def main(): fid.write(f'export AZUREOIDC_AUTHPREFIX={secrets["AUTHPREFIX"]}\n') fid.write(f'export AZUREKMS_IDENTITY="{secrets["IDENTITY"]}"\n') fid.write(f'export AZUREOIDC_USERNAME="{secrets["USERNAME"]}"\n') - fid.write(f'export AZUREOIDC_AUDIENCE="{secrets["AUDIENCE"]}"\n') + fid.write(f'export AZUREOIDC_RESOURCE="{secrets["AUDIENCE"]}"\n') if os.path.exists(private_key_file): os.remove(private_key_file)
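Review bot: the first hunk (`.evergreen/auth_oidc/README.md` around line 33) renames the example variable from `AWS_WEB_IDENTITY_TOKEN_FILE` to `OIDC_TOKEN_FILE` but does not say that the old name is no longer honoured; add one sentence to the README stating the rename so driver test harnesses that still export `AWS_WEB_IDENTITY_TOKEN_FILE` are not silently left without a token. The rename is also worth explaining: `AWS_WEB_IDENTITY_TOKEN_FILE` is read by the AWS SDK's own credential provider chain, so exporting a test OIDC token under that name caused any AWS SDK loaded in the same process to attempt a web-identity credential exchange with it; a dedicated `OIDC_TOKEN_FILE` avoids that side effect.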
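Review bot: in the third hunk (`.evergreen/auth_oidc/azure/README.md` around line 54) the Python snippet is missing spaces around `=` (`username=os.environ["AZUREOIDC_USERNAME"]`, `TOKEN_RESOURCE=os.environ["AZUREOIDC_RESOURCE"]`); since this is the copy-paste example driver authors will start from, write it as `username = os.environ["AZUREOIDC_USERNAME"]` and `TOKEN_RESOURCE = os.environ["AZUREOIDC_RESOURCE"]`, and mention in the prose that the `TOKEN_AUDIENCE` name is retired rather than still accepted, so readers of older copies of this page do not assume both work.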
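Review bot: the fourth hunk (`azure/README.md` around line 103) now documents the variable as `AZUREOIDC_RESOURCE`, but the surrounding context says these are "the environment variables stored in the Azure key vault", and the final hunk shows the vault secret is still read as `secrets["AUDIENCE"]`; either rename the vault secret to match or add a note in this list entry that the vault key is `AUDIENCE` and only the exported name is `AZUREOIDC_RESOURCE`, otherwise someone rotating the secret will look for a key that does not exist.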
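Review bot: in the last hunk (`azure/handle_secrets.py` around line 41) the changed line keeps reading the vault key `AUDIENCE` while exporting `AZUREOIDC_RESOURCE`; a short comment on that line explaining the mapping would save the next reader a search. Separately, these lines interpolate secret values straight into a shell `export` statement that is later sourced: `AZUREOIDC_AUTHPREFIX` is written with no quotes at all, and the quoted ones would still break or be expanded if a value ever contained `"` or `$`. Wrapping each value with `shlex.quote(...)` before writing it makes `env.sh` safe to source regardless of the secret's contents.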