IAM auth SSM timeout after one hour

We are using IAM auth to authenticate our lambda functions with Atlas. Due to security and compliance restrictions we need the lambda to perform an SSM call to assume the role that is added in Atlas as a DB user.

This works fine, but the SSM session is valid for one hour only. Sometimes we have hot lambdas, where the execution context is older than one hour, which results in an authentication error.

My question is: Currently the MongoDB Node driver does not refresh the SSM session. Is this planned? If not: How can I catch the auth error on the client side in the driver to reconnect with fresh credentials? I tried adding the following event, but the data is never logged / the event handler is never called:

client.on("error", async (e) => {
  console.error('this.client.on("error"', e);
});

Hi - having a similar issue here. How did you resolve it in the end?

Monkey patched the mongodb driver and opened a feature request with the Node driver team. Driver support for this is on the roadmap, but might take some time.

Do you have a commit or other example of what you changed so that I can see it for myself?

It is a frustrating problem, that’s for sure.

@Matt_Collins2 Unfortunately, it is a proprietary project, so I can’t share a code snippet. But to provide some guidance: Basically you need to patch the mongodb/lib/cmap/auth/aws_temporary_credentials.js file. Override the getCredentials method to return an AWS credentials provider.

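One way to handle the one-hour expiry discussed in this thread without patching the driver, as an added example that is not code from any poster or from the MongoDB driver: cache the client in the warm Lambda context together with the credential expiry, rebuild it shortly before expiry, and rebuild once more if an operation still fails authentication. `createRefreshingClient`, `fetchCredentials` and `connect` are hypothetical names, and the five-minute margin is an assumption.

```javascript
// Hypothetical helper (not part of the mongodb package).
const REFRESH_MARGIN_MS = 5 * 60 * 1000; // assumed safety margin before expiry
const AUTH_FAILED = 18; // MongoDB server error code "AuthenticationFailed"

function needsRefresh(entry, now) {
  return !entry || now >= entry.expiresAt - REFRESH_MARGIN_MS;
}

function isAuthError(err) {
  return Boolean(err) && (err.code === AUTH_FAILED || err.codeName === 'AuthenticationFailed');
}

// fetchCredentials(): resolves to { accessKeyId, secretAccessKey, sessionToken, expiration }
// connect(creds): resolves to a connected client, e.g. a MongoClient built with
//   authMechanism 'MONGODB-AWS' and authMechanismProperties.AWS_SESSION_TOKEN.
function createRefreshingClient({ fetchCredentials, connect, now = Date.now }) {
  let entry = null; // { client, expiresAt } survives across warm invocations

  async function open() {
    const creds = await fetchCredentials();
    const client = await connect(creds);
    entry = { client, expiresAt: new Date(creds.expiration).getTime() };
    return client;
  }

  async function close() {
    const old = entry;
    entry = null;
    if (old) await old.client.close().catch(() => {}); // best effort
  }

  async function getClient() {
    if (needsRefresh(entry, now())) { await close(); return open(); }
    return entry.client;
  }

  // Run op(client); on an authentication failure, reconnect once with
  // fresh credentials and retry. Any other error is rethrown unchanged.
  async function run(op) {
    try {
      return await op(await getClient());
    } catch (err) {
      if (!isAuthError(err)) throw err;
      await close();
      return op(await open());
    }
  }

  return { getClient, run };
}
```

Create the wrapper once at module scope so it is shared by every invocation of the same execution context, and route database calls through `run`.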