Uploaded image for project: 'Percona Operator for MongoDB'
  1. Percona Operator for MongoDB
  2. K8SPSMDB-185

s3 backup credentials for cloud deployments (AWS)


    • New Feature
    • Status: Done
    • Medium
    • Resolution: Fixed
    • 1.3.0
    • 1.12.0
    • None
    • operator version 1.3.0 deployed on AWS EKS. 5 mongo clusters in the same namespace.

    • Yes


        There are different ways of getting AWS credentials from inside AWS. The most preferable and secure is using instance_profile for ec2 or  IAM Roles for Service Accounts (kube2iam or kiam) for k8s. The idea is as simple as getting temporary credentials form aws sts service and renew the keys as the time goes. The only business for a user is to create a proper policy with resource permissions and attach it to a role that is attached to instance_profile or k8s service account. So the idea is: no hardcoded or predefined key!

      Percona mongo operator now have this:

      if storageSpec.S3.CredentialsSecret == "" {
            return nil, fmt.Errorf("no credentials specified for the secret name %s", storageName)

      If no Credentials set - return an error.


      it would be nice to have the option not to set the credentials if the mongo cluster is run on AWS (operator checks or an extra field in CRD). In case there is no credentials set and the environment is AWS - ask STS for credentials with further updates.




            ege.gunes Ege Gunes
            Pluha Oleksii
            1 Vote for this issue
            6 Start watching this issue



              Smart Checklist