Is it possible to pass AWS VPC endpoints to overwrite the default ones in Percona


We are running a MongoDB cluster in a series of AWS private subnets that don’t have a NAT gateway.

This was all working as expected until we decided to introduce the AWS IAM MongoDB authentication. We’ve noticed that MongoDB needs to communicate with AWS in order to figure out if a particular client can access a database or not, which is something that now we cannot do (it times out when trying to authenticate a request).

Now, we’ve created a VPC endpoint that lets us communicate with STS through this private subnet, which works fine. The issue now is that it seems that we cannot provide this to the mongod CLI. We’ve tried passing the AWS_DEFAULT_STS_HOST environment variable set to said endpoint, but we didn’t have luck, possibly because it seems that the default STS host cannot be changed.

Is there any way to do this? Or is it something Percona is not supporting just yet?
