Is it possible to pass AWS VPC endpoints to overwrite the default ones


We are running a MongoDB cluster in a series of AWS private subnets that don’t have a NAT gateway.

This was all working as expected until we decided to introduce the AWS IAM MongoDB authentication. We’ve noticed that MongoDB needs to communicate with AWS in order to figure out if a particular client can access a database or not, which is something that now we cannot do (it times out when trying to authenticate a request).

Now, we’ve created a VPC endpoint that lets us communicate with STS through this private subnet, which works fine.
The issue now is that it seems we cannot provide this to the mongod CLI.
We’ve tried passing the AWS_DEFAULT_STS_HOST environment variable set to said endpoint, but we didn’t have any luck.

Is there any way to do this? Or is it something Percona is not supporting just yet?

Hi Victor,

Did you follow the steps outlined in this document?


I did.

Our setup works fine as long as we open the private network that mongo uses to the internet.
We don’t want to do that; we want to have a VPC endpoint and have mongo connect to STS via that endpoint.
After having a look at the codebase, it seems that this is not possible, as there’s no way we can overwrite the default STS host.

We just want confirmation on that really, to see if we can actually pass our own VPC endpoint as the STS host.

I think in our case, we would just need to be able to specify the default region, another thing that I’m not sure we can do.