PYTHON-3912 Migrate Enterprise Auth Tests to AWS Secrets Vault (#1356)

Author: NoahStapp

.evergreen/config.yml

@@ -511,31 +511,23 @@ functions:
             bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m test-eg
 
   "run enterprise auth tests":
-    - command: shell.exec
-      type: test
+    - command: ec2.assume_role
       params:
-        silent: true
-        working_dir: "src"
-        script: |
-          cat <<EOT > prepare_enterprise_auth.sh
-          export SASL_HOST='${sasl_host}'
-          export SASL_PORT='${sasl_port}'
-          export SASL_USER='${sasl_user}'
-          export SASL_PASS='${sasl_pass}'
-          export SASL_DB='${sasl_db}'
-          export PRINCIPAL='${principal}'
-          export GSSAPI_DB='${gssapi_db}'
-          export KEYTAB_BASE64='${keytab_base64}'
-          EOT
+        role_arn: ${aws_test_secrets_role}
     - command: shell.exec
       type: test
       params:
         working_dir: "src"
         script: |
-          # Disable xtrace (just in case it was accidentally set).
+          # Disable xtrace for security reasons (just in case it was accidentally set).
           set +x
-          . ./prepare_enterprise_auth.sh
-          rm -f ./prepare_enterprise_auth.sh
+
+          DRIVERS_TOOLS="${DRIVERS_TOOLS}" \
+            AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+            AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+            AWS_SESSION_TOKEN="${AWS_SESSION_TOKEN}" \
+            bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m aws-secrets -- drivers/enterprise_auth
+
           PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
             PYTHON_BINARY="${PYTHON_BINARY}" \
             TEST_ENTERPRISE_AUTH=1 \
@@ -549,16 +541,21 @@ functions:
     - command: shell.exec
       type: test
       params:
-        add_expansions_to_env: true
         working_dir: "src"
         script: |
           # Disable xtrace for security reasons (just in case it was accidentally set).
           set +x
-          set -o errexit
-          set -o xtrace
 
-          bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m aws-secrets -- drivers/atlas_connect
-          TEST_ATLAS=1 bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m test-eg
+          DRIVERS_TOOLS="${DRIVERS_TOOLS}" \
+            AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+            AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+            AWS_SESSION_TOKEN="${AWS_SESSION_TOKEN}" \
+            bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m aws-secrets -- drivers/atlas_connect
+
+          PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
+            PYTHON_BINARY="${PYTHON_BINARY}" \
+            TEST_ATLAS=1 \
+            bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m test-eg
 
   "add aws auth variables to file":
     - command: shell.exec

.evergreen/run-tests.sh

@@ -41,6 +41,11 @@ PYTHON=$(which python)
 
 python -c "import sys; sys.exit(sys.prefix == sys.base_prefix)" || (echo "Not inside a virtual env!"; exit 1)
 
+# Try to source exported AWS Secrets
+if [ -f ./secrets-export.sh ]; then
+  source ./secrets-export.sh
+fi
+
 if [ "$AUTH" != "noauth" ]; then
     if [ ! -z "$TEST_DATA_LAKE" ]; then
         export DB_USER="mhuser"
@@ -234,10 +239,6 @@ fi
 echo "Running $AUTH tests over $SSL with python $PYTHON"
 python -c 'import sys; print(sys.version)'
 
-# Try to source exported AWS Secrets
-if [ -f ./secrets-export.sh ]; then
-  source ./secrets-export.sh
-fi
 
 # Run the tests, and store the results in Evergreen compatible XUnit XML
 # files in the xunit-results/ directory.

.gitignore

@@ -17,7 +17,6 @@ mongocryptd.pid
 .idea/
 .nova/
 venv/
-secrets-expansion.yml
 secrets-export.sh
 
 # Lambda temp files

test/test_client.py

@@ -1758,6 +1758,9 @@ def _test_handshake(self, env_vars, expected_env):
             metadata = copy.deepcopy(_METADATA)
             if expected_env is not None:
                 metadata["env"] = expected_env
+
+                if "AWS_REGION" not in env_vars:
+                    os.environ["AWS_REGION"] = ""
             with rs_or_single_client(serverSelectionTimeoutMS=10000) as client:
                 client.admin.command("ping")
                 options = client._MongoClient__options