C++ Driver / CXX-2551

Add support for GCP attached service accounts when using GCP KMS

    • Type: Improvement
    • Resolution: Works as Designed
    • Priority: Major - P3
    • Fix Version/s: 3.8.0
    • Affects Version/s: None
    • Component/s: Client Side Encryption
    • Labels: None

      DRIVERS-2377: Summary of required changes

      • Upgrade dependency on libmongocrypt to 1.6.0 or higher. Binaries for 1.6.0 are available on the upload-all task.
      • Call mongocrypt_setopt_use_need_kms_credentials_state to opt in to handling the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state.
      • Handle the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state. If the originally configured KMS providers have an empty gcp: {}, attempt to obtain GCP credentials by sending an HTTP request described in the specification. Pass the new credentials back with mongocrypt_ctx_provide_kms_providers.
      • Add an integration test with a Google Compute Engine (GCE) instance. Get credentials from DRIVERS-2377 test credentials.
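      The credential-fetch step behind the second and third bullets, as an added example that is not the C++ driver's or libmongocrypt's code. It models what a driver does when libmongocrypt reports MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS: check that the originally configured providers contain an empty gcp: {}, request a token from the GCE metadata server (the URL and the mandatory Metadata-Flavor: Google header are those in the specification), and build the {"gcp": {"accessToken": ...}} document that is handed back through mongocrypt_ctx_provide_kms_providers. The HTTP transport is an assumed hook (HttpGet) so the block runs offline against a constructed stand-in for the metadata server; the KmsProviders map, the helper names and the token value are all constructed for this example. A token is fetched on every request, matching the ticket's note that it is not cached, and explicitly configured GCP credentials are never overridden.

```cpp
// Added example (not driver code): handling MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS for GCP.
#include <functional>
#include <iostream>
#include <map>
#include <optional>
#include <stdexcept>
#include <string>

// Simplified stand-in for the kmsProviders document: provider name -> fields (assumption).
using KmsProviders = std::map<std::string, std::map<std::string, std::string>>;

// Transport hook: (url, headers) -> (status, body). A real driver plugs in its HTTP client.
struct HttpResponse { int status; std::string body; };
using HttpGet = std::function<HttpResponse(const std::string& url,
                                           const std::map<std::string, std::string>& headers)>;

// Metadata-server endpoint and required header, as given in the CSFLE specification.
const std::string kGcpTokenUrl =
    "http://metadata/computeMetadata/v1/instance/service-accounts/default/token";
const std::string kMetadataFlavorHeader = "Metadata-Flavor";
const std::string kMetadataFlavorValue = "Google";

// On-demand GCP credentials are requested only when "gcp" is present and empty.
bool needsGcpCredentials(const KmsProviders& configured) {
  auto it = configured.find("gcp");
  return it != configured.end() && it->second.empty();
}

// Pull one string field out of a flat JSON object (enough for the metadata reply;
// a real driver should use its JSON/BSON parser instead).
std::optional<std::string> extractJsonString(const std::string& json, const std::string& key) {
  const std::string needle = "\"" + key + "\"";
  auto pos = json.find(needle);
  if (pos == std::string::npos) return std::nullopt;
  pos = json.find(':', pos + needle.size());
  if (pos == std::string::npos) return std::nullopt;
  pos = json.find('"', pos);
  if (pos == std::string::npos) return std::nullopt;
  auto end = json.find('"', pos + 1);
  if (end == std::string::npos) return std::nullopt;
  return json.substr(pos + 1, end - pos - 1);
}

// One fresh request per call: the access token is deliberately not cached.
std::string fetchGcpAccessToken(const HttpGet& get) {
  HttpResponse r = get(kGcpTokenUrl, {{kMetadataFlavorHeader, kMetadataFlavorValue}});
  if (r.status != 200)
    throw std::runtime_error("GCP metadata request failed with HTTP " + std::to_string(r.status));
  auto tok = extractJsonString(r.body, "access_token");
  if (!tok || tok->empty()) throw std::runtime_error("GCP metadata reply has no access_token");
  return *tok;  // never log this value
}

// Document to pass to mongocrypt_ctx_provide_kms_providers, or nullopt when the user
// configured GCP credentials explicitly (those must not be replaced).
std::optional<KmsProviders> kmsProvidersForNeedCredentialsState(const KmsProviders& configured,
                                                                const HttpGet& get) {
  if (!needsGcpCredentials(configured)) return std::nullopt;
  return KmsProviders{{"gcp", {{"accessToken", fetchGcpAccessToken(get)}}}};
}

// Constructed stand-in for the metadata server so the example runs offline. It refuses
// requests lacking the Metadata-Flavor header, as the real server does.
HttpResponse fakeMetadataServer(const std::string& url,
                                const std::map<std::string, std::string>& headers) {
  auto h = headers.find(kMetadataFlavorHeader);
  if (h == headers.end() || h->second != kMetadataFlavorValue)
    return {403, "Missing Metadata-Flavor:Google header."};
  if (url != kGcpTokenUrl) return {404, ""};
  return {200, R"({"access_token":"ya29.constructed-example-token","expires_in":3599,"token_type":"Bearer"})"};
}

int main() {
  KmsProviders configured{{"gcp", {}}};  // the opt-in shape: empty gcp document
  auto provided = kmsProvidersForNeedCredentialsState(configured, fakeMetadataServer);
  std::cout << (provided ? "gcp credentials obtained from metadata server" : "nothing to provide")
            << std::endl;
  return 0;
}
```

      The hook used for the request should go through the driver's own HTTP layer, and the only response field the driver needs is access_token; the returned document is the complete value handed to libmongocrypt for this state.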

      Additional background

      Please see https://github.com/mongodb/specifications/commit/847d9ba741201f9c9d1305831a9c60e8ab2a1544 for the specification change.

      Please see https://github.com/mongodb/mongo-go-driver/commit/91b240c6aab86680ed5e78746a5a5edcd408c237 for a reference implementation in Go.

      Consider using the mock server for local development to test the HTTP request to the Metadata Server.

      The GCP access token is not cached; see the scope document for the rationale.

      Integration test

      Drivers are expected to run an integration test with a temporary Google Compute Engine instance. Scripts in the drivers-evergreen-tools .evergreen/csfle/gcpkms directory may be used.

      To test, add an Evergreen task group to do the following:

      • Create a GCE instance in a setup_group.
      • Destroy the GCE instance in a teardown_group. Using a teardown_group will destroy the instance if the task fails.

      Add a task in the task group to do the following:

      • Build and copy files to the remote GCE instance.
      • Install necessary dependencies on the remote GCE instance.
      • Run the test remotely.

      Please see https://github.com/mongodb/mongo-go-driver/commit/91b240c6aab86680ed5e78746a5a5edcd408c237#diff-2bc841e86ce96b7b422ae203fd8315d0b2a461956cecbe0e096420656fc3fb12R2248 for a reference implementation of the integration test in Go.

      It may be helpful to refer to driver tests for MONGODB-AWS ECS. The ECS tests perform a similar flow (copying and running a test on a remote ECS instance).


      This ticket was split from DRIVERS-2377, please see that ticket for a detailed description.

            Assignee: Colby Pike (colby.pike@mongodb.com)
            Reporter: PM Bot (dbeng-pm-bot)
            Votes: 0
            Watchers: 3
