Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-2280

Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS

XMLWordPrintableJSON

    • Type: Icon: New Feature New Feature
    • Resolution: Done
    • Priority: Icon: Unknown Unknown
    • None
    • Component/s: Client Side Encryption
    • Labels:
      None
    • Needed
    • Hide
      • Call mongocrypt_setopt_use_need_kms_credentials_state to opt in to handling the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state.
      • Handle the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state. If the originally configured KMS providers have an empty aws: {}, attempt to obtain AWS credentials following the logic of Obtaining Credentials (excluding the URI section). Pass the new credentials back with mongocrypt_ctx_provide_kms_providers.
      • A new CSFLE prose test is introduced in 5cf3ed7.

      Please see the C driver implementation as a reference. Note: the C driver also supports a user-provided callback for KMS providers. That is not in scope of DRIVERS-2280.

      Show
      Call mongocrypt_setopt_use_need_kms_credentials_state to opt in to handling the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state. Handle the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state. If the originally configured KMS providers have an empty aws: { }, attempt to obtain AWS credentials following the logic of Obtaining Credentials (excluding the URI section). Pass the new credentials back with mongocrypt_ctx_provide_kms_providers . A new CSFLE prose test is introduced in 5cf3ed7 . Please see the C driver implementation as a reference . Note: the C driver also supports a user-provided callback for KMS providers. That is not in scope of DRIVERS-2280 .
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      CDRIVER-4382 Done 1.23.0
      CXX-2508 Works as Designed 3.8.0
      CSHARP-4168 Fixed 2.18.0
      GODRIVER-2410 Fixed 1.12.0, 1.12.0-alpha1
      JAVA-4604 Duplicate
      NODE-4234 Fixed 4.11.0, mongodb-client-encryption-2.4.0
      MOTOR-959 Won't Do
      PYTHON-3256 Fixed pymongocrypt-1.4, 4.3.3
      PHPLIB-866 Fixed 1.16.0
      RUBY-2989 Fixed 2.19.0
      RUST-1314 Fixed 2.4.0
      SWIFT-1564 Won't Do
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion CDRIVER-4382 Done 1.23.0 CXX-2508 Works as Designed 3.8.0 CSHARP-4168 Fixed 2.18.0 GODRIVER-2410 Fixed 1.12.0, 1.12.0-alpha1 JAVA-4604 Duplicate NODE-4234 Fixed 4.11.0, mongodb-client-encryption-2.4.0 MOTOR-959 Won't Do PYTHON-3256 Fixed pymongocrypt-1.4, 4.3.3 PHPLIB-866 Fixed 1.16.0 RUBY-2989 Fixed 2.19.0 RUST-1314 Fixed 2.4.0 SWIFT-1564 Won't Do

      Summary

      Currently, for MONGODB-AWS authentication mechanism the driver obtains the credentials according to the rules specified in https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#obtaining-credentials. In addition, there is a high priority feature request to obtain credentials from an application-provided callback (see DRIVERS-2011).

      With CSFLE, in contrast, AWS credentials must be provided explicitly via the kmsProviders property of AutoEncryptionSettings or ClientEncryptionSettings.

      This feature will add equivalent support in CSFLE as is already provided for MONGODB-AWS.

      Motivation

      Who is the affected end user?

      Developer and security teams of enterprise customers.

      How does this affect the end user?

      There is a workaround, but it's onerous, as it involves recreating MongoClient instances before credentials expire.

      How likely is it that this problem or use case will occur?

      This is very likely to be an issue for users of client-side encryption.

      If the problem does occur, what are the consequences and how severe are they?

      They will be unable or at least unwilling to use client-side encryption in production.

      Is this issue urgent?

      It was certainly urgent for the initial customer that encountered this issue.

      Is this ticket required by a downstream team?

      No

      Is this ticket only for tests?

      No

            Assignee:
            Unassigned Unassigned
            Reporter:
            jeff.yemin@mongodb.com Jeffrey Yemin
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: