Type: New Feature
Resolution: Done
Priority: Unknown
Component/s: Client Side Encryption
Summary
Currently, for the MONGODB-AWS authentication mechanism, the driver obtains credentials according to the rules specified in https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#obtaining-credentials. In addition, there is a high-priority feature request to obtain credentials from an application-provided callback (see DRIVERS-2011).
With CSFLE, in contrast, AWS credentials must be provided explicitly via the kmsProviders property of AutoEncryptionSettings or ClientEncryptionSettings.
This feature will add support in CSFLE equivalent to what is already provided for MONGODB-AWS.
Motivation
Who is the affected end user?
Developer and security teams of enterprise customers.
How does this affect the end user?
There is a workaround, but it's onerous, as it involves recreating MongoClient instances before credentials expire.
How likely is it that this problem or use case will occur?
This is very likely to be an issue for users of client-side encryption.
If the problem does occur, what are the consequences and how severe are they?
They will be unable or at least unwilling to use client-side encryption in production.
Is this issue urgent?
It was certainly urgent for the initial customer that encountered this issue.
Is this ticket required by a downstream team?
No
Is this ticket only for tests?
No
is duplicated by
- DRIVERS-2179 Add support for updating expired AWS KMS temporary access credentials using assumed roles in FLE (Closed)
related to
- JAVA-4499 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Released)
- DRIVERS-2011 On-demand callback for AWS credentials (Closed)
- DRIVERS-2377 Add support for GCP attached service accounts when using GCP KMS (Closed)
split to
- JAVA-4604 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- CDRIVER-4382 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- CSHARP-4168 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- CXX-2508 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- GODRIVER-2410 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- MOTOR-959 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- NODE-4234 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- PYTHON-3256 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- RUBY-2989 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- RUST-1314 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- PHPLIB-866 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)