- Type: Improvement
- Resolution: Done
- Priority: Major - P3
- None
- Component/s: Client Side Encryption
We have a customer on GCP who is trying to use GCP KMS for the CMK. Today we require a service account key, i.e. an email and privateKey for the service account, in order to use the GCP KMS API. They are using an attached service account, following GCP best practice, which says "Use attached service accounts when possible. For applications deployed on Google Cloud that need to use a service account, attach the service account to the underlying compute resource. By attaching a service account, you enable the application to obtain tokens for the service account and to use these tokens to access Google Cloud APIs and resources." and also "Use service account keys only if there is no viable alternative". Google even displays the warning "Service account keys could pose a security risk if compromised" when creating a key for a service account.
The customer is requesting that we follow GCP best practices and, when using an "attached" service account, skip/bypass the email and privateKey used for authentication and access the GCP KMS API directly.
For reference https://cloud.google.com/iam/docs/best-practices-for-using-and-managing-service-accounts#use-attached-service-accounts
The customer is running on Cloud Run, and sometimes Compute Engine, on GCP, and so uses attached service accounts. Their service accounts do not have user-accessible keys on them.
The customer is using the MongoDB C#/.NET driver on Linux.
During local development they use the environment variable GOOGLE_APPLICATION_CREDENTIALS; pointing it at a local service account key file (purely for development purposes) makes the Google libraries behave exactly as they do when deployed in an attached service account environment.
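The credential-selection behaviour described above, as an added illustration in Python (this is not driver code, and the function names are hypothetical): when GOOGLE_APPLICATION_CREDENTIALS points at a key file the `email`/`privateKey` form is built from it, otherwise the attached service account is used by asking the GCE/Cloud Run metadata server for a short-lived OAuth2 token and passing it in the `accessToken` form. The metadata endpoint and its `Metadata-Flavor: Google` header are the real ones; the key file and metadata reply in `demo()` are constructed stand-ins so the code runs offline.

```python
"""Hypothetical credential resolution for the `gcp` KMS provider entry.

Added example, not code from the ticket or any MongoDB driver. It prefers the
attached service account (no key on disk) and only falls back to a downloaded
service account key when the developer explicitly opts in via
GOOGLE_APPLICATION_CREDENTIALS, matching the behaviour the ticket asks for.
"""
import json
import os
import tempfile
import urllib.request
from typing import Callable, Dict, Mapping

# Real metadata-server endpoint and required header for attached service accounts.
METADATA_TOKEN_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)
METADATA_HEADERS = {"Metadata-Flavor": "Google"}


def fetch_metadata_token(url: str = METADATA_TOKEN_URL,
                         timeout: float = 2.0) -> Dict[str, object]:
    """Call the metadata server (only reachable inside GCP) and return its JSON body."""
    req = urllib.request.Request(url, headers=METADATA_HEADERS)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def load_service_account_key(path: str) -> Dict[str, str]:
    """Read a downloaded service account key file into the email/privateKey form."""
    with open(path, "r", encoding="utf-8") as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    return {"email": key["client_email"], "privateKey": key["private_key"]}


def resolve_gcp_kms_credentials(
    env: Mapping[str, str],
    token_fetcher: Callable[[], Dict[str, object]] = fetch_metadata_token,
) -> Dict[str, str]:
    """Pick the credential form for the `gcp` KMS provider entry.

    A user-managed key is used only when GOOGLE_APPLICATION_CREDENTIALS is set
    (local development); otherwise the attached service account supplies a
    token and no long-lived key is ever present on the host.
    """
    key_path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_path:
        return load_service_account_key(key_path)
    body = token_fetcher()
    token = body.get("access_token")
    if not token:
        raise RuntimeError("metadata server returned no access_token")
    # 'expires_in' (seconds) is also returned; callers must refresh before it elapses.
    return {"accessToken": str(token)}


def demo() -> Dict[str, Dict[str, str]]:
    """Exercise both branches on constructed inputs (no network or real key)."""
    # Constructed stand-in for a downloaded key file; the PEM body is a placeholder.
    fake_key = {
        "type": "service_account",
        "client_email": "dev-sa@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    }
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(fake_key, fh)
        key_path = fh.name
    try:
        local = resolve_gcp_kms_credentials({"GOOGLE_APPLICATION_CREDENTIALS": key_path})
    finally:
        os.unlink(key_path)

    # Constructed metadata-server reply, shaped like the real one.
    def stub_fetcher() -> Dict[str, object]:
        return {"access_token": "ya29.CONSTRUCTED", "expires_in": 3599, "token_type": "Bearer"}

    attached = resolve_gcp_kms_credentials({}, token_fetcher=stub_fetcher)
    return {"local": local, "attached": attached}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The dict returned by `resolve_gcp_kms_credentials` is what would go in the `gcp` entry of the KMS providers map handed to the driver's client encryption setup; the production branch never reads a key file, which is the point of the request.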
- depends on
  - MONGOCRYPT-461 Support `accessToken` for `gcp` KMS provider (Closed)
- is depended on by
  - GODRIVER-2375 Support automatic Authentication for GCloud KMS (Closed)
- is related to
  - DRIVERS-2280 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (Closed)
- related to
  - GODRIVER-2415 KMSProvider for GCP does not accept access_token for the service account email (Closed)
  - DRIVERS-2924 Document "accessToken" form of KMS providers (Backlog)
- split to
  - JAVA-4685 Add support for GCP attached service accounts when using GCP KMS (Closed)
  - CDRIVER-4435 Add support for GCP attached service accounts when using GCP KMS (Closed)
  - CSHARP-4266 Add support for GCP attached service accounts when using GCP KMS (Closed)
  - CXX-2551 Add support for GCP attached service accounts when using GCP KMS (Closed)
  - GODRIVER-2501 Add support for GCP attached service accounts when using GCP KMS (Closed)
  - MOTOR-999 Add support for GCP attached service accounts when using GCP KMS (Closed)
  - NODE-4462 Add support for GCP attached service accounts when using GCP KMS (Closed)
  - PHPLIB-917 Add support for GCP attached service accounts when using GCP KMS (Closed)
  - PYTHON-3367 Add support for GCP attached service accounts when using GCP KMS (Closed)
  - RUBY-3062 Add support for GCP attached service accounts when using GCP KMS (Closed)
  - RUST-1417 Add support for GCP attached service accounts when using GCP KMS (Closed)