JAVA-4706 (Java Driver): Support the Azure VM-assigned managed identity for automatic KMS credentials

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.8.0
    • Affects Version/s: None
    • Component/s: Client Side Encryption
    • Labels: None
    • Description:

      DRIVERS-2411:
      Implementation

      libmongocrypt 1.6.0 or higher is required. Binaries for 1.6.0 are available on the upload-all task.

      The spec changes introduce another method of obtaining KMS credentials automatically, much like with GCP and AWS:

      • When kmsProviders contains an empty azure property, it indicates a request for automatic Azure credentials.
      • To obtain credentials, issue an HTTP request to the Azure Instance Metadata Service (IMDS).
      • IMDS will issue an accessToken that can be used to query the Azure Key Vault (if the instance has sufficient permissions).
      • Additionally, this version of auto-KMS credentials institutes a token caching requirement.

      The associated spec changes are specified here: https://github.com/mongodb/specifications/commit/d6b8cce6abb3b8e1a0b8f1dc7ee737e18322cfce

      The initial implementation for the C driver is here: https://github.com/mongodb/mongo-c-driver/commit/686bff81f565f93db83d99902ce1c3a6f89922c7
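Added example (not the Java driver's, libmongocrypt's or the C driver's code) sketching the flow above in Python: detect the empty azure entry, fetch a token from IMDS, and serve it from cache until shortly before it expires. The IMDS URL and the Metadata: true header are Azure's documented interface; the 60 s refresh margin, the injectable fetch callback and the fake_imds stand-in (with a made-up token) are assumptions constructed for this example.

```python
import json
import time
from typing import Callable, Optional

# Assumed (not stated on the ticket): Azure's documented IMDS token endpoint,
# the mandatory "Metadata: true" header, and a 60 s early-refresh margin.
IMDS_URL = ("http://169.254.169.254/metadata/identity/oauth2/token"
            "?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net")
IMDS_HEADERS = {"Metadata": "true"}
REFRESH_MARGIN_S = 60

def wants_automatic_azure(kms_providers: dict) -> bool:
    """An empty 'azure' entry in kmsProviders requests automatic (IMDS) credentials."""
    return "azure" in kms_providers and not kms_providers["azure"]

class AzureTokenCache:
    """Caches the IMDS access token and refreshes it shortly before it expires."""
    def __init__(self, fetch: Callable[[str, dict], str], clock=time.monotonic):
        self._fetch = fetch  # fetch(url, headers) -> response body as str
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # number of IMDS round trips actually made

    def access_token(self) -> str:
        now = self._clock()
        if self._token and now + REFRESH_MARGIN_S < self._expires_at:
            return self._token  # cache hit: no network call
        body = json.loads(self._fetch(IMDS_URL, IMDS_HEADERS))
        self.fetch_count += 1
        token = body.get("access_token")
        expires_in = int(body.get("expires_in", 0))  # IMDS sends this as a string
        if not token or expires_in <= 0:
            raise ValueError("IMDS response lacks a usable access_token/expires_in")
        self._token, self._expires_at = token, now + expires_in
        return token

def resolve_kms_providers(kms_providers: dict, cache: AzureTokenCache) -> dict:
    """Replace an empty 'azure' entry with {'accessToken': ...}; leave others as-is."""
    resolved = dict(kms_providers)
    if wants_automatic_azure(kms_providers):
        resolved["azure"] = {"accessToken": cache.access_token()}
    return resolved

def fake_imds(url: str, headers: dict) -> str:
    """Constructed offline stand-in for IMDS; the token value is made up."""
    if headers.get("Metadata") != "true":
        raise PermissionError("IMDS rejects requests without the Metadata: true header")
    return json.dumps({"access_token": "constructed-token", "expires_in": "3599"})
```

Explicit azure credentials (tenantId/clientId/clientSecret) never trigger the IMDS path, so a misconfigured provider map cannot silently fall back to the VM identity.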

      Mock server tests

      Mock server tests specified here:
      https://github.com/mongodb/specifications/commit/e780e91d708fe9c004a0b0023387baa850282881

      The mock server is available here: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/fake_azure.py

      Please see https://github.com/mongodb/mongo-c-driver/commit/671a15154f0dd0e4af3c8df2ac08dfe4acf01795#diff-d353a218f6d4ac77dfb35cc757a96af121a9ce1d3cf7b01535fa23e6d0c58016R98 for a reference implementation of the mock server tests in C.

      Integration tests

      Integration tests are specified here:
      https://github.com/mongodb/specifications/commit/cf778cb8add04c0c6d8f366e6352f3d0ac9c1694

      Scripts in the drivers-evergreen-tools .evergreen/csfle/azurekms directory may be used to create the temporary Azure Virtual Machine. Get credentials from DRIVERS-2411 Test Credentials.

      To test, add an Evergreen task group to do the following:

      • Create an Azure VM instance in a setup_group.
      • Destroy the Azure VM instance in a teardown_group. Using a teardown_group will destroy the instance if the task fails.

      Add a task in the task group to do the following:

      • Build and copy files to the remote Azure VM.
      • Install necessary dependencies on the remote Azure VM instance.
      • Run the test remotely.

      Please see https://github.com/mongodb/mongo-c-driver/pull/1124 and https://github.com/mongodb/mongo-c-driver/pull/1234/ for a reference implementation of the integration tests in C.

      It may be helpful to refer to driver tests for MONGODB-AWS ECS. The ECS tests perform a similar flow (copying and running a test on a remote ECS instance).

    • Fully Compatible
    • Needed

      This ticket was split from DRIVERS-2411; please see that ticket for a detailed description.

            Assignee: Jeffrey Yemin (jeff.yemin@mongodb.com)
            Reporter: PM Bot (dbeng-pm-bot)
            Votes: 0
            Watchers: 2