Type: Improvement
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: 5.2.1, 5.3.1, 5.4.0, 5.5.1
Component/s: Client Side Encryption
Java Drivers
When Client Side Field Level Encryption is enabled for a Java Spring Boot service running on Azure AKS using Azure Key Vault as the KMS, and the underlying cluster has multiple User Assigned Managed Identities and no System Assigned Managed Identity, the requests to IMDS from the com.mongodb.internal.authentication.AzureCredentialHelper.fetchAzureCredentialInfo() method fail with a 400.
It would be convenient to add a provision to supply the client_id via an environment variable (e.g. AZURE_CLIENT_ID) that this class can check and use when making the IMDS request.
The following line in the obtainFromEnvironment() method:
fetchAzureCredentialInfo("https://vault.azure.net", null);
could be replaced with something like:
String clientId = System.getenv("AZURE_CLIENT_ID");
CredentialInfo response = fetchAzureCredentialInfo("https://vault.azure.net", clientId);
This would give the flexibility to the application owners to specify the user managed identity to use.
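Until the driver reads a client_id itself, an application can work around the 400 by fetching the Key Vault token from IMDS on its own, with client_id set, and handing it to the driver. The following is an added example written for this page; it is not the driver's code and not the reporter's patch. It assumes Java 11+ (java.net.http), the driver's `kmsProviderPropertySuppliers` builder hook and the "azure" provider's `accessToken` property (check that both exist in the driver version you run), and an example key vault namespace of `encryption.__keyVault`. The IMDS endpoint, `api-version`, `Metadata: true` header and `client_id` query parameter are Azure's documented managed-identity interface: when a node carries several user-assigned identities and no system-assigned one, IMDS cannot choose an identity and answers 400 unless the caller names one.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

import com.mongodb.AutoEncryptionSettings;
import org.bson.Document;

/**
 * Added example (not driver code): obtains a Key Vault access token from Azure IMDS
 * while pinning the user-assigned managed identity through AZURE_CLIENT_ID, and hands
 * it to the driver through the "azure" KMS provider's property supplier.
 */
public final class AzureImdsTokenSupplier implements Supplier<Map<String, Object>> {

    // Azure IMDS managed-identity token endpoint; the "Metadata: true" header is mandatory.
    static final String IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token";
    static final String IMDS_API_VERSION = "2018-02-01";
    // Same resource the ticket shows the driver requesting for Key Vault.
    static final String KEY_VAULT_RESOURCE = "https://vault.azure.net";

    private final HttpClient http = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(5))
            .build();

    /**
     * Builds the IMDS token URL. client_id is appended only when set: with several
     * user-assigned identities and no system-assigned one, IMDS needs it to pick an
     * identity and otherwise answers 400.
     */
    static URI buildTokenUri(String resource, String clientId) {
        StringBuilder url = new StringBuilder(IMDS_TOKEN_ENDPOINT)
                .append("?api-version=").append(IMDS_API_VERSION)
                .append("&resource=").append(URLEncoder.encode(resource, StandardCharsets.UTF_8));
        if (clientId != null && !clientId.isBlank()) {
            url.append("&client_id=").append(URLEncoder.encode(clientId, StandardCharsets.UTF_8));
        }
        return URI.create(url.toString());
    }

    @Override
    public Map<String, Object> get() {
        // AZURE_CLIENT_ID is the variable name proposed in the ticket; here the application reads it, not the driver.
        String clientId = System.getenv("AZURE_CLIENT_ID");
        HttpRequest request = HttpRequest.newBuilder(buildTokenUri(KEY_VAULT_RESOURCE, clientId))
                .header("Metadata", "true")
                .timeout(Duration.ofSeconds(10))
                .GET()
                .build();
        HttpResponse<String> response;
        try {
            response = http.send(request, HttpResponse.BodyHandlers.ofString());
        } catch (IOException e) {
            throw new IllegalStateException("IMDS token request failed", e);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("IMDS token request interrupted", e);
        }
        if (response.statusCode() != 200) {
            // Surface the IMDS error body: a 400 here usually means no identity could be selected.
            throw new IllegalStateException("IMDS returned HTTP " + response.statusCode()
                    + " (client_id=" + clientId + "): " + response.body());
        }
        String accessToken = Document.parse(response.body()).getString("access_token");
        // "accessToken" is the azure KMS provider property used instead of tenantId/clientId/clientSecret (assumption: see lead-in).
        Map<String, Object> azureProps = new HashMap<>();
        azureProps.put("accessToken", accessToken);
        return azureProps;
    }

    /** Wires the supplier into automatic encryption; the key vault namespace is an assumed example value. */
    public static AutoEncryptionSettings autoEncryptionSettings() {
        Map<String, Map<String, Object>> kmsProviders = new HashMap<>();
        kmsProviders.put("azure", new HashMap<>()); // empty: properties come from the supplier below
        Map<String, Supplier<Map<String, Object>>> suppliers = new HashMap<>();
        suppliers.put("azure", new AzureImdsTokenSupplier());
        return AutoEncryptionSettings.builder()
                .keyVaultNamespace("encryption.__keyVault")
                .kmsProviders(kmsProviders)
                .kmsProviderPropertySuppliers(suppliers)
                .build();
    }
}
```

The supplier is called by the driver whenever it needs Key Vault credentials, so the token is refreshed on demand rather than cached past its lifetime. Set `AZURE_CLIENT_ID` in the pod spec to the client ID of the user-assigned identity that holds the Key Vault permissions; if it is unset, the request is sent without `client_id`, which only works on a node with a single usable identity.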