Type: Improvement
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: None
Component/s: None
To reproduce (code snippet using Ruby binding):
mongocrypt = Mongo::Crypt::Binding.mongocrypt_new
# Set crypto hooks if you're using a no-crypto version
Mongo::Crypt::Binding.mongocrypt_setopt_kms_provider_aws(mongocrypt, "", -1, "", -1)
Mongo::Crypt::Binding.mongocrypt_init(mongocrypt)
ctx = Mongo::Crypt::Binding.mongocrypt_ctx_new(mongocrypt)
Mongo::Crypt::Binding.mongocrypt_ctx_setopt_masterkey_aws(ctx, "region", -1, "arn", -1)
result = Mongo::Crypt::Binding.mongocrypt_ctx_datakey_init(ctx) # => false
status = Mongo::Crypt::Binding.mongocrypt_status_new
Mongo::Crypt::Binding.mongocrypt_ctx_status(ctx, status)
print Mongo::Crypt::Binding.mongocrypt_status_message(status, nil) # => failed to create KMS message
In this case, the issue is that the AWS credentials provided are empty, but the error isn't discovered until you attempt to initialize the context, and the error message is extremely vague.
I could think of improving this in two ways:
- Have mongocrypt_setopt_kms_provider_aws error if either the key or the secret is empty
- Improve the error message that is returned when trying to initialize the context to make it clear that the issue is with the AWS credentials.
Related to: MONGOCRYPT-257 KMS request error message should include information about what failed (Closed)
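
Added example (not part of the original ticket, and not libmongocrypt or Ruby driver code): a caller-side guard that rejects empty AWS credentials before they reach mongocrypt_setopt_kms_provider_aws, with an error that names the failing field without echoing its value. The names KmsCredentialError, aws_credential_problems, set_aws_kms_provider and FakeBinding are hypothetical; the binding call shape is taken from the snippet in the ticket, and its boolean return value is an assumption.

```ruby
# Added example: caller-side guard, not libmongocrypt or Ruby driver code.
class KmsCredentialError < ArgumentError; end

# Returns a list of problems. Each entry names the field but never
# includes the credential value, so secrets cannot leak into logs.
def aws_credential_problems(creds)
  %i[access_key_id secret_access_key].map do |field|
    value = creds[field]
    if value.nil? then "#{field} is missing"
    elsif !value.is_a?(String) then "#{field} must be a String"
    elsif value.strip.empty? then "#{field} is empty"
    end
  end.compact
end

# binding_mod is injected so the guard can be exercised without libmongocrypt;
# in real use it would be Mongo::Crypt::Binding (assumption: returns a boolean).
def set_aws_kms_provider(binding_mod, mongocrypt, creds)
  problems = aws_credential_problems(creds)
  unless problems.empty?
    raise KmsCredentialError,
          "AWS KMS credentials rejected: #{problems.join('; ')}"
  end
  ok = binding_mod.mongocrypt_setopt_kms_provider_aws(
    mongocrypt, creds[:access_key_id], -1, creds[:secret_access_key], -1
  )
  unless ok
    raise KmsCredentialError, "mongocrypt_setopt_kms_provider_aws returned false"
  end
  true
end

# Constructed stand-in for the binding: records calls and accepts any input,
# mirroring the behaviour reported in this ticket.
class FakeBinding
  attr_reader :calls

  def initialize
    @calls = []
  end

  def mongocrypt_setopt_kms_provider_aws(*args)
    @calls << args
    true
  end
end
```

With the guard in place, the empty-string case from the reproduction fails at the point where the credentials are supplied, rather than later at mongocrypt_ctx_datakey_init.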