-
Type:
New Feature
-
Resolution: Fixed
-
Priority:
Major - P3
-
Affects Version/s: None
-
Component/s: C library
-
None
Background & Motivation
KMS credentials are set on a mongocrypt_t with mongocrypt_setopt_kms_providers.
Once set, the KMS credentials cannot be changed for the lifetime of the mongocrypt_t.
This poses a problem for users wanting to use temporary credentials that may expire. There is no way to update the credentials on a mongocrypt_t
Here is an example of getting AWS temporary credentials and using them with Go driver for CSFLE.
Scope
- Add a new state, MONGOCRYPT_CTX_NEED_CREDENTIALS.
- Rationale: Refreshing credentials may require I/O from the wrapping driver. For async drivers, a mongocrypt_ctx_t entering a new state allows the async driver to schedule an async routine.
- Add a new function on mongocrypt_ctx_t to provide credentials.
- If a mongocrypt_ctx_t enters the state MONGOCRYPT_CTX_NEED_CREDENTIALS, the driver may call a new function on the mongocrypt_ctx_t to provide credentials.
- This can override credentials set in the mongocrypt_t.
- Add a new function on mongocrypt_t to opt in to the new behavior.
- Rationale: The new state requires bindings updates. Making this opt-in will not break existing drivers.
- is depended on by
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
MONGOCRYPT-393 Support on-demand credentials in Java binding
-
- Closed
-
- related to
-
MONGOCRYPT-428 mongocrypt_ctx_provide_kms_providers missing MONGOCRYPT_EXPORT
-
- Closed
-
-
DRIVERS-2017 Add ClientEncryption entity and Key Management API operations to Unified Test Format
-
- Closed
-