- Type: New Feature
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: C library
Background & Motivation
KMS credentials are set on a mongocrypt_t with mongocrypt_setopt_kms_providers.
Once set, the KMS credentials cannot be changed for the lifetime of the mongocrypt_t.
This poses a problem for users who want to use temporary credentials that may expire: there is no way to update the credentials on a mongocrypt_t.
Here is an example of getting AWS temporary credentials and using them with the Go driver for CSFLE.
Scope
- Add a new state, MONGOCRYPT_CTX_NEED_CREDENTIALS.
  - Rationale: Refreshing credentials may require I/O from the wrapping driver. For async drivers, a mongocrypt_ctx_t entering a new state allows the async driver to schedule an async routine.
- Add a new function on mongocrypt_ctx_t to provide credentials.
  - If a mongocrypt_ctx_t enters the state MONGOCRYPT_CTX_NEED_CREDENTIALS, the driver may call a new function on the mongocrypt_ctx_t to provide credentials.
  - This can override credentials set in the mongocrypt_t.
- Add a new function on mongocrypt_t to opt in to the new behavior.
  - Rationale: The new state requires bindings updates. Making this opt-in will not break existing drivers.
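To make the proposed flow concrete, here is an added Go sketch of the driver side of this design. It is not libmongocrypt's code nor the Go driver's: it models a mongocrypt_ctx_t in miniature so the new state, the per-context credential call (name taken from MONGOCRYPT-428), the override of the credentials fixed on the mongocrypt_t, and the opt-in can be exercised together. The numeric state values, the Creds fields, the one-minute refresh margin, the fetch callback and the function names are assumptions of this example.

```go
package main

import "time"

// Ctx states. NEED_CREDENTIALS is the state this ticket adds; the numeric values are assumed.
type CtxState int
const (
	CtxNeedCredentials CtxState = iota // MONGOCRYPT_CTX_NEED_CREDENTIALS
	CtxNeedKMS                         // KMS request pending with whatever credentials are in effect
)

// Creds are AWS temporary credentials with their expiry (only the fields this example needs).
type Creds struct{ AccessKeyID string; Expires time.Time }

// Ctx models mongocrypt_ctx_t. Static are the credentials fixed on the mongocrypt_t at setup; Provided
// overrides them for this ctx only. Drivers that did not opt in start every ctx directly in CtxNeedKMS.
type Ctx struct {
	State    CtxState
	Static   Creds
	Provided *Creds
}

// ProvideKMSProviders (name from MONGOCRYPT-428) is accepted only while the ctx asks for credentials.
func (x *Ctx) ProvideKMSProviders(c Creds) bool {
	if x.State != CtxNeedCredentials {
		return false
	}
	x.Provided, x.State = &c, CtxNeedKMS
	return true
}

// Effective returns the credentials a KMS request from this ctx would use.
func (x *Ctx) Effective() Creds {
	if x.Provided != nil {
		return *x.Provided
	}
	return x.Static
}

// RunCtx is the driver-side step for the new state. fetch (e.g. an STS AssumeRole call, injected so this
// runs offline) runs only when the ctx asks for credentials and the cached ones expire within a minute.
func RunCtx(x *Ctx, cache *Creds, fetch func() Creds, now time.Time) Creds {
	if x.State == CtxNeedCredentials {
		if !now.Add(time.Minute).Before(cache.Expires) {
			*cache = fetch()
		}
		x.ProvideKMSProviders(*cache)
	}
	return x.Effective() // ctx is now in CtxNeedKMS; the KMS round-trip itself is out of scope
}
```

One cached set of temporary credentials serves every context until it is about to expire, so the driver does credential I/O only when a context actually asks for it.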
is depended on by
- DRIVERS-2179 Add support for updating expired AWS KMS temporary access credentials using assumed roles in FLE (Closed)
- JAVA-4503 Integrate with libmongocrypt callback to obtain credentials from the environment (Closed)
- JAVA-4504 Support AWS credential supplier for client side encryption (Closed)
- MONGOCRYPT-393 Support on-demand credentials in Java binding (Closed)
related to
- MONGOCRYPT-428 mongocrypt_ctx_provide_kms_providers missing MONGOCRYPT_EXPORT (Closed)
- DRIVERS-2017 Add ClientEncryption entity and Key Management API operations to Unified Test Format (Closed)