The KeyVault.createKey() method accepts the following signature, which differs from what is currently supported in the old shell: KeyVault.createKey(keyManagementService, customerMasterKey, ["keyAltName"] ) Where the calls for the different KMS look like this: KeyVault.createKey('local') or KeyVault.createKey('local', ['keyAltName', ...] ) KeyVault.createKey('aws', { region: ..., key: ..., [...] } ) KeyVault.createKey('gcp', { projectId: ..., location: ..., keyRing: ..., keyName: ..., [...] } ) keyVault.createKey('azure', { keyName: ..., keyVaultEndpoint: ..., [...] } ) The full list of options, as well as their types and descriptions, can be found here: https://github.com/mongodb/libmongocrypt/blob/8a7db4aa932ff9b1d74a95757a6d4d7d8b606932/bindings/node/index.d.ts#L142-L215 Unlike in the old shell, the second argument to KeyVault.createKey() cannot be a string. The Mongo() constructor also takes additional values for the `kmsProvider` option: Mongo(..., { kmsProvider: { local: ..., aws: ..., gcp: ..., azure: ... } }) where the full list of possible subfields of `kmsProvider` and their types and descriptions can be found in https://github.com/mongodb/libmongocrypt/blob/8a7db4aa932ff9b1d74a95757a6d4d7d8b606932/bindings/node/index.d.ts#L36-L120 . For a KMS of 'local', passing in a `BinData`/`Binary` object rather than a `Buffer` remains supported, as in the old shell.