  1. MongoDB Shell
  2. MONGOSH-540

Update Shell FLE to support gcp azure kms

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major - P3
    • 0.8.0
    • Affects Version/s: None
    • Component/s: Shell API
    • None
    • 1
    • Iteration Tangerine, Iteration Uglifruit, Iteration Vegetable
    • Needed

      The KeyVault.createKey() method accepts the following signature, which differs from what is currently supported in the old shell:

      KeyVault.createKey(keyManagementService, customerMasterKey, ["keyAltName"])

      Where the calls for the different KMS look like this:

      KeyVault.createKey('local') or
      KeyVault.createKey('local', ['keyAltName', ...])
      KeyVault.createKey('aws', { region: ..., key: ..., [...] })
      KeyVault.createKey('gcp', { projectId: ..., location: ..., keyRing: ..., keyName: ..., [...] })
      keyVault.createKey('azure', { keyName: ..., keyVaultEndpoint: ..., [...] })

      The full list of options, as well as their types and descriptions, can be found here: https://github.com/mongodb/libmongocrypt/blob/8a7db4aa932ff9b1d74a95757a6d4d7d8b606932/bindings/node/index.d.ts#L142-L215

      Unlike in the old shell, the second argument to KeyVault.createKey() cannot be a string.

      The Mongo() constructor also takes additional values for the `kmsProvider` option:

      Mongo(..., {
        kmsProvider: { local: ..., aws: ..., gcp: ..., azure: ... }
      })

      where the full list of possible subfields of `kmsProvider` and their types and descriptions can be found in https://github.com/mongodb/libmongocrypt/blob/8a7db4aa932ff9b1d74a95757a6d4d7d8b606932/bindings/node/index.d.ts#L36-L120. For a KMS of 'local', passing in a `BinData`/`Binary` object rather than a `Buffer` remains supported, as in the old shell.
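
The argument rules described above, as an added example that is not mongosh's own code: a hypothetical `normalizeCreateKeyArgs` helper that rejects the old string form of the second argument and checks the master-key fields the ticket lists for each KMS. Treating every listed field as required, and 'local' as taking only an optional keyAltName array, are assumptions; the sample values are constructed.

```javascript
// Added example, not mongosh source. normalizeCreateKeyArgs is a hypothetical helper.
// Master-key fields per KMS as listed in the ticket; treating them as required is an assumption.
const MASTER_KEY_FIELDS = {
  aws: ['region', 'key'],
  gcp: ['projectId', 'location', 'keyRing', 'keyName'],
  azure: ['keyName', 'keyVaultEndpoint'],
};

function normalizeCreateKeyArgs(kms, second, third) {
  const isRemote = Object.prototype.hasOwnProperty.call(MASTER_KEY_FIELDS, kms);
  if (kms !== 'local' && !isRemote) {
    throw new TypeError(`unsupported KMS: ${String(kms)}`);
  }
  // The old shell accepted a string here; the new signature does not.
  if (typeof second === 'string') {
    throw new TypeError('second argument to createKey() cannot be a string');
  }
  let masterKey;
  let keyAltNames = third;
  if (kms === 'local') {
    // createKey('local') or createKey('local', ['keyAltName', ...])
    if (Array.isArray(second) && third === undefined) {
      keyAltNames = second;
    } else if (second !== undefined) {
      throw new TypeError("'local' takes only an optional keyAltName array");
    }
  } else {
    if (second === null || typeof second !== 'object' || Array.isArray(second)) {
      throw new TypeError(`'${kms}' requires a customer master key object`);
    }
    const missing = MASTER_KEY_FIELDS[kms].filter((f) => second[f] === undefined);
    if (missing.length > 0) {
      throw new TypeError(`'${kms}' master key is missing: ${missing.join(', ')}`);
    }
    masterKey = second;
  }
  const namesOk = keyAltNames === undefined ||
    (Array.isArray(keyAltNames) && keyAltNames.every((n) => typeof n === 'string'));
  if (!namesOk) {
    throw new TypeError('keyAltName must be an array of strings');
  }
  return { kms, masterKey, keyAltNames };
}

// Constructed sample values, not real cloud resources.
const gcpKey = { projectId: 'example-project', location: 'global', keyRing: 'ring-1', keyName: 'cmk-1' };
console.log(normalizeCreateKeyArgs('gcp', gcpKey, ['payments-key']));
```

Failing early on a malformed master key keeps a half-specified KMS reference from reaching the key vault call, where the error would be harder to attribute.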


          Assignee:
          michael.rose@mongodb.com Michael Rose (Inactive)
          Reporter:
          anna.herlihy@mongodb.com Anna Herlihy (Inactive)
          Votes:
          0
          Watchers:
          2
