NODE-4234 (Node.js Driver)

Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS


      DRIVERS-2280:

      • Call mongocrypt_setopt_use_need_kms_credentials_state to opt in to handling the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state.
      • Handle the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state. If the originally configured KMS providers have an empty aws: {}, attempt to obtain AWS credentials following the logic of Obtaining Credentials (excluding the URI section). Pass the new credentials back with mongocrypt_ctx_provide_kms_providers.
      • A new CSFLE prose test is introduced in 5cf3ed7.

      Please see the C driver implementation as a reference. Note: the C driver also supports a user-provided callback for KMS providers. That is not in scope of DRIVERS-2280.


      This ticket was split from DRIVERS-2280; please see that ticket for a detailed description.

      • Call mongocrypt_setopt_use_need_kms_credentials_state to opt in to handling the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state. This is already implemented in the libmongocrypt Node bindings.
      • Handle the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state (the Node state machine already has this case). If the originally configured KMS providers have an empty aws: {}, and the existing user-provided callback doesn't fill them out, attempt to obtain AWS credentials following the logic of Obtaining Credentials (excluding the URI section). Pass the new credentials back with mongocrypt_ctx_provide_kms_providers.
      • Write integration tests in the driver that test that the AWS credentials can be found and used.

      Please see the C driver implementation as a reference. Note: the C driver also supports a user-provided callback for KMS providers. That is not in scope of DRIVERS-2280.
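
The decision logic in the bullets above, sketched as an added example (not the driver's or libmongocrypt's own code). The function names, the `userCallback`/`fetchRemote` options and the sample values are hypothetical; `fetchRemote` stands in for the remaining non-URI sources of Obtaining Credentials, and the field names assume the usual `aws` KMS provider shape.

```javascript
// Added example. Only an `aws` entry that is present AND empty opts in to
// automatic credential lookup; explicit credentials are never replaced.
function needsAwsCredentials(kmsProviders) {
  const aws = kmsProviders && kmsProviders.aws;
  return aws != null && typeof aws === 'object' && Object.keys(aws).length === 0;
}

// First non-URI source: the standard AWS environment variables.
function awsCredentialsFromEnv(env) {
  const accessKeyId = env.AWS_ACCESS_KEY_ID;
  const secretAccessKey = env.AWS_SECRET_ACCESS_KEY;
  // Require the full pair; half a credential is treated as "not found".
  if (!accessKeyId || !secretAccessKey) return null;
  const creds = { accessKeyId, secretAccessKey };
  if (env.AWS_SESSION_TOKEN) creds.sessionToken = env.AWS_SESSION_TOKEN;
  return creds;
}

// Runs when the context reports MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS. The
// result is what would be passed to mongocrypt_ctx_provide_kms_providers.
async function resolveKmsProviders(configured, options = {}) {
  const { userCallback, fetchRemote, env = process.env } = options;
  let providers = { ...configured };
  // The user-provided callback goes first and may already fill in `aws`.
  if (userCallback) providers = { ...providers, ...(await userCallback()) };
  if (!needsAwsCredentials(providers)) return providers;
  const creds =
    awsCredentialsFromEnv(env) || (fetchRemote ? await fetchRemote() : null);
  // Fail closed: an empty `aws` must not reach the KMS request step.
  if (!creds) {
    throw new Error('aws: {} was configured but no AWS credentials were found');
  }
  return { ...providers, aws: creds };
}

// Constructed sample values, not real credentials.
const sampleEnv = {
  AWS_ACCESS_KEY_ID: 'AKIAEXAMPLE',
  AWS_SECRET_ACCESS_KEY: 'example-secret',
};
resolveKmsProviders({ aws: {} }, { env: sampleEnv })
  .then((p) => console.log(Object.keys(p.aws))); // field names only, no secrets
```
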

            Assignee:
            durran.jordan@mongodb.com Durran Jordan
            Reporter:
            dbeng-pm-bot PM Bot
            Neal Beeken