- Type: Sub-task
- Resolution: Fixed
- Priority: Unknown
- Affects Version/s: None
- Component/s: None
The AWS credential fetching code is too permissive about the input options for setting up FLE. It checks for the falsiness of the aws property on kmsProviders, which can cause a problem if a user is not using AWS as their KMS provider but does have the SDK installed for another use case. The library will pull in the SDK and attempt to fetch credentials, which in this scenario should fail since they are not using AWS for that.
This is a bug, although it will be a behavior change that we need to call out clearly at release time.
AC
- Modify the condition in loadCredentials to only enter the AWS credential obtaining logic if an 'aws' key is defined on kmsProviders and it is an empty JS object.
- Add a test to assert we don't obtain credentials if aws is falsy
  - Can be a sinon-powered unit test.
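A sketch of the two conditions side by side, added here as an illustration and not the driver's own code. Only `loadCredentials` and `kmsProviders` come from the ticket; the predicates, the synchronous `fetchAws` stub, the sample inputs, and the empty-object branch of the permissive check are assumptions.

```javascript
// Permissive model: a falsy `aws` triggers the fetch, as the ticket describes.
// The empty-object branch is an assumption so the on-demand case works in both models.
function permissiveNeedsAws(kmsProviders) {
  const aws = kmsProviders.aws;
  return !aws || Object.keys(aws).length === 0;
}

// Strict condition from the acceptance criteria: the 'aws' key is defined
// on kmsProviders and its value is an empty object.
function strictNeedsAws(kmsProviders) {
  const aws = kmsProviders.aws;
  return (
    Object.prototype.hasOwnProperty.call(kmsProviders, 'aws') &&
    aws !== null &&
    typeof aws === 'object' &&
    !Array.isArray(aws) &&
    Object.keys(aws).length === 0
  );
}

// Stand-in for loadCredentials; fetchAws replaces the SDK credential lookup.
function loadCredentials(kmsProviders, needsAws, fetchAws) {
  if (!needsAws(kmsProviders)) return kmsProviders; // untouched, SDK never called
  return { ...kmsProviders, aws: fetchAws() };
}

// Constructed sample inputs (all values are placeholders).
const samples = {
  localOnly: { local: { key: 'constructed-local-key' } },
  awsOnDemand: { aws: {} },
  awsExplicit: { aws: { accessKeyId: 'constructed-id', secretAccessKey: 'constructed-secret' } },
  awsUndefined: { local: { key: 'constructed-local-key' }, aws: undefined }
};

// Counts how often the credential fetch runs for each sample under a given condition.
function countFetches(needsAws) {
  const result = {};
  for (const [name, providers] of Object.entries(samples)) {
    let calls = 0;
    const fetchAws = () => {
      calls += 1;
      return { accessKeyId: 'fetched-id', secretAccessKey: 'fetched-secret' };
    };
    loadCredentials(providers, needsAws, fetchAws);
    result[name] = calls;
  }
  return result;
}

console.log('permissive:', countFetches(permissiveNeedsAws));
console.log('strict:    ', countFetches(strictNeedsAws));
```

Under the strict condition only `awsOnDemand` reaches the fetch, which is the behavior change the ticket says must be called out at release time.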