[CDRIVER-4435] Add support for GCP attached service accounts when using GCP KMS Created: 25/Jul/22  Updated: 28/Oct/23  Resolved: 03/Nov/22

Status: Closed
Project: C Driver
Component/s: Client Side Encryption
Affects Version/s: None
Fix Version/s: 1.24.0

Type: Improvement Priority: Major - P3
Reporter: PM Bot Assignee: Gil Alon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Issue split
split from DRIVERS-2377 Add support for GCP attached service ... Closed
Related
is related to PHPLIB-917 Add support for GCP attached service ... Closed
Quarter: FY23Q2, FY23Q3
Upstream Changes Summary:

DRIVERS-2377:
Summary of required changes

  • Upgrade dependency on libmongocrypt to 1.6.0 or higher. Binaries for 1.6.0 are available on the upload-all task.
  • Call mongocrypt_setopt_use_need_kms_credentials_state to opt in to handling the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state.
  • Handle the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state. If the originally configured KMS providers have an empty gcp: {}, attempt to obtain GCP credentials by sending an HTTP request described in the specification. Pass the new credentials back with mongocrypt_ctx_provide_kms_providers.
  • Add an integration test with a Google Compute Engine (GCE) instance. Get credentials from DRIVERS-2377 test credentials.

Additional background

Please see https://github.com/mongodb/specifications/commit/847d9ba741201f9c9d1305831a9c60e8ab2a1544 for the specification change.

Please see https://github.com/mongodb/mongo-go-driver/commit/91b240c6aab86680ed5e78746a5a5edcd408c237 for a reference implementation in Go.

Consider using the mock server for local development to test the HTTP request to the Metadata Server.

GCP access token is not cached. See the scope for rationale.
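As an added example (not code from the C driver, libmongocrypt, or this ticket), the C sketch below shows the driver-side logic the summary describes for the MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state: check that the originally configured KMS providers contain an empty gcp document, fetch an access token from the GCE metadata server, and build the gcp: {accessToken: ...} document that would be handed to mongocrypt_ctx_provide_kms_providers. The token URL and the Metadata-Flavor: Google header are taken from the referenced specification, not from this ticket; the fetch callback, the offline mock of the metadata server, the sample token value and the minimal JSON scanning are constructed assumptions, and no libmongocrypt symbol is actually linked. The token is requested on every entry to the state, matching the "not cached" note above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical HTTP fetch callback: performs a GET on `url` with one extra
 * request header and copies the response body into `out`. */
typedef bool (*metadata_fetch_fn)(const char *url, const char *header,
                                  char *out, size_t outlen);

/* Endpoint and header from the client-side encryption specification. */
#define GCP_TOKEN_URL \
  "http://metadata/computeMetadata/v1/instance/service-accounts/default/token"
#define GCP_METADATA_HEADER "Metadata-Flavor: Google"

/* True when the configured KMS providers (JSON text) contain an empty
 * gcp document, i.e. the application opted into on-demand credentials. */
static bool gcp_is_on_demand(const char *kms_providers_json) {
  const char *p = strstr(kms_providers_json, "\"gcp\"");
  if (!p) return false;
  p += strlen("\"gcp\"");
  while (*p == ' ' || *p == ':') p++;
  if (*p != '{') return false;
  p++;
  while (*p == ' ') p++;
  return *p == '}';
}

/* Extract the access_token string from the metadata server's JSON body.
 * Minimal scanner: enough for the flat document the server returns. */
static bool parse_access_token(const char *body, char *out, size_t outlen) {
  const char *key = "\"access_token\"";
  const char *p = strstr(body, key);
  if (!p) return false;
  p = strchr(p + strlen(key), '"'); /* opening quote of the value */
  if (!p) return false;
  p++;
  const char *end = strchr(p, '"'); /* closing quote of the value */
  if (!end) return false;
  size_t n = (size_t)(end - p);
  if (n == 0 || n + 1 > outlen) return false;
  memcpy(out, p, n);
  out[n] = '\0';
  return true;
}

/* Fetch a token and build {"gcp": {"accessToken": "..."}}, the document
 * a driver would pass to mongocrypt_ctx_provide_kms_providers. */
static bool build_gcp_kms_providers(metadata_fetch_fn fetch,
                                    char *out, size_t outlen) {
  char body[2048];
  char token[1024];
  if (!fetch(GCP_TOKEN_URL, GCP_METADATA_HEADER, body, sizeof body)) return false;
  if (!parse_access_token(body, token, sizeof token)) return false;
  int n = snprintf(out, outlen, "{\"gcp\": {\"accessToken\": \"%s\"}}", token);
  return n > 0 && (size_t)n < outlen;
}

/* Handler for MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS. Returns false when the
 * configuration did not opt in or when no token could be obtained. The
 * token is fetched on every call; nothing is cached. */
static bool handle_need_kms_credentials(const char *configured_kms_providers,
                                        metadata_fetch_fn fetch,
                                        char *out, size_t outlen) {
  if (!gcp_is_on_demand(configured_kms_providers)) return false;
  return build_gcp_kms_providers(fetch, out, outlen);
}

/* Constructed offline stand-in for the GCE metadata server. */
static bool mock_metadata_fetch(const char *url, const char *header,
                                char *out, size_t outlen) {
  if (strcmp(url, GCP_TOKEN_URL) != 0) return false;
  if (strcmp(header, GCP_METADATA_HEADER) != 0) return false;
  snprintf(out, outlen, "{\"access_token\":\"ya29.constructed-sample-token\","
                        "\"expires_in\":3599,\"token_type\":\"Bearer\"}");
  return true;
}

/* Constructed stand-in for a metadata server that returns no token. */
static bool mock_metadata_fetch_error(const char *url, const char *header,
                                      char *out, size_t outlen) {
  (void)url; (void)header;
  snprintf(out, outlen, "{\"error\":\"not found\"}");
  return true;
}

int main(void) {
  char doc[2048];
  if (handle_need_kms_credentials("{\"gcp\": {}}", mock_metadata_fetch,
                                  doc, sizeof doc)) {
    printf("provide_kms_providers <- %s\n", doc);
  }
  return 0;
}
```

A real driver would replace the fetch callback with its HTTP client and pass the resulting document through mongocrypt_ctx_provide_kms_providers as a BSON binary; the two failure paths (configuration without an empty gcp document, response without access_token) are the cases worth covering in the integration test.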

Integration test

Drivers are expected to run an integration test with a temporary Google Compute Engine instance. Scripts in the drivers-evergreen-tools .evergreen/csfle/gcpkms directory may be used.

To test, add an Evergreen task group to do the following:

  • Create a GCE instance in a setup_group.
  • Destroy the GCE instance in a teardown_group. Using a teardown_group will destroy the instance if the task fails.

Add a task in the task group to do the following:

  • Build and copy files to the remote GCE instance.
  • Install necessary dependencies on the remote GCE instance.
  • Run the test remotely.

Please see https://github.com/mongodb/mongo-go-driver/commit/91b240c6aab86680ed5e78746a5a5edcd408c237#diff-2bc841e86ce96b7b422ae203fd8315d0b2a461956cecbe0e096420656fc3fb12R2248 for a reference implementation of the integration test in Go.

It may be helpful to refer to driver tests for MONGODB-AWS ECS. The ECS tests perform a similar flow (copying and running a test on a remote ECS instance).

Backwards Compatibility: Fully Compatible

Description

This ticket was split from DRIVERS-2377, please see that ticket for a detailed description.



Comments
Comment by Githook User [ 03/Nov/22 ]

Author:

{'name': 'Gil Alon', 'email': '47804748+galon1@users.noreply.github.com', 'username': 'galon1'}

Message: CDRIVER-4435 Add support for GCP service accounts in GCP KMS (#1140)

CDRIVER-4435 create gcp token through HTTP request and add integration testing
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/41e66d449da81b7a273627ee4bd9d25415d8574e

Generated at Wed Feb 07 21:20:55 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.