[CXX-2565] Support the Azure VM-assigned Managed Identity for Automatic KMS Credentials Created: 11/Aug/22  Updated: 27/Oct/23  Resolved: 29/Mar/23

Status: Closed
Project: C++ Driver
Component/s: Client Side Encryption
Affects Version/s: None
Fix Version/s: 3.8.0

Type: Improvement Priority: Unknown
Reporter: PM Bot Assignee: Colby Pike
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Issue split
split from DRIVERS-2411 Support the Azure VM-assigned Managed... Closed
Related
related to CXX-2669 Clean up Azure resources on task failure Closed
Quarter: FY24Q1
Upstream Changes Summary:

DRIVERS-2411:
Implementation

libmongocrypt 1.6.0 or higher is required. Binaries for 1.6.0 are available on the upload-all task.

The spec changes introduce another method of obtaining KMS credentials automatically, much like with GCP and AWS:

  • When kmsProviders contains an azure entry that is an empty document, it indicates a request for automatic Azure credentials.
  • To obtain credentials, issue an HTTP request (from inside the VM) to the Azure Instance Metadata Service (IMDS).
  • IMDS issues an access token that can be used to authenticate to Azure Key Vault (if the VM's managed identity has been granted sufficient permissions on the vault).
  • Additionally, this version of automatic KMS credentials requires drivers to cache the access token and reuse it until it expires, rather than requesting a new token for every KMS operation.

The associated spec changes are specified here: https://github.com/mongodb/specifications/commit/d6b8cce6abb3b8e1a0b8f1dc7ee737e18322cfce

The initial implementation for the C driver is here: https://github.com/mongodb/mongo-c-driver/commit/686bff81f565f93db83d99902ce1c3a6f89922c7

Mock server tests

Mock server tests specified here:
https://github.com/mongodb/specifications/commit/e780e91d708fe9c004a0b0023387baa850282881

The mock server is available here: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/fake_azure.py

Please see https://github.com/mongodb/mongo-c-driver/commit/671a15154f0dd0e4af3c8df2ac08dfe4acf01795#diff-d353a218f6d4ac77dfb35cc757a96af121a9ce1d3cf7b01535fa23e6d0c58016R98 for a reference implementation of the mock server tests in C.
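The flow summarized above (empty azure kmsProviders entry, IMDS request with the Metadata header, token caching) and the mock-server style of testing it, as an added example that is not libmongocrypt, driver or fake_azure.py code. It runs a constructed fake IMDS token endpoint on localhost and a small client against it. Assumptions: the api-version value 2018-02-01, a 60-second refresh margin before expiry, the constructed token strings, and the names of the helper functions and classes.

```python
import json
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_PATH = "/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"                 # assumption: the version the client pins
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def wants_automatic_azure(kms_providers):
    """An empty `azure` document in kmsProviders requests automatic credentials."""
    return kms_providers.get("azure") == {}


class FakeIMDSHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the IMDS token endpoint (test double, not Azure)."""
    issued = 0  # tokens minted so far; lets the caller observe caching behaviour

    def log_message(self, *_):  # keep test output quiet
        pass

    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        resource = urllib.parse.parse_qs(url.query).get("resource", [""])[0]
        # Real IMDS rejects requests lacking `Metadata: true` (a guard against
        # forwarded/SSRF requests); the fake also insists on the Key Vault resource.
        if (url.path != IMDS_PATH or self.headers.get("Metadata") != "true"
                or resource != KEY_VAULT_RESOURCE):
            self.send_response(400)
            self.end_headers()
            return
        type(self).issued += 1
        body = json.dumps({
            "access_token": f"tok-{self.issued}",  # constructed token value
            "expires_in": "3599",                  # IMDS returns seconds as a string
            "resource": resource,
            "token_type": "Bearer",
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def _no_proxy_opener():
    # Never route IMDS traffic through an HTTP proxy: an empty ProxyHandler
    # overrides any http_proxy environment variable.
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


class AzureTokenCache:
    """Fetches a Key Vault access token from IMDS and reuses it until near expiry."""

    def __init__(self, imds_base, margin_s=60, clock=time.monotonic):
        self._base = imds_base
        self._margin = margin_s          # assumption: refresh this long before expiry
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def _fetch(self):
        qs = urllib.parse.urlencode({"api-version": API_VERSION,
                                     "resource": KEY_VAULT_RESOURCE})
        req = urllib.request.Request(f"{self._base}{IMDS_PATH}?{qs}",
                                     headers={"Metadata": "true"})
        with _no_proxy_opener().open(req, timeout=10) as resp:
            doc = json.load(resp)
        return doc["access_token"], int(doc["expires_in"])

    def get_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            token, expires_in = self._fetch()
            self._token = token
            self._expires_at = now + max(expires_in - self._margin, 0)
        return self._token


def start_fake_imds():
    """Start the fake IMDS on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeIMDSHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def demo():
    """Two calls inside the lifetime reuse one token; a call after expiry refetches."""
    FakeIMDSHandler.issued = 0
    server, base = start_fake_imds()
    try:
        fake_now = [1000.0]
        cache = AzureTokenCache(base, clock=lambda: fake_now[0])
        first = cache.get_token()
        second = cache.get_token()      # within lifetime: served from the cache
        fake_now[0] += 3600             # past expires_in - margin: refetch
        third = cache.get_token()
        try:                            # a request without the header is rejected
            _no_proxy_opener().open(f"{base}{IMDS_PATH}?api-version={API_VERSION}")
            rejected = False
        except urllib.error.HTTPError as e:
            rejected = e.code == 400
        return {"first": first, "second": second, "third": third,
                "fetches": FakeIMDSHandler.issued, "no_header_rejected": rejected}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The clock is injectable so a test can move time forward without sleeping; the same hook is what a driver test would use to assert that the token is reused within its lifetime and refreshed once the margin is reached. Treat the returned access token as a secret: it must not be logged or cached to disk.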

Integration tests

Integration tests are specified here:
https://github.com/mongodb/specifications/commit/cf778cb8add04c0c6d8f366e6352f3d0ac9c1694

Scripts in the drivers-evergreen-tools .evergreen/csfle/azurekms directory may be used to create the temporary Azure Virtual Machine. Get credentials from DRIVERS-2411 Test Credentials.

To test, add an Evergreen task group to do the following:

  • Create an Azure VM instance in a setup_group.
  • Destroy the Azure VM instance in a teardown_group. Using a teardown_group ensures the instance is destroyed even if the task fails, so a failed run does not leak a VM.

Add a task in the task group to do the following:

  • Build and copy files to the remote Azure VM.
  • Install necessary dependencies on the remote Azure VM instance.
  • Run the test remotely.

Please see https://github.com/mongodb/mongo-c-driver/pull/1124 and https://github.com/mongodb/mongo-c-driver/pull/1234/ for a reference implementation of the integration tests in C.

It may be helpful to refer to driver tests for MONGODB-AWS ECS. The ECS tests perform a similar flow (copying and running a test on a remote ECS instance).
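The task-group shape the steps above describe, as an added illustration that is not the C++ driver's actual Evergreen configuration. The script paths under azurekms/ and the function and task names are placeholders (assumptions); consult drivers-evergreen-tools for the real script names and the environment variables they expect.

```yaml
# Added illustration only; placeholder names, not the project's real config.
task_groups:
  - name: testazurekms_task_group
    setup_group_can_fail_task: true
    setup_group:
      - func: fetch source                     # placeholder: the usual checkout func
      - command: subprocess.exec
        params:
          binary: bash
          args:
            - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/create-vm.sh   # placeholder
    teardown_group:
      # Runs whether the task passed or failed, so the VM is always destroyed.
      - command: subprocess.exec
        params:
          binary: bash
          args:
            - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/delete-vm.sh   # placeholder
    tasks:
      - testazurekms-task

tasks:
  - name: testazurekms-task
    commands:
      - command: subprocess.exec               # build locally, copy to the VM
        params:
          binary: bash
          args:
            - .evergreen/build-and-copy-to-azure-vm.sh                   # placeholder
      - command: subprocess.exec               # install deps and run the test remotely
        params:
          binary: bash
          args:
            - .evergreen/run-azurekms-test-on-vm.sh                      # placeholder
```

The point of the structure is that teardown_group, unlike a trailing command in the task itself, executes even when an earlier command fails, which is what keeps temporary VMs from accumulating in the Azure subscription.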


Description

This ticket was split from DRIVERS-2411, please see that ticket for a detailed description.



Comments
Comment by Kevin Albertson [ 05/Jun/23 ]

This work is done in the C driver as part of CDRIVER-4454. Users only need to upgrade the C driver to get these changes.

Generated at Wed Feb 07 22:06:21 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.