[DRIVERS-1780] Support for Azure Managed Identities Created: 25/May/21 Updated: 17/Oct/22 Resolved: 15/Sep/22 |
| Status: | Closed |
| Project: | Drivers |
| Component/s: | Client Side Encryption |
| Fix Version/s: | None |
| Type: | Epic | Priority: | Major - P3 |
| Reporter: | Rachelle Palmer | Assignee: | Colby Pike |
| Resolution: | Duplicate | Votes: | 2 |
| Labels: | FLE | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: | |
| Driver Changes: | Needed | ||
| Quarter: | FY23Q3 | ||
| Description |
Epic Summary: Add support for Azure "managed identities" to make Azure Key Vault requests. I believe this is the Azure equivalent to assumedRole() / AWS IAM. See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-nonaad#access-data for more details.
Motivation: who is asking for this and why
Cast of Characters: Engineering Lead: Kevin Albertson
Slack Channel: [Scope Document|some.url] [Technical Design Document|some.url] |
| Comments |
| Comment by PM Bot [ 18/Jan/22 ] |
If you are not logged in, you can view the tickets in this epic by following this link. |
| Comment by Jeegar Ghodasara [ 30/Aug/21 ] |
We are working with RBC, based in Toronto, to stand up a MongoDB-as-a-service platform on Azure AKS (not Atlas; EA with our enterprise k8s operator), and they have asked if we are planning to support "Azure managed identities" for CSFLE (Azure Key Vault). Details are below. According to the customer, this will be a pretty common requirement for all Azure customers who want to use CSFLE on EA or Atlas.

From the customer: Just wanted to put something forward for the product team at MongoDB that takes care of the Field Level Encryption client driver. We would like to see Azure managed identities supported in the driver. It ends up being a simpler way for applications to manage the credentials for accessing Azure resources. It also manages the rotation of those credentials, which a standard Azure AD Application would require.
With every containerized application we deploy we assign a user-assigned managed identity. This allows each application to have its own set of credentials that can be used against Azure resources for authentication. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Currently the KMS provider for Azure Key Vault only supports the following properties. It would be helpful if the properties were exposed to allow managed identities to work as well. The libraries used for this are the same as with Azure AD Applications, but an API call can also be used to get the token. These examples show using a system-assigned managed identity, but user-assigned just requires adding the objectID of the identity in the request.
|
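The token flow the customer's comment describes, as an added example in Python; it is not code from the ticket, from the customer, or from the MongoDB drivers or libmongocrypt. It requests a Key Vault access token from the Azure Instance Metadata Service (IMDS), selects a user-assigned identity by object ID when one is given, validates and caches the token with an expiry margin, and attaches it as a bearer token to a Key Vault wrapKey call, which is the operation a CSFLE client needs for each data encryption key. The IMDS endpoint, its api-version, the "Metadata: true" header and the object_id parameter are Azure's documented values; the Key Vault api-version 7.3, the vault and key names, the offline opener and the sample token response are assumptions constructed so the example runs without an Azure VM.

```python
"""Azure managed-identity token for Key Vault via IMDS (added example)."""
import base64
import json
import time
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Azure Instance Metadata Service token endpoint. It is only reachable from
# inside an Azure VM or AKS node, and the "Metadata: true" header is mandatory.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "7.3"  # assumption: any 7.x version serves wrapkey


def build_token_request(object_id=None, resource=KEY_VAULT_RESOURCE):
    """Return (url, headers) for an IMDS token request.

    object_id=None uses the system-assigned identity; passing the object ID
    of a user-assigned identity selects that identity instead.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if object_id is not None:
        params["object_id"] = object_id
    return f"{IMDS_TOKEN_ENDPOINT}?{urlencode(params)}", {"Metadata": "true"}


def parse_token_response(body, now=None, min_ttl=60):
    """Validate an IMDS token response and return (access_token, expires_on).

    Rejects non-bearer tokens, tokens minted for a resource other than Key
    Vault, and tokens expiring within min_ttl seconds, so a cached token is
    never sent to Key Vault moments before it becomes invalid.
    """
    data = json.loads(body)
    if data.get("token_type", "Bearer") != "Bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    if "resource" in data and data["resource"].rstrip("/") != KEY_VAULT_RESOURCE:
        raise ValueError(f"token is for {data['resource']!r}, not Key Vault")
    expires_on = int(data["expires_on"])  # IMDS returns this as a string
    now = time.time() if now is None else now
    if expires_on - now < min_ttl:
        raise ValueError("token expired or about to expire; fetch a new one")
    return data["access_token"], expires_on


class ManagedIdentityCredential:
    """Fetch and cache a Key Vault token from IMDS, refreshing before expiry."""

    def __init__(self, object_id=None, opener=urlopen):
        self.object_id = object_id
        self.opener = opener  # injectable so the flow can run offline (see below)
        self._token, self._expires_on = None, 0

    def get_token(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or self._expires_on - now < 60:
            url, headers = build_token_request(self.object_id)
            with self.opener(Request(url, headers=headers), timeout=5) as resp:
                self._token, self._expires_on = parse_token_response(
                    resp.read().decode(), now=now)
        return self._token


def build_wrapkey_request(vault_name, key_name, key_version, access_token, data_key):
    """Return (url, headers, body) for Key Vault's wrapKey operation."""
    url = (f"https://{vault_name}.vault.azure.net/keys/{quote(key_name)}/"
           f"{quote(key_version)}/wrapkey?api-version={KEY_VAULT_API_VERSION}")
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    # Key Vault encodes binary values as base64url without padding.
    value = base64.urlsafe_b64encode(data_key).rstrip(b"=").decode()
    return url, headers, json.dumps({"alg": "RSA-OAEP-256", "value": value})


# Constructed sample IMDS response (not captured from a real VM); the token
# body is a placeholder and expires_on is 2025-01-01T00:00:00Z.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.example",
    "expires_on": "1735689600",
    "resource": "https://vault.azure.net/",
    "token_type": "Bearer",
})


class _FakeResponse:
    def __init__(self, body): self._body = body.encode()
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def offline_opener(request, timeout=None):
    """Stand-in for urlopen: checks the request is shaped as IMDS requires."""
    assert request.get_header("Metadata") == "true", "IMDS rejects this request"
    return _FakeResponse(SAMPLE_IMDS_RESPONSE)


if __name__ == "__main__":
    # Hypothetical user-assigned identity object ID and vault/key names.
    cred = ManagedIdentityCredential("11111111-2222-3333-4444-555555555555",
                                     opener=offline_opener)
    token = cred.get_token(now=1735689600 - 3600)
    url, headers, body = build_wrapkey_request("myvault", "csfle-key", "abc123",
                                               token, b"\x00" * 16)
    print(url, headers["Authorization"][:20] + "...", body)
```

On a real VM or AKS pod, drop the offline_opener argument so urlopen talks to 169.254.169.254 directly; the request must not leave the node, so never route it through an HTTP proxy. Keep the object ID out of source control and inject it through configuration, since the identity bound to a pod is a deployment concern rather than an application constant.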