[DRIVERS-1780] Support for Azure Managed Identities Created: 25/May/21  Updated: 17/Oct/22  Resolved: 15/Sep/22

Status: Closed
Project: Drivers
Component/s: Client Side Encryption
Fix Version/s: None

Type: Epic Priority: Major - P3
Reporter: Rachelle Palmer Assignee: Colby Pike
Resolution: Duplicate Votes: 2
Labels: FLE
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates DRIVERS-2411 Support the Azure VM-assigned Managed... Closed
Related
Driver Changes: Needed
Quarter: FY23Q3

 Description   

Epic Summary

Add support for Azure "managed identities" to make Azure Key Vault requests. I believe this is the Azure equivalent to assumedRole() / AWS IAM. See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-nonaad#access-data for more details.

Motivation

See also https://feedback.mongodb.com/forums/924145-atlas/suggestions/42163234-authentification-on-azure-iam

Cast of Characters

Engineering Lead: Kevin Albertson
Document Author:
POCers:
Product Owner: Rachelle Palmer
Program Manager:
Stakeholders:




 Comments   
Comment by Jeegar Ghodasara [ 30/Aug/21 ]

We are working with RBC based in Toronto to stand up a MongoDB-as-a-service platform on Azure AKS (not Atlas; EA with our enterprise k8s operator), and they have asked if we are planning to support "Azure managed identities" for CSFLE (Azure Key Vault). Details are below. According to the customer, this will be a pretty common requirement for all Azure customers who want to use CSFLE on EA or Atlas.

From the customer:

Just wanted to put something forward for the product team at MongoDB that takes care of the Field Level Encryption client driver. We would like to see Azure managed identities supported in the driver. It ends up being a simpler way for applications to manage the credentials for accessing Azure resources. It also manages the rotation of those credentials, which a standard Azure AD Application would require.

 

With every containerized application we deploy we assign a user-assigned managed identity.  This allows each application to have its own set of credentials that can be used against Azure resources for authentication.

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

 

Currently the KMS provider for Azure Key Vault only supports the following properties. It would be helpful if the properties were exposed to allow managed identities to work as well. The libraries used for this are the same as with Azure AD Applications, but an API call can also be used to get the token. These examples show using a system-assigned managed identity; user-assigned just requires adding the object ID of the identity in the request.

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token

 

"kmsProviders": {
  "azure": {
    "tenantId": "AzureTenantId",
    "clientId": "AzureClientId",
    "clientSecret": "AzureClientSecret"
  }
}
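The token retrieval the customer describes above (a plain API call to the Azure Instance Metadata Service from inside the VM or AKS pod, with the identity's client ID added for a user-assigned identity), as an added example written for this ticket; it is not code from the comment, the MongoDB drivers, or libmongocrypt. The IMDS endpoint, API version, and response fields follow the Microsoft page linked in the comment. What is assumed: the driver would accept a caller-supplied access token under kmsProviders.azure.accessToken instead of tenantId/clientId/clientSecret (the property shape this ticket asks for, not something the driver exposed at the time), and the constructed IMDS response used for offline testing. The `TokenSource` caches the token and refreshes it before expiry, which is the part that goes wrong in practice when a token is fetched once at startup.

```python
"""Azure managed-identity token for Azure Key Vault via IMDS.

Example code for DRIVERS-1780, not part of the MongoDB drivers or libmongocrypt.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Documented IMDS token endpoint (link-local, only reachable from the VM/pod).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
# Audience for Azure Key Vault data-plane calls (wrap/unwrap key).
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def build_imds_request(resource: str = KEY_VAULT_RESOURCE,
                       client_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for the IMDS token request.

    No client_id -> the system-assigned identity of the VM/pod is used.
    client_id   -> selects a user-assigned identity (what the customer does
                   per containerized application).
    The 'Metadata: true' header is required by IMDS; it is there so that an
    SSRF through a proxy cannot pull a token out of the metadata service.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}


def fetch_via_imds(url: str, headers: Dict[str, str], timeout: float = 2.0) -> str:
    """Real transport: plain HTTP to IMDS, bypassing any configured proxy."""
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


class TokenSource:
    """Fetches an IMDS token and re-fetches it `refresh_margin` seconds before expiry."""

    def __init__(self, fetch: Callable[[str, Dict[str, str]], str] = fetch_via_imds,
                 client_id: Optional[str] = None, refresh_margin: int = 300,
                 clock: Callable[[], float] = time.time):
        self._fetch, self._client_id = fetch, client_id
        self._margin, self._clock = refresh_margin, clock
        self._token: Optional[str] = None
        self._expires_on = 0

    def access_token(self) -> str:
        if self._token is None or self._clock() >= self._expires_on - self._margin:
            url, headers = build_imds_request(client_id=self._client_id)
            body = json.loads(self._fetch(url, headers))
            if body.get("token_type") != "Bearer" or "access_token" not in body:
                raise ValueError("unexpected IMDS token response")
            self._token = body["access_token"]
            self._expires_on = int(body["expires_on"])  # IMDS returns it as a string
        return self._token

    def kms_providers(self) -> dict:
        # ASSUMPTION: a driver accepting a pre-fetched token under this key.
        return {"azure": {"accessToken": self.access_token()}}


def make_fake_imds(token: str, expires_on: int) -> Tuple[Callable, List[str]]:
    """Constructed stand-in for IMDS so the example runs offline; records requested URLs."""
    calls: List[str] = []

    def fetch(url: str, headers: Dict[str, str]) -> str:
        assert headers.get("Metadata") == "true", "IMDS rejects requests without Metadata: true"
        calls.append(url)
        # Field names and types mirror the documented IMDS response (values constructed).
        return json.dumps({"access_token": token, "expires_in": "3599",
                           "expires_on": str(expires_on), "resource": KEY_VAULT_RESOURCE,
                           "token_type": "Bearer"})
    return fetch, calls


if __name__ == "__main__":
    fetch, calls = make_fake_imds("constructed-token", int(time.time()) + 3599)
    src = TokenSource(fetch=fetch, client_id="00000000-0000-0000-0000-000000000000")
    print(src.kms_providers())
    print("IMDS calls:", calls)
```

Run on a real VM or pod, `TokenSource()` with the default transport talks to IMDS directly; the `make_fake_imds` helper exists only so the control flow (identity selection, header requirement, refresh-before-expiry) can be exercised without Azure.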

Generated at Thu Feb 08 08:24:00 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.