[DRIVERS-2280] Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS Created: 18/Apr/22  Updated: 14/Aug/23  Resolved: 31/Mar/23

Status: Closed
Project: Drivers
Component/s: Client Side Encryption
Fix Version/s: None

Type: New Feature Priority: Unknown
Reporter: Jeffrey Yemin Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by DRIVERS-2179 Add support for updating expired AWS ... Closed
Issue split
split to JAVA-4604 Obtain AWS credentials for CSFLE in t... Closed
split to CDRIVER-4382 Obtain AWS credentials for CSFLE in t... Closed
split to CSHARP-4168 Obtain AWS credentials for CSFLE in t... Closed
split to CXX-2508 Obtain AWS credentials for CSFLE in t... Closed
split to GODRIVER-2410 Obtain AWS credentials for CSFLE in t... Closed
split to MOTOR-959 Obtain AWS credentials for CSFLE in t... Closed
split to NODE-4234 Obtain AWS credentials for CSFLE in t... Closed
split to PYTHON-3256 Obtain AWS credentials for CSFLE in t... Closed
split to RUBY-2989 Obtain AWS credentials for CSFLE in t... Closed
split to RUST-1314 Obtain AWS credentials for CSFLE in t... Closed
split to PHPLIB-866 Obtain AWS credentials for CSFLE in t... Closed
Related
related to JAVA-4499 Obtain AWS credentials for CSFLE in t... Closed
related to DRIVERS-2011 On-demand callback for AWS credentials Closed
related to DRIVERS-2377 Add support for GCP attached service ... Closed
Driver Changes: Needed
Quarter: FY23Q3
Downstream Changes Summary:
  • Call mongocrypt_setopt_use_need_kms_credentials_state to opt in to handling the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state.
  • Handle the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state. If the originally configured KMS providers have an empty aws: {}, attempt to obtain AWS credentials following the logic of Obtaining Credentials (excluding the URI section). Pass the new credentials back with mongocrypt_ctx_provide_kms_providers.
  • A new CSFLE prose test is introduced in 5cf3ed7.

Please see the C driver implementation as a reference. Note: the C driver also supports a user-provided callback for KMS providers. That is not in the scope of DRIVERS-2280.
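The state handling described in the Downstream Changes Summary, written out as an added example (not driver or libmongocrypt code): the HTTP transport is injected as a callable and the metadata service is a constructed stand-in, so the lookup order (environment, ECS, EC2 IMDSv2; the URI step is omitted as the summary says) runs offline.

```python
import json

# Added example, not driver or libmongocrypt code. It models what a driver does when
# libmongocrypt returns MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS: if the configured
# kmsProviders has an empty "aws": {}, resolve credentials in the auth spec's
# "Obtaining Credentials" order minus the URI step and return the document that is
# handed to mongocrypt_ctx_provide_kms_providers. Field names match kmsProviders.aws.
ECS_BASE = "http://169.254.170.2"
IMDS_BASE = "http://169.254.169.254"
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"

def _from_env(env):
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if not (key and secret):
        return None  # nothing usable here; fall through to the next source
    creds = {"accessKeyId": key, "secretAccessKey": secret}
    if env.get("AWS_SESSION_TOKEN"):
        creds["sessionToken"] = env["AWS_SESSION_TOKEN"]
    return creds

def _from_ecs(env, http):
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if not rel:
        return None
    body = json.loads(http("GET", ECS_BASE + rel, {}))
    return {"accessKeyId": body["AccessKeyId"], "secretAccessKey": body["SecretAccessKey"],
            "sessionToken": body["Token"]}

def _from_imds(http):
    # IMDSv2: obtain a short-lived session token, then the role name, then its credentials.
    token = http("PUT", IMDS_BASE + "/latest/api/token", {"X-aws-ec2-metadata-token-ttl-seconds": "30"})
    hdr = {"X-aws-ec2-metadata-token": token}
    role = http("GET", IMDS_BASE + ROLE_PATH, hdr).strip()
    body = json.loads(http("GET", IMDS_BASE + ROLE_PATH + role, hdr))
    return {"accessKeyId": body["AccessKeyId"], "secretAccessKey": body["SecretAccessKey"],
            "sessionToken": body["Token"]}

def on_need_kms_credentials(configured, env, http):
    """Return the kmsProviders document to pass back for this context.
    http(method, url, headers) -> str is injected so the logic can run offline."""
    if configured.get("aws") != {}:
        return {}  # aws was given explicitly (or not at all): nothing to load on demand
    # IMDS is the last resort; a transport error there propagates as the failure.
    creds = _from_env(env) or _from_ecs(env, http) or _from_imds(http)
    return {"aws": creds}  # fresh credentials each time the state is hit, so rotation works

def fake_imds_http(method, url, headers):
    """Constructed stand-in for the EC2 instance metadata service (sample values only)."""
    if method == "PUT" and url.endswith("/latest/api/token"):
        return "imds-session-token"
    assert headers.get("X-aws-ec2-metadata-token") == "imds-session-token", "IMDSv2 token required"
    if url.endswith(ROLE_PATH):
        return "example-role\n"
    return json.dumps({"AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "s3cr3t",
                       "Token": "session-token", "Expiration": "2030-01-01T00:00:00Z"})
```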

Driver Compliance:
Key Status/Resolution FixVersion
CDRIVER-4382 Done 1.23.0
CXX-2508 Works as Designed 3.8.0
CSHARP-4168 Fixed 2.18.0
GODRIVER-2410 Fixed 1.12.0, 1.12.0-alpha1
JAVA-4604 Duplicate
NODE-4234 Fixed 4.11.0, mongodb-client-encryption-2.4.0
MOTOR-959 Won't Do
PYTHON-3256 Fixed pymongocrypt-1.4, 4.3.3
PHPLIB-866 Fixed 1.16.0
RUBY-2989 Fixed 2.19.0
RUST-1314 Fixed 2.4.0
SWIFT-1564 Won't Do

Description

Summary

Currently, for the MONGODB-AWS authentication mechanism the driver obtains the credentials according to the rules specified in https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#obtaining-credentials. In addition, there is a high-priority feature request to obtain credentials from an application-provided callback (see DRIVERS-2011).

With CSFLE, in contrast, AWS credentials must be provided explicitly via the kmsProviders property of AutoEncryptionSettings or ClientEncryptionSettings.

This feature will add equivalent support in CSFLE as is already provided for MONGODB-AWS.

Motivation

Who is the affected end user?

Developer and security teams of enterprise customers.

How does this affect the end user?

There is a workaround, but it's onerous, as it involves recreating MongoClient instances before credentials expire.

How likely is it that this problem or use case will occur?

This is very likely to be an issue for users of client-side encryption.

If the problem does occur, what are the consequences and how severe are they?

They will be unable or at least unwilling to use client-side encryption in production.

Is this issue urgent?

It was certainly urgent for the initial customer that encountered this issue.

Is this ticket required by a downstream team?

No

Is this ticket only for tests?

No



Comments
Comment by Githook User [ 12/Jul/22 ]

Author:

{'name': 'vector-of-bool', 'email': 'vectorofbool@gmail.com', 'username': 'vector-of-bool'}

Message: DRIVERS-2280 New on-demand credential loading for AWS in CSE (#1260)
