[DRIVERS-2280] Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS

| Created: | 18/Apr/22 |
| Updated: | 14/Aug/23 |
| Resolved: | 31/Mar/23 |
| Status: | Closed |
| Project: | Drivers |
| Component/s: | Client Side Encryption |
| Fix Version/s: | None |
| Type: | New Feature |
| Priority: | Unknown |
| Reporter: | Jeffrey Yemin |
| Assignee: | Unassigned |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Driver Changes: | Needed |
| Quarter: | FY23Q3 |
| Downstream Changes Summary: | Please see the C driver implementation as a reference. Note: the C driver also supports a user-provided callback for KMS providers. That is not in scope of |
| Driver Compliance: | |
| Description |

Summary

Currently, for the MONGODB-AWS authentication mechanism the driver obtains credentials according to the rules specified in https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#obtaining-credentials. In addition, there is a high-priority feature request to obtain credentials from an application-provided callback (see

With CSFLE, in contrast, AWS credentials must be provided explicitly via the kmsProviders property of AutoEncryptionSettings or ClientEncryptionSettings. This feature will add the same credential-acquisition support to CSFLE that is already provided for MONGODB-AWS.

Motivation

Who is the affected end user? Developer and security teams of enterprise customers.

How does this affect the end user? There is a workaround, but it is onerous: it involves recreating MongoClient instances before the credentials expire.

How likely is it that this problem or use case will occur? Very likely for users of client-side encryption.

If the problem does occur, what are the consequences and how severe are they? Affected users will be unable, or at least unwilling, to use client-side encryption in production.

Is this issue urgent? It was certainly urgent for the initial customer that encountered this issue.

Is this ticket required by a downstream team? No

Is this ticket only for tests? No
| Comments |

Comment by Githook User [ 12/Jul/22 ]

Author: vector-of-bool <vectorofbool@gmail.com> (username: vector-of-bool)
Message: