[DRIVERS-2377] Add support for GCP attached service accounts when using GCP KMS
| Created: | 09/Aug/21 | Updated: | 14/Jul/23 | Resolved: | 14/Jul/23 |
| Status: | Closed |
| Project: | Drivers |
| Component/s: | Client Side Encryption |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | William Chow (Inactive) | Assignee: | Kevin Albertson |
| Resolution: | Done | Votes: | 2 |
| Labels: | MDBW23, size-medium |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Driver Changes: | Needed |
| Quarter: | FY23Q2, FY23Q3, FY24Q1 |
| Downstream Changes Summary: | Summary of required changes |

Additional background

Please see https://github.com/mongodb/specifications/commit/847d9ba741201f9c9d1305831a9c60e8ab2a1544 for the specification change. Please see https://github.com/mongodb/mongo-go-driver/commit/91b240c6aab86680ed5e78746a5a5edcd408c237 for a reference implementation in Go. Consider using the mock server for local development to test the HTTP request to the Metadata Server. The GCP access token is not cached. See the scope for rationale.

Integration test

Drivers are expected to run an integration test with a temporary Google Compute Engine instance. Scripts in the drivers-evergreen-tools .evergreen/csfle/gcpkms directory may be used. To test, add an Evergreen task group to do the following:

Add a task in the task group to do the following:

Please see https://github.com/mongodb/mongo-go-driver/commit/91b240c6aab86680ed5e78746a5a5edcd408c237#diff-2bc841e86ce96b7b422ae203fd8315d0b2a461956cecbe0e096420656fc3fb12R2248 for a reference implementation of the integration test in Go. It may be helpful to refer to driver tests for MONGODB-AWS ECS. The ECS tests perform a similar flow (copying and running a test on a remote ECS instance).
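The exchange the summary above describes, as an added example that is not part of this ticket, the specification change, or the Go driver's own code: a client fetches an access token for the attached service account from the GCE metadata server, and a mock of that server (the kind of thing the summary suggests for local development) stands in so the code runs offline. The endpoint path and the mandatory Metadata-Flavor: Google header are GCP's documented metadata server contract; the function and type names (FetchAttachedServiceAccountToken, NewMockMetadataServer, tokenResponse) and the fake token value are this example's own assumptions. As the summary states, nothing is cached: each call fetches a fresh token.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// MetadataTokenPath is the GCE metadata server path that mints an OAuth2
// access token for the service account attached to the compute resource.
const MetadataTokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"

// MetadataTokenURL is the production endpoint; tests substitute a mock URL.
const MetadataTokenURL = "http://metadata.google.internal" + MetadataTokenPath

// tokenResponse mirrors the JSON document the metadata server returns.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// FetchAttachedServiceAccountToken (hypothetical name) asks the metadata
// server for a short-lived token. No email or private key is involved: the
// platform vouches for the attached identity. The URL is a parameter so a
// mock server can be used during local development.
func FetchAttachedServiceAccountToken(client *http.Client, url string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return "", err
	}
	// The metadata server refuses requests without this header; it blocks
	// browser-originated (SSRF-style) requests that cannot set custom headers.
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("metadata server returned %d: %s", resp.StatusCode, body)
	}
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", fmt.Errorf("decoding token response: %w", err)
	}
	if tr.AccessToken == "" {
		return "", errors.New("metadata server response missing access_token")
	}
	return tr.AccessToken, nil
}

// NewMockMetadataServer (hypothetical name) imitates the metadata server for
// offline tests. Like the real server it rejects requests lacking the
// Metadata-Flavor header and only serves the token path. The token it
// returns is a constructed fake, not a real credential.
func NewMockMetadataServer(fakeToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata-Flavor") != "Google" {
			http.Error(w, "Missing Metadata-Flavor:Google header.", http.StatusForbidden)
			return
		}
		if r.URL.Path != MetadataTokenPath {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(tokenResponse{AccessToken: fakeToken, ExpiresIn: 3599, TokenType: "Bearer"})
	}))
}

func main() {
	srv := NewMockMetadataServer("ya29.constructed-fake-token")
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	tok, err := FetchAttachedServiceAccountToken(client, srv.URL+MetadataTokenPath)
	if err != nil {
		panic(err)
	}
	// The token is then sent to the KMS API as "Authorization: Bearer <token>".
	fmt.Println("Authorization: Bearer", tok)
}
```

On a real GCE or Cloud Run instance the client would call MetadataTokenURL instead of the mock's URL and put the returned token in the Authorization header of the KMS API request; the mock's 403 on a missing Metadata-Flavor header is worth keeping in local tests, because forgetting the header is the most common reason the production call fails.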
| Case: | (copied to CRM) |
| Driver Compliance: | |
| Description |
We have a customer on GCP who is trying to use GCP KMS for the CMK, and we require a service account key, where an email and privateKey is provided for the service account, in order to use the GCP KMS API. They are using an attached service account according to GCP best practices, which say "Use attached service accounts when possible. For applications deployed on Google Cloud that need to use a service account, attach the service account to the underlying compute resource. By attaching a service account, you enable the application to obtain tokens for the service account and to use these tokens to access Google Cloud APIs and resources." and also "Use service account keys only if there is no viable alternative". Google even displays the warning "Service account keys could pose a security risk if compromised" when creating a key for a service account.

The customer is requesting that we follow GCP best practices and, when using an "attached" service account, skip/bypass the email and privateKey that is used for authentication and just access the GCP KMS API directly. For reference: https://cloud.google.com/iam/docs/best-practices-for-using-and-managing-service-accounts#use-attached-service-accounts

The customer is running on Cloud Run and sometimes Compute Engine on GCP, so uses attached service accounts. Their service accounts do not have user-accessible keys on them. The customer is using the MongoDB C#/.NET driver on Linux. During local development they use an environment variable, GOOGLE_APPLICATION_CREDENTIALS, which, if pointed at a local service account file (purely for development purposes), makes the Google libraries behave exactly the same as when deployed in an attached service account environment.
| Comments |
| Comment by Githook User [ 01/Mar/23 ] |
Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)
Message: run apt-get update in setup-gce-instance.sh
| Comment by Githook User [ 15/Feb/23 ] |
Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)
Message:
| Comment by Githook User [ 24/Jan/23 ] |
Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)
Message: add GCPKMS_DISKSIZE option with default 20GB
| Comment by PM Bot [ 05/Dec/22 ] |
Moved to Needs Triage because a linked PM issue PM-3084 was moved to Ready for Work.
| Comment by Githook User [ 01/Dec/22 ] |
Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)
Message:
This enables deleting the SSH keys after the task completes
| Comment by Githook User [ 31/Aug/22 ] |
Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)
Message:
| Comment by Githook User [ 10/Aug/22 ] |
Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)
Message:
| Comment by Githook User [ 06/Aug/22 ] |
Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)
Message:
| Comment by Githook User [ 03/Aug/22 ] |
Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)
Message:
| Comment by David Stewart [ 26/Dec/21 ] |
Hey Mongo Team, As a Mongo DB Atlas customer, we would like to cast our vote for this as well. We are running in cloud run in a Node JS environment.
David |