[DRIVERS-2411] Support the Azure VM-assigned Managed Identity for Automatic KMS Credentials
Created: 10/Aug/22 Updated: 29/Aug/23 Resolved: 14/Jul/23

| Status: | Closed |
| Project: | Drivers |
| Component/s: | Client Side Encryption |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Unknown |
| Reporter: | Colby Pike | Assignee: | Colby Pike |
| Resolution: | Done | Votes: | 0 |
| Labels: | RDY |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Driver Changes: | Needed |
| Quarter: | FY23Q3, FY24Q1 |
| Downstream Changes Summary: |

Implementation

libmongocrypt 1.6.0 or higher is required. Binaries for 1.6.0 are available on the upload-all task. The spec changes introduce another method of obtaining KMS credentials automatically, much like with GCP and AWS:

The associated spec changes are specified here: https://github.com/mongodb/specifications/commit/d6b8cce6abb3b8e1a0b8f1dc7ee737e18322cfce

The initial implementation for the C driver is here: https://github.com/mongodb/mongo-c-driver/commit/686bff81f565f93db83d99902ce1c3a6f89922c7

Mock server tests

Mock server tests are specified here:

The mock server is available here: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/fake_azure.py

Please see https://github.com/mongodb/mongo-c-driver/commit/671a15154f0dd0e4af3c8df2ac08dfe4acf01795#diff-d353a218f6d4ac77dfb35cc757a96af121a9ce1d3cf7b01535fa23e6d0c58016R98 for a reference implementation of the mock server tests in C.

Integration tests

Integration tests are specified here:

Scripts in the drivers-evergreen-tools .evergreen/csfle/azurekms directory may be used to create the temporary Azure Virtual Machine. Get credentials from DRIVERS-2411 Test Credentials. To test, add an Evergreen task group to do the following:

Add a task in the task group to do the following:

Please see https://github.com/mongodb/mongo-c-driver/pull/1124 and https://github.com/mongodb/mongo-c-driver/pull/1234/ for a reference implementation of the integration tests in C. It may be helpful to refer to the driver tests for MONGODB-AWS ECS, which perform a similar flow (copying a test to a remote ECS instance and running it there). |
| Driver Compliance: | |
| Description |

Summary

At present, using Azure Key Vault for KMS requires a tenant ID, client ID, and client secret (password) in order to obtain an OAuth2 token to subsequently query the Azure Key Vault for key management. Azure VMs are automatically assigned a Managed Identity which allows the VM to obtain an OAuth2 token by querying a private metadata HTTP endpoint without any special credentials. The token obtained can then be used to request access to Azure resources, including the Key Vault, if applicable. We have added support for automatic KMS credentials for AWS (

Motivation

Who is the affected end user?
All end users of client-side encryption that wish to use Azure Key Vault as their KMS provider, and are running their client within an Azure VM.

How does this affect the end user?
Supporting the VM's managed identity alleviates the need to manage a separate set of credentials for their client application.

How likely is it that this problem or use case will occur?
As Azure KMS users are likely running within an Azure VM, most Azure users will likely find benefit in delegating the credential management to the Azure platform.

If the problem does occur, what are the consequences and how severe are they?
Managing and securing additional credentials creates an additional security concern and barrier to adoption for client-side encryption, whereas requesting the client driver to automatically work with the Azure host is simpler, more secure, and less error-prone.

Is this issue urgent?
The first mention of using Azure Managed Identities appears in December of 2020. The recent addition of automatic credentials for AWS and GCP makes this change prudent to match platform support.

Is this ticket required by a downstream team?
No

Is this ticket only for tests?
No |
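The token flow the description outlines (a credential-less GET to the VM's link-local metadata service, then a Bearer token for Key Vault), as an added example that is not the driver's, libmongocrypt's or the spec's code. The endpoint, the required `Metadata: true` header and the response fields are Azure IMDS facts; the `min_ttl` guard, the function names and the sample response are assumptions made here for illustration.

```python
import json
import time
import urllib.request
from urllib.parse import urlencode

# Azure Instance Metadata Service token endpoint and the Key Vault audience.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEYVAULT_RESOURCE = "https://vault.azure.net"


def build_token_request(resource=KEYVAULT_RESOURCE, api_version="2018-02-01"):
    """Return (url, headers) for the IMDS token request.

    IMDS refuses requests without "Metadata: true"; the header cannot be set
    by a browser redirect, which is why Azure requires it (SSRF mitigation).
    """
    query = urlencode({"api-version": api_version, "resource": resource})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}


def parse_token_response(body, now, min_ttl=60):
    """Validate an IMDS JSON body and return (access_token, expires_at).

    Rejects non-Bearer tokens, missing fields, and tokens that would expire
    within min_ttl seconds (assumed policy) so a nearly-dead token is never
    handed to the KMS request path.
    """
    doc = json.loads(body)
    for field in ("access_token", "expires_in", "token_type"):
        if field not in doc:
            raise ValueError(f"IMDS response missing {field!r}")
    if doc["token_type"] != "Bearer":
        raise ValueError("unexpected token_type")
    expires_at = now + int(doc["expires_in"])  # IMDS returns a string
    if expires_at - now < min_ttl:
        raise ValueError("token expires too soon")
    return doc["access_token"], expires_at


def fetch_token(opener=urllib.request.urlopen, timeout=5):
    """Live path on an Azure VM: GET from IMDS and validate the response."""
    url, headers = build_token_request()
    req = urllib.request.Request(url, headers=headers)
    with opener(req, timeout=timeout) as resp:
        return parse_token_response(resp.read(), int(time.time()))


# Constructed sample response in the IMDS shape (not a real token).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi.constructed.example",
    "expires_in": "3599",
    "token_type": "Bearer",
    "resource": KEYVAULT_RESOURCE,
})
```

Off a VM, `fetch_token` fails on the link-local address; the request builder and parser are what a mock such as fake_azure.py exercises.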
| Comments |
| Comment by Githook User [ 15/Apr/23 ] |
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message:

| Comment by Githook User [ 24/Feb/23 ] |
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message:

| Comment by Githook User [ 06/Nov/22 ] |
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message:

| Comment by Githook User [ 03/Nov/22 ] |
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message:

| Comment by Githook User [ 21/Oct/22 ] |
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message:

| Comment by Githook User [ 20/Oct/22 ] |
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message: Add scripts for integration testing.

| Comment by Githook User [ 17/Oct/22 ] |
Author: {'name': 'vector-of-bool', 'email': 'vectorofbool@gmail.com', 'username': 'vector-of-bool'}
Message:

| Comment by Githook User [ 10/Oct/22 ] |
Author: {'name': 'vector-of-bool', 'email': 'vectorofbool@gmail.com', 'username': 'vector-of-bool'}
Message: Add a fake_azure server for testing

| Comment by Githook User [ 26/Sep/22 ] |
Author: {'name': 'vector-of-bool', 'email': 'vectorofbool@gmail.com', 'username': 'vector-of-bool'}
Message:

| Comment by Githook User [ 09/Sep/22 ] |
Author: {'name': 'vector-of-bool', 'email': 'vectorofbool@gmail.com', 'username': 'vector-of-bool'}
Message: