[GODRIVER-2501] Add support for GCP attached service accounts when using GCP KMS Created: 25/Jul/22  Updated: 28/Oct/23  Resolved: 06/Aug/22

Status: Closed
Project: Go Driver
Component/s: Client Side Encryption
Affects Version/s: None
Fix Version/s: 1.11.0

Type: Improvement Priority: Major - P3
Reporter: PM Bot Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by GODRIVER-2415 KMSProvider for GCP does not accept a... Closed
is duplicated by GODRIVER-2375 Support automatic Authentication for ... Closed
Issue split
split from DRIVERS-2377 Add support for GCP attached service ... Closed
Quarter: FY23Q2, FY23Q3
Upstream Changes Summary:

DRIVERS-2377:
Summary of required changes

  • Upgrade dependency on libmongocrypt to 1.6.0 or higher. Binaries for 1.6.0 are available on the upload-all task.
  • Call mongocrypt_setopt_use_need_kms_credentials_state to opt in to handling the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state.
  • Handle the new MONGOCRYPT_CTX_NEED_KMS_CREDENTIALS state. If the originally configured KMS providers have an empty gcp: {}, attempt to obtain GCP credentials by sending an HTTP request described in the specification. Pass the new credentials back with mongocrypt_ctx_provide_kms_providers.
  • Add an integration test with a Google Compute Engine (GCE) instance. Get credentials from DRIVERS-2377 test credentials.
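The credential step in the list above, as an added illustration (not the Go driver's or this ticket's code): a helper that detects the empty `gcp: {}` configuration and fetches the attached service account's token from the metadata server, producing the document handed back through mongocrypt_ctx_provide_kms_providers. The endpoint path, the `Metadata-Flavor: Google` header and the `GCE_METADATA_HOST` override are taken from the CSFLE specification as I recall it; the function and parameter names are my own.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// NeedsGCPMetadataCredentials reports whether the configured KMS providers
// contain an empty gcp: {} entry, the condition under which the driver must
// obtain credentials itself when libmongocrypt enters NEED_KMS_CREDENTIALS.
func NeedsGCPMetadataCredentials(kmsProviders map[string]interface{}) bool {
	gcp, ok := kmsProviders["gcp"].(map[string]interface{})
	return ok && len(gcp) == 0
}

// FetchGCPKmsProviders requests an access token for the attached service
// account from the GCE metadata server (host is normally "metadata"; the spec
// allows overriding it with GCE_METADATA_HOST) and returns the document passed
// back via mongocrypt_ctx_provide_kms_providers. The token is not cached.
func FetchGCPKmsProviders(ctx context.Context, client *http.Client, host string) (map[string]interface{}, error) {
	url := "http://" + host + "/computeMetadata/v1/instance/service-accounts/default/token"
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata-Flavor", "Google") // the metadata server refuses requests without it
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("gcp metadata request: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("gcp metadata server returned HTTP %d", resp.StatusCode)
	}
	var body struct {
		AccessToken string `json:"access_token"`
	}
	// Cap the body read so a misbehaving endpoint cannot exhaust memory.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&body); err != nil {
		return nil, fmt.Errorf("gcp metadata response: %w", err)
	}
	if body.AccessToken == "" {
		return nil, fmt.Errorf("gcp metadata response has no access_token")
	}
	return map[string]interface{}{"gcp": map[string]interface{}{"accessToken": body.AccessToken}}, nil
}
```

For local development the host argument can point at the mock metadata server mentioned below, which is how the test exercises the request without a GCE instance.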

Additional background

Please see https://github.com/mongodb/specifications/commit/847d9ba741201f9c9d1305831a9c60e8ab2a1544 for the specification change.

Please see https://github.com/mongodb/mongo-go-driver/commit/91b240c6aab86680ed5e78746a5a5edcd408c237 for a reference implementation in Go.

Consider using the mock server for local development to test the HTTP request to the Metadata Server.

The GCP access token is not cached; see the scope for the rationale.

Integration test

Drivers are expected to run an integration test with a temporary Google Compute Engine instance. Scripts in the drivers-evergreen-tools .evergreen/csfle/gcpkms directory may be used.

To test, add an Evergreen task group to do the following:

  • Create a GCE instance in a setup_group.
  • Destroy the GCE instance in a teardown_group. Using a teardown_group will destroy the instance if the task fails.

Add a task in the task group to do the following:

  • Build and copy files to the remote GCE instance.
  • Install necessary dependencies on the remote GCE instance.
  • Run the test remotely.

Please see https://github.com/mongodb/mongo-go-driver/commit/91b240c6aab86680ed5e78746a5a5edcd408c237#diff-2bc841e86ce96b7b422ae203fd8315d0b2a461956cecbe0e096420656fc3fb12R2248 for a reference implementation of the integration test in Go.

It may be helpful to refer to driver tests for MONGODB-AWS ECS. The ECS tests perform a similar flow (copying and running a test on a remote ECS instance).

Documentation Changes: Not Needed

Description

This ticket was split from DRIVERS-2377, please see that ticket for a detailed description.



Comments
Comment by Githook User [ 06/Aug/22 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: GODRIVER-2501 support for GCP attached service accounts when using GCP KMS (#1029)

  • opt in to NeedKmsCredentials state
  • add explicit mongocrypt.State values
  • store KmsProviders on MongoCrypt struct
  • handle NeedKmsCredentials in crypt.go for GCP
  • add ProvideKmsProviders and GetKmsProviders to *_not_enabled files
  • add integration test