[MONGOCRYPT-382] Support on-demand credentials Created: 15/Feb/22  Updated: 28/Oct/23  Resolved: 08/Mar/22

Status: Closed
Project: Libmongocrypt
Component/s: C library
Affects Version/s: None
Fix Version/s: 1.4.0-alpha0

Type: New Feature Priority: Major - P3
Reporter: Kevin Albertson Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by DRIVERS-2179 Add support for updating expired AWS ... Closed
is depended on by JAVA-4503 Integrate with libmongocrypt callback... Closed
is depended on by JAVA-4504 Support AWS credential supplier for c... Closed
is depended on by MONGOCRYPT-393 Support on-demand credentials in Java... Closed
Related
related to MONGOCRYPT-428 mongocrypt_ctx_provide_kms_providers ... Closed
related to DRIVERS-2017 Add ClientEncryption entity and Key M... Closed

 Description   

Background & Motivation

KMS credentials are set on a mongocrypt_t with mongocrypt_setopt_kms_providers.

Once set, the KMS credentials cannot be changed for the lifetime of the mongocrypt_t.

This poses a problem for users wanting to use temporary credentials that may expire. There is no way to update the credentials on a mongocrypt_t

Here is an example of getting AWS temporary credentials and using them with Go driver for CSFLE.

Scope

  • Add a new state, MONGOCRYPT_CTX_NEED_CREDENTIALS.
    • Rationale: Refreshing credentials may require I/O from the wrapping driver. For async drivers, a mongocrypt_ctx_t entering a new state allows the async driver to schedule an async routine.
  • Add a new function on mongocrypt_ctx_t to provide credentials.
    • If a mongocrypt_ctx_t enters the state MONGOCRYPT_CTX_NEED_CREDENTIALS, the driver may call a new function on the mongocrypt_ctx_t to provide credentials.
    • This can override credentials set in the mongocrypt_t.
  • Add a new function on mongocrypt_t to opt in to the new behavior.
    • Rationale: The new state requires bindings updates. Making this opt-in will not break existing drivers.


 Comments   
Comment by Githook User [ 07/Mar/22 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: MONGOCRYPT-382 require `aws: {}` to enter NEED_KMS_CREDENTIALS (#257)
Branch: master
https://github.com/mongodb/libmongocrypt/commit/d60ded06f12e225984fb3841ecf30345cc01da84

Comment by Bailey Pearson [ 07/Mar/22 ]

Hey anna.henningsen - Looks like the PR related to this work broke a couple of the node driver's tests in CI (failing build here).  Reverting the PR and pointing our tests to the revert commit passes - https://spruce.mongodb.com/version/622672dba4cf4739fb6b571c/tasks.  These tests didn't run in CI for libmongocrypt because they require a MongoClient that's connected to a live server.

Related node ticket to track so that the work isn't lost - https://jira.mongodb.org/browse/NODE-4065.

Comment by Githook User [ 04/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: MONGOCRYPT-382 Add support for providing per-KMS-request credentials (#252)
Branch: master
https://github.com/mongodb/libmongocrypt/commit/9bda708fe2e21a6f3cc6f4ccd7c593d66cb7c7f1

Generated at Thu Feb 08 09:08:34 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.