<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:24:55 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DRIVERS-2179] Add support for updating expired AWS KMS temporary access credentials using assumed roles in FLE</title>
                <link>https://jira.mongodb.org/browse/DRIVERS-2179</link>
                <project id="10980" key="DRIVERS">Drivers</project>
                    <description>&lt;div class=&quot;panel&quot; style=&quot;background-color: #fafbfc;border-width: 1px;&quot;&gt;&lt;div class=&quot;panelContent&quot; style=&quot;background-color: #fafbfc;&quot;&gt;
&lt;h3&gt;&lt;a name=&quot;Summary&quot;&gt;&lt;/a&gt;&lt;b&gt;Summary&lt;/b&gt;&lt;/h3&gt;

&lt;p&gt;Currently, the FLE KMS support includes support for AWS temporary&#160;access keys. These temporary keys can be obtained via AssumeRole, from EC2 machines that have been assigned a role, and a few other means. Temporary credentials always expire after some time and libmongocrypt provides no way for users to refresh their credentials.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Motivation&lt;/b&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Whoistheaffectedenduser%3F&quot;&gt;&lt;/a&gt;Who is the affected end user?&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;FLE customers using assumed roles for AWS KMS&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Howdoesthisaffecttheenduser%3F&quot;&gt;&lt;/a&gt;How does this affect the end user?&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;If a user configures the FLE KMS support for AWS temporary credentials then their MongoDB driver will stop working upon expiration. For instance, if the temporary&#160;credentials have&#160;a timeout of 6 hours, then the driver&#160;will error after 6 hours. This is the problem the customer&#160;is hitting. The user has no recourse but to restart their usage&#160;of MongoDB drivers (i.e. restart their app), providing the new, valid credentials.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Howlikelyisitthatthisproblemorusecasewilloccur%3F&quot;&gt;&lt;/a&gt;How likely is it that this problem or use case will occur?&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;Main path as having expiring credentials is a key component of the assumed roles functionality.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Iftheproblemdoesoccur%2Cwhataretheconsequencesandhowseverearethey%3F&quot;&gt;&lt;/a&gt;If the problem does occur, what are the consequences and how severe are they?&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;Driver will stop being able to access encryption key and therefore no encryption or decryption can happen.&#160; The user will need to restart, as outlined above.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Isthisissueurgent%3F&quot;&gt;&lt;/a&gt;Is this issue urgent?&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;The customer is currently experiencing this issue and has opened a support ticket.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Isthisticketrequiredbyadownstreamteam%3F&quot;&gt;&lt;/a&gt;Is this ticket required by a downstream team?&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;No.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;Isthisticketonlyfortests%3F&quot;&gt;&lt;/a&gt;Is this ticket only for tests?&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;No&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Description from Mark Benvenuto&lt;/em&gt;&lt;br/&gt;
 The fix is to provide a way for users to provide fresh credentials. Since users can acquire their credentials in a variety of ways, it is difficult for libmongocrypt to reacquire them the same way as the user originally did. Instead, it is easier if the user simply provides a function that can fetch the credentials as needed.&lt;br/&gt;
 ===================&lt;br/&gt;
 Work outlined&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;Participants:&lt;/li&gt;
	&lt;li&gt;libmongocrypt&lt;/li&gt;
	&lt;li&gt;Java driver&lt;br/&gt;
 &#160;&lt;br/&gt;
 libmongocrypt&lt;br/&gt;
 --------------------&lt;br/&gt;
 libmongocrypt adds&#160;a callback like:&lt;br/&gt;
 &#160;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt; &lt;tt&gt;int libmongocrypt_set_credentials_callback(int(credentials_callback)(char** buf, int* len))&lt;/tt&gt;&lt;/p&gt;

&lt;p&gt; where&lt;/p&gt;

&lt;p&gt; &lt;tt&gt;int(credentials_callback)(char** buf, int* len)&lt;/tt&gt;&lt;br/&gt;
  returns 0 on success and 1 on failure&lt;br/&gt;
  on success, it sets buf and len to point to a buffer that contains a BSON document that represents the credentials of:&lt;/p&gt;
&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;{&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt; accessKeyId : string&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt; secretKey: string,&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt; sessionToken: string&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;}&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;
&lt;p&gt;&#160;&lt;br/&gt;
 Java driver&lt;br/&gt;
 ---------------&lt;br/&gt;
 Java driver updates the libmongocrypt java bindings&#160; to support this method and adds a way for the user to set this callback in the Java driver.&lt;br/&gt;
 ===============&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;&#160;&lt;/p&gt;</description>
                <environment></environment>
        <key id="1973459">DRIVERS-2179</key>
            <summary>Add support for updating expired AWS KMS temporary access credentials using assumed roles in FLE</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="3">Duplicate</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="cynthia.braund@mongodb.com">Cynthia Braund</reporter>
                        <labels>
                            <label>FLE</label>
                    </labels>
                <created>Fri, 28 Jan 2022 20:00:20 +0000</created>
                <updated>Sun, 8 Jan 2023 14:23:53 +0000</updated>
                            <resolved>Sun, 8 Jan 2023 14:23:53 +0000</resolved>
                                                        <component>Client Side Encryption</component>
                                        <votes>0</votes>
                                    <watches>10</watches>
                                                                                                                <comments>
                            <comment id="5098217" author="kevin.albertson" created="Sun, 8 Jan 2023 14:23:53 +0000"  >&lt;p&gt;This is resolved by &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-2280&quot; title=&quot;Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-2280&quot;&gt;&lt;del&gt;DRIVERS-2280&lt;/del&gt;&lt;/a&gt;.&lt;br/&gt;
Drivers implementing &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-2280&quot; title=&quot;Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-2280&quot;&gt;&lt;del&gt;DRIVERS-2280&lt;/del&gt;&lt;/a&gt; support configuring the AWS KMS provider with an empty document: `aws: {}`.&lt;br/&gt;
The AWS credentials are obtained when needed following the logic for MONGODB-AWS authentication mechanism.&lt;/p&gt;</comment>
                            <comment id="4322112" author="behackett" created="Fri, 28 Jan 2022 20:10:22 +0000"  >&lt;p&gt;I assume, like many other AWS credentials problems, this can be solved with &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-2011&quot; title=&quot;On-demand callback for AWS credentials&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-2011&quot;&gt;&lt;del&gt;DRIVERS-2011&lt;/del&gt;&lt;/a&gt;.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                            <outwardlinks description="depends on">
                                        <issuelink>
            <issuekey id="1983789">MONGOCRYPT-382</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="2026870">DRIVERS-2280</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="1975278">CDRIVER-4276</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="1953998">DRIVERS-2011</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                            <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[5002K000011D7mrQAC]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10951" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Driver Changes</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10748"><![CDATA[Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_21553" key="com.atlassian.jira.plugin.system.customfieldtypes:labels">
                        <customfieldname>Quarter</customfieldname>
                        <customfieldvalues>
                                        <label>FY24Q1</label>
    
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i01l07:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        </customfields>
    </item>
</channel>
</rss>