Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-2179

Add support for updating expired AWS KMS temporary access credentials using assumed roles in FLE

XMLWordPrintableJSON

    • Type: Icon: New Feature New Feature
    • Resolution: Duplicate
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Component/s: Client Side Encryption
    • Needed

      Summary

      Currently, the FLE KMS support includes support for AWS temporary access keys. These temporary keys can be obtained via AssumeRole, from EC2 machines that have been assigned a role, and a few other means. Temporary credentials always expire after some time and libmongocrypt provides no way for users to refresh their credentials.

      Motivation

      Who is the affected end user?

      FLE customers using assumed roles for AWS KMS

      How does this affect the end user?

      If a user configures the FLE KMS support for AWS temporary credentials then their MongoDB driver will stop working upon expiration. For instance, if the temporary credentials have a timeout of 6 hours, then the driver will error after 6 hours. This is the problem the customer is hitting. The user has no recourse but to restart their usage of MongoDB drivers (i.e. restart their app), providing the new, valid credentials.

      How likely is it that this problem or use case will occur?

      Main path as having expiring credentials is a key component of the assumed roles functionality.

      If the problem does occur, what are the consequences and how severe are they?

      Driver will stop being able to access encryption key and therefor no encryption of decryption can happen.  The user will need to restart, as outlined above.

      Is this issue urgent?

      The customer is currently experiencing this issue and has opened a support ticket.

      Is this ticket required by a downstream team?

      No.

      Is this ticket only for tests?

      No

      Description from Mark Benvenuto
      The fix is to provide a way for users to provide fresh credentials. Since users can acquire their credentials in a variety of ways, it is difficult for libmongocrypt to reacquire them the same way as the user originally done. Instead, it is easier if the user simply provides a function that can fetch the credentials as needed.
      ===================
      Work outlined

      • Participants:
      • libmongocrypt
      • Java driver
         
        libmongocrypt
        --------------------
        libmongocrypt adds a callback like:
         

      int libmongocrypt_set_credentials_callback(int(credentials_callback)(char** buf, int* len))

      where

      int(credentials_callback)(char** buf, int* len)
      returns 0 on success and 1 on failure
      on success, it sets buf and len to point to a buffer then contains a BSON document that represents the credentials of:

      {
 accessKeyId : string
 secretKey: string,
 sessionToken: string
}

       
      Java driver
      ---------------
      Java driver updates the libmongocrypt java bindings  to support this method and adds a way for the user to set this callback in the Java driver.
      ===============

       

            Assignee:
            Unassigned Unassigned
            Reporter:
            cynthia.braund@mongodb.com Cynthia Braund (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: