Type: Task
Resolution: Unresolved
Priority: Unknown
Component/s: Client Side Encryption
Summary
The CSFLE spec supports automatic KMS credential fetching for AWS, GCP and Azure KMS provider credentials. The GCP and Azure KMS tests have real integration tests that test against live GCP and Azure identity management services. AWS, however, only defines prose test 15, which only states that the test "must run in an environment" where certain environment variables are defined. This is problematic for two reasons:
- In languages like Node, we often mock environment variables to test certain behaviors. We implemented these tests as unit tests.
- The CSFLE spec states that AWS credentials must be fetched in the same manner as AWS credentials are fetched in the auth spec. However, the auth spec includes additional ways of fetching credentials that are not covered by prose test 15 (i.e., fetching temporary credentials from the AWS metadata service).
https://jira.mongodb.org/browse/NODE-5917 revealed that the Node driver has different logic for fetching AWS credentials during authentication than we do when fetching KMS credentials. Our logic also breaks for any credentials that have an `expiration`, as returned by the AWS SDK.
We have the CI infrastructure to test with real credentials in a live AWS environment. We should add integration tests for KMS credential fetching similar to fetching Azure and GCP credentials.
Motivation
Who is the affected end user?
Drivers engineers.
How does this affect the end user?
Drivers engineers might not realize there is a gap in their test coverage and may not realize that their logic is different between AWS authentication and AWS KMS credential retrieval.
How likely is it that this problem or use case will occur?
Unsure.
If the problem does occur, what are the consequences and how severe are they?
Worst case, the implementation of KMS credential fetching could be buggy or broken (this occurred in the Node driver).
Is this issue urgent?
No.
Is this ticket required by a downstream team?
No.
Is this ticket only for tests?
Yes.
Acceptance Criteria
- Add integration testing for KMS credential retrieval in a live AWS environment, similar to our AWS authentication tests.