
I am using EC2 Instance profile credentials for allowing the AWS EC2 instance to access other AWS services.

Recently, I implemented MongoDB Client-Side Field-Level Encryption for which the AWS KMS has been used as KMS Providers. The MongoDB Documentation for CSFLE mentions that the KMS Provider should have secret key and access key that maps to an IAM User.

This way I will have to create another IAM User and then maintain those credentials separately. A simpler way (and more secure) would have been to use the DefaultCredentialsProvider from software.amazon.awssdk:auth and that could have used the credentials from the instance profile that could have given access to the KMS. But this does not work for me and MongoClient fails as KMS rejects the security token used.

Is there any reason behind not allowing this way of accessing KMS?

Nishkarsh

1 Answer


As with all projects, the initial implementation of CSFLE had a scope. This scope did not include the ability to use instance roles for credential identification.

I suggest you submit your request to https://feedback.mongodb.com/ for consideration.

D. SM
  • Thanks! I actually later came across the [specification for MongoDB CSFLE](https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#why-not-support-other-aws-auth-mechanisms) that mentions this scope. I also see this being implemented in the [newer version of MongoDB driver 4.1](https://mongodb.github.io/mongo-java-driver/4.1/whats-new/) that's still in beta and [spring-data-mongodb 3.0.0.M4](https://docs.spring.io/spring-data/data-mongo/docs/2.2.x/changelog.txt) that has the version bump for the MongoDB driver. Hope that it's released soon. – Nishkarsh Apr 25 '20 at 06:23
  • The MONGODB-AWS authentication mechanism that is mentioned is for client authentication to MongoDB server, this does not apply to FLE (or your inquiry here) in any way. – D. SM Apr 25 '20 at 12:54
  • Oh, I had guessed that it's generic in the way that any MongoClient should be able to authenticate using the same AWS authentication mechanisms, even if the client was configured for CSFLE, since it's still trying to access an AWS service. But thanks for clearing this up @Oleg, I will probably submit feedback for the same if that can help prioritise the feature. – Nishkarsh Apr 26 '20 at 14:08
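For readers landing here with the same setup, the following is an added example (not code from the question, the answer, or the MongoDB project) of what the CSFLE AWS KMS provider configuration described above looks like in the Java driver: a `kmsProviders` map carrying the dedicated IAM user's access key and secret key, passed into `AutoEncryptionSettings`. Instead of hard-coding the keys or relying on the instance profile (which, as the answer states, CSFLE did not support at the time), it reads them from two environment variable names that are assumptions for this example (`CSFLE_AWS_ACCESS_KEY_ID`, `CSFLE_AWS_SECRET_ACCESS_KEY`); the key vault namespace and connection string are likewise placeholders.

```java
import com.mongodb.AutoEncryptionSettings;
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;

import java.util.HashMap;
import java.util.Map;

public class CsfleAwsKmsConfig {

    // Builds the kmsProviders map the CSFLE AWS provider expects: a static
    // access key / secret key pair that belongs to a dedicated IAM user whose
    // policy should be limited to the KMS key used for the data keys.
    static Map<String, Map<String, Object>> awsKmsProviders(String accessKeyId, String secretAccessKey) {
        Map<String, Object> aws = new HashMap<>();
        aws.put("accessKeyId", accessKeyId);
        aws.put("secretAccessKey", secretAccessKey);

        Map<String, Map<String, Object>> kmsProviders = new HashMap<>();
        kmsProviders.put("aws", aws);
        return kmsProviders;
    }

    // Wires the KMS provider map into a MongoClient with automatic encryption.
    static MongoClient buildEncryptedClient(String uri,
                                            String keyVaultNamespace,
                                            Map<String, Map<String, Object>> kmsProviders) {
        AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder()
                .keyVaultNamespace(keyVaultNamespace)
                .kmsProviders(kmsProviders)
                .build();

        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(uri))
                .autoEncryptionSettings(autoEncryptionSettings)
                .build();

        return MongoClients.create(settings);
    }

    public static void main(String[] args) {
        // Assumed variable names for this example: the IAM user's keys are
        // injected into the environment rather than committed to source.
        String accessKeyId = System.getenv("CSFLE_AWS_ACCESS_KEY_ID");
        String secretAccessKey = System.getenv("CSFLE_AWS_SECRET_ACCESS_KEY");
        if (accessKeyId == null || secretAccessKey == null) {
            throw new IllegalStateException(
                    "CSFLE_AWS_ACCESS_KEY_ID and CSFLE_AWS_SECRET_ACCESS_KEY must be set");
        }

        Map<String, Map<String, Object>> kmsProviders = awsKmsProviders(accessKeyId, secretAccessKey);

        // Placeholder connection string and key vault namespace.
        try (MongoClient client = buildEncryptedClient(
                "mongodb://localhost:27017",
                "encryption.__keyVault",
                kmsProviders)) {
            // The client is now configured for automatic CSFLE; collections
            // with an encryption schema will have their fields encrypted
            // transparently using data keys wrapped by the AWS KMS key.
            client.listDatabaseNames().first();
        }
    }
}
```

Automatic encryption in these driver versions additionally needs the `mongocryptd` process reachable by the client. Keeping the keys in a separate IAM user, scoped only to the KMS key that wraps the data keys, contains the blast radius if those static credentials leak, which is the trade-off the question is weighing against the instance profile.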