For Client Side Field Level Encryption (CSFLE) load IAM credentials for KMS by default
In order to get the mongodb csfle lib to work with AWS KMS we need to set
the following provider details explicitly: accessKeyId and secretAccessKey.
It is common and more secure practice for applications to be able to load these automatically.
If we do not supply the accessKeyId and secretAccessKey then the java driver could make an API call to
retrieve temporary credentials from the EC2 instance it is running on.
It is explained in detail here:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
4
votes
THOMAS
shared this idea
-
Noa
commented
+1.
We really want to use CSFLE feature, but security wise with long term credentials it makes the feature to be impossible to implement.