For Client Side Field Level Encryption (CSFLE) load IAM credentials for KMS by default
In order to get the MongoDB CSFLE lib to work with AWS KMS, we need to set
the following provider details explicitly: accessKeyId and secretAccessKey.
It is common and more secure practice for applications to be able to load these automatically.
If we do not supply the accessKeyId and secretAccessKey, then the Java driver could make an API call to
retrieve temporary credentials from the EC2 instance it is running on.
It is explained in detail here:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
Thank you for your enhancement request. We are pleased to announce that we now support AWS IAM roles for KMS access with CSFLE. Please see the "Important" note that provides instructions on using IAM roles for authentication in the AWS KMS tutorial in our MongoDB docs. https://www.mongodb.com/docs/manual/core/csfle/tutorials/aws/aws-automatic/#grant-permissions
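For reference, here is the two configurations side by side as an added example (not code from this ticket or from the MongoDB driver project): the weak form with long-lived keys in the kmsProviders map, and the form the reply points to, where an empty "aws" entry makes the driver obtain credentials on demand (for example from the EC2 instance role). It assumes the Java sync driver with AutoEncryptionSettings, a key vault namespace of encryption.__keyVault, a local connection string, and an AWS SDK for Java dependency on the classpath; the auditing helper is hypothetical.

```java
import com.mongodb.AutoEncryptionSettings;
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import java.util.HashMap;
import java.util.Map;

public class CsfleKmsCredentials {

    // Weak setting: long-lived IAM user keys baked into application configuration.
    // Anyone who can read the config (or a heap dump, or a log) gets durable KMS access.
    static Map<String, Map<String, Object>> staticKeys(String accessKeyId, String secretAccessKey) {
        Map<String, Object> aws = new HashMap<>();
        aws.put("accessKeyId", accessKeyId);
        aws.put("secretAccessKey", secretAccessKey);
        Map<String, Map<String, Object>> kms = new HashMap<>();
        kms.put("aws", aws);
        return kms;
    }

    // Corrected setting: an empty "aws" entry tells the driver to fetch credentials on demand
    // (instance profile / IAM role, environment, etc.), so only short-lived tokens ever exist
    // in the process and nothing secret lives in the application's configuration.
    static Map<String, Map<String, Object>> onDemandCredentials() {
        Map<String, Map<String, Object>> kms = new HashMap<>();
        kms.put("aws", new HashMap<>());
        return kms;
    }

    // Hypothetical startup guard (assumption, not a driver API): refuse to run with
    // static AWS keys so a misconfiguration fails closed instead of silently shipping secrets.
    static boolean usesStaticAwsKeys(Map<String, Map<String, Object>> kms) {
        Map<String, Object> aws = kms.get("aws");
        return aws != null && (aws.containsKey("accessKeyId") || aws.containsKey("secretAccessKey"));
    }

    public static void main(String[] args) {
        Map<String, Map<String, Object>> kms = onDemandCredentials();
        if (usesStaticAwsKeys(kms)) {
            throw new IllegalStateException("static AWS KMS credentials are not allowed; use an IAM role");
        }
        AutoEncryptionSettings autoEncryption = AutoEncryptionSettings.builder()
                .keyVaultNamespace("encryption.__keyVault")   // assumed key vault namespace
                .kmsProviders(kms)
                .build();
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString("mongodb://localhost:27017")) // assumed
                .autoEncryptionSettings(autoEncryption)
                .build();
        try (MongoClient client = MongoClients.create(settings)) {
            client.listDatabaseNames().first(); // forces a connection so misconfiguration surfaces early
        }
    }
}
```

The on-demand form is what lets the EC2 instance profile supply temporary credentials, as the original request asked for; it relies on the driver's AWS credential lookup, so the AWS SDK dependency must be present at runtime.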
Noa commented
+1.
We really want to use the CSFLE feature, but security-wise, with long-term credentials it makes the feature impossible to implement.