Go Driver: Allow Client Side Field Level Encryption (CSFLE) to use IAM Role credentials with KMS access
In order to get the MongoDB csfle lib to work with AWS KMS, we need to set
the following provider details (IAM user credentials) explicitly: accessKeyId and secretAccessKey.
It is a common and more secure practice for applications to be able to get temporary credentials using IAM roles, which will have accessKeyId, secretAccessKey and sessionToken - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html.
Currently, the Go Driver does not support sending 'sessionToken' along with provider details.
The libmongocrypt library has this support now - https://github.com/mongodb/libmongocrypt/pull/153.
It would be great if the Go driver had this support.
Thank you for your enhancement request. We are pleased to announce that we now support AWS IAM roles for KMS access with CSFLE. Please see the "Important" note that provides instructions on using IAM roles for authentication in the AWS KMS tutorial in our MongoDB docs. https://www.mongodb.com/docs/manual/core/csfle/tutorials/aws/aws-automatic/#grant-permissions
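
The provider details discussed in this request, as an added example (not code from the ticket, the Go Driver or libmongocrypt): it builds the `aws` entry of a `kmsProviders` map in the `map[string]map[string]interface{}` shape the Go Driver's auto-encryption options take, and refuses a temporary access key that arrives without its `sessionToken`. The function name `awsKMSProvider`, the use of the standard AWS environment variable names, and the `ASIA` prefix check for STS-issued keys are assumptions of this example; the credential values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// awsKMSProvider (hypothetical helper) builds the "aws" kmsProviders entry.
// getenv is injected so the function can be tested without the real
// environment; in an application, pass os.Getenv.
func awsKMSProvider(getenv func(string) string) (map[string]map[string]interface{}, error) {
	id := getenv("AWS_ACCESS_KEY_ID")
	secret := getenv("AWS_SECRET_ACCESS_KEY")
	token := getenv("AWS_SESSION_TOKEN")
	if id == "" || secret == "" {
		return nil, errors.New("missing accessKeyId or secretAccessKey")
	}
	// Assumption: STS-issued (role) access key IDs start with "ASIA" and are
	// only valid together with their session token; IAM user keys use "AKIA".
	if strings.HasPrefix(id, "ASIA") && token == "" {
		return nil, errors.New("temporary access key supplied without sessionToken")
	}
	aws := map[string]interface{}{"accessKeyId": id, "secretAccessKey": secret}
	if token != "" {
		aws["sessionToken"] = token // only sent for temporary credentials
	}
	return map[string]map[string]interface{}{"aws": aws}, nil
}

func main() {
	// Constructed sample credentials standing in for role-issued ones.
	env := map[string]string{
		"AWS_ACCESS_KEY_ID":     "ASIAEXAMPLEEXAMPLE00",
		"AWS_SECRET_ACCESS_KEY": "constructed-secret",
		"AWS_SESSION_TOKEN":     "constructed-session-token",
	}
	providers, err := awsKMSProvider(func(k string) string { return env[k] })
	if err != nil {
		fmt.Println("kms provider:", err)
		return
	}
	// Print only the field names, never the credential values.
	for field := range providers["aws"] {
		fmt.Println("aws provider field:", field)
	}
}
```

Temporary credentials expire, so an application using this approach has to rebuild the map and the encryption client before the session token lapses.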