Reputation: 294
I am using EC2 instance profile credentials to allow the AWS EC2 instance to access other AWS services.

Recently, I implemented MongoDB Client-Side Field-Level Encryption (CSFLE), for which AWS KMS is used as the KMS provider. The MongoDB documentation for CSFLE mentions that the KMS provider should have a secret key and an access key that map to an IAM user.

This way I will have to create another IAM user and then maintain those credentials separately. A simpler (and more secure) way would have been to use the DefaultCredentialsProvider from software.amazon.awssdk:auth, which could have used the credentials from the instance profile that gives access to KMS. But this does not work for me, and MongoClient fails because KMS rejects the security token used.

Is there any reason behind not allowing this way of accessing KMS?
Upvotes: 3
Views: 538
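To make the failure mode concrete, here is an added example (not code from the question or from MongoDB) that resolves credentials through the same DefaultCredentialsProvider chain, refuses temporary credentials up front with a readable error, and otherwise builds the `aws` kmsProviders entry and creates a data key. The key vault namespace, region and CMK ARN are placeholders I chose, not values from the question.

```java
import com.mongodb.ClientEncryptionSettings;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.model.vault.DataKeyOptions;
import com.mongodb.client.vault.ClientEncryption;
import com.mongodb.client.vault.ClientEncryptions;
import org.bson.BsonBinary;
import org.bson.BsonDocument;
import org.bson.BsonString;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import java.util.HashMap;
import java.util.Map;

public class CsfleAwsKms {
    // The "aws" entry of kmsProviders takes only accessKeyId/secretAccessKey.
    // Credentials that carry a session token (instance profile, STS) are the
    // case the question reports KMS rejecting, so fail early with a clear error
    // instead of a failed MongoClient at runtime.
    static Map<String, Map<String, Object>> awsKmsProviders(AwsCredentials creds) {
        if (creds instanceof AwsSessionCredentials) {
            throw new IllegalStateException("temporary credentials resolved (session token present); "
                    + "CSFLE needs long-lived IAM user keys for the aws KMS provider");
        }
        Map<String, Object> aws = new HashMap<>();
        aws.put("accessKeyId", creds.accessKeyId());
        aws.put("secretAccessKey", creds.secretAccessKey());
        Map<String, Map<String, Object>> providers = new HashMap<>();
        providers.put("aws", aws);
        return providers;
    }
    public static void main(String[] args) {
        // Same chain the question names: env vars, ~/.aws profile, instance profile...
        AwsCredentials creds = DefaultCredentialsProvider.create().resolveCredentials();
        ClientEncryptionSettings settings = ClientEncryptionSettings.builder()
                .keyVaultMongoClientSettings(MongoClientSettings.builder().build()) // localhost:27017
                .keyVaultNamespace("encryption.__keyVault")
                .kmsProviders(awsKmsProviders(creds))
                .build();
        // Placeholder CMK; region and ARN are assumptions, not values from the question.
        BsonDocument masterKey = new BsonDocument("region", new BsonString("us-east-1"))
                .append("key", new BsonString("arn:aws:kms:us-east-1:111122223333:key/<KEY-ID>"));
        try (ClientEncryption ce = ClientEncryptions.create(settings)) {
            BsonBinary dataKeyId = ce.createDataKey("aws", new DataKeyOptions().masterKey(masterKey));
            System.out.println("created data key " + dataKeyId.asUuid());
        }
    }
}
```

On an instance where only the instance profile is available, the check throws before any KMS call is made; with IAM user keys in the environment it proceeds to create the data key.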
Reputation: 14520
As with all projects, the initial implementation of CSFLE had a scope. This scope did not include the ability to use instance roles for credential identification.

I suggest you submit your request to https://feedback.mongodb.com/ for consideration.
Upvotes: 3