无法将 AWS IAM 角色与 KMS 提供程序一起用于 MongoDB 客户端字段级加密?
[英]Can't use AWS IAM Roles with KMS Providers for MongoDB Client Side Field Level Encryption?
问题描述
I am using EC2 Instance profile credentials for allowing the AWS EC2 instance to access other AWS services.
我正在使用 EC2 实例配置文件凭证来允许 AWS EC2 实例访问其他 AWS 服务。
Recently, I implemented MongoDB Client-Side Field-Level Encryption for which the AWS KMS has been used as KMS Providers.最近,我实施MongoDB Client-Side Field-Level Encryption ,AWS KMS 已用作 KMS 提供程序。 The MongoDB Documentation for CSFLE mentions that the KMS Provider should have secret key and access key that maps to an IAM User. CSFLE 的MongoDB 文档提到 KMS 提供者应该具有映射到 IAM 用户的密钥和访问密钥。
This way I will have to create another IAM User and then maintain those credentials separately.这样,我将不得不创建另一个 IAM 用户,然后单独维护这些凭证。 A simpler way (and more secure) would have been to use the DefaultCredentialsProvider from software.amazon.awssdk:auth and that could have used the credentials from the instance profile that could have given access to the KMS.一种更简单(并且更安全)的方法是使用来自software.amazon.awssdk:auth的DefaultCredentialsProvider ,并且可以使用实例配置文件中的凭证,该凭证可以授予对 KMS 的访问权限。 But this does not work for me and MongoClient fails as KMS rejects the security token used.但这对我不起作用,并且 MongoClient 失败,因为 KMS 拒绝使用的安全令牌。
Is there any reason behind not allowing this way of accessing KMS?不允许这种访问 KMS 的方式有什么原因吗?
1 个解决方案
解决方案1
2 已采纳 2020-04-24 19:51:44
As all projects, initial implementation of CSFLE had a scope.与所有项目一样,CSFLE 的初始实施具有 scope。 This scope did not include the ability to use instance roles for credential identification.此 scope 不包括使用实例角色进行凭证识别的能力。
I suggest you submit your request to https://feedback.mongodb.com/ for consideration.我建议您将您的请求提交给https://feedback.mongodb.com/以供考虑。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.