fix(NODE-6051): only provide expected allowed keys to libmongocrypt after fetching aws kms credentials #4057
Merged
baileympearson force-pushed the NODE-6051 branch from 7c72a03 to fe77fe0 on March 26, 2024 20:57
baileympearson changed the title from "signing commit object" to "fix(NODE-6051): cache AWS credential provider during KMS refresh and only provide allowed keys to libmongocrypt" on Mar 26, 2024
baileympearson force-pushed the NODE-6051 branch from 423d771 to 191bc4a on March 27, 2024 18:00
baileympearson force-pushed the NODE-6051 branch from 1c6de62 to 5321999 on March 29, 2024 18:38
baileympearson changed the title from "fix(NODE-6051): cache AWS credential provider during KMS refresh and only provide allowed keys to libmongocrypt" to "fix(NODE-6051): only provide expected allowed keys to libmongocrypt after fetching aws kms credentials" on Mar 29, 2024
baileympearson commented Mar 29, 2024
baileympearson force-pushed the NODE-6051 branch from ad2b018 to 56e8fc6 on March 29, 2024 20:07
baileympearson force-pushed the NODE-6051 branch from 56e8fc6 to a702990 on March 29, 2024 20:09
W-A-James added the "Primary Review" label (In Review with primary reviewer, not yet ready for team's eyes) on Apr 2, 2024
W-A-James requested changes Apr 2, 2024
LGTM apart from skip reason change and update to highlight
Co-authored-by: Warren James <[email protected]>
W-A-James approved these changes Apr 3, 2024
W-A-James added the "Team Review" label (Needs review from team) and removed the "Primary Review" label (In Review with primary reviewer, not yet ready for team's eyes) on Apr 3, 2024
aditi-khare-mongoDB approved these changes Apr 3, 2024
LGTM!
Description
What is changing?
sessionToken, accessKeyId, secretAccessKey) are returned to libmongocrypt after fetching kms credentials

I also fixed some unit test skipping logic on Node18+, which previously only skipped on Node 18 and 20. Now it skips on Node18+.
This PR includes changes from #4064 to get a greener CI.
Is there new documentation needed for these changes?
Nope.
What is the motivation for this change?
Release Highlight
AWS credentials with expirations no longer throw when using on-demand AWS KMS credentials
In addition to letting users provide KMS credentials manually, client-side encryption supports fetching AWS KMS credentials on-demand using the AWS SDK. However, AWS credential mechanisms that returned access keys with expiration timestamps caused the driver to throw an error.
The driver will no longer throw an error when receiving an expiration token from the AWS SDK.
Double check the following
npm run check:lint script
type(NODE-xxxx)[!]: description
feat(NODE-1234)!: rewriting everything in coffeescript
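
The allow-listing described in the PR title and release highlight, as an added example that is not the driver's own code: credentials fetched on demand are reduced to the three keys named in the description before they are handed on, so an expiration timestamp never crosses the boundary. The names `toKmsAwsCredentials` and `strictConsumerAccepts` are hypothetical, the shape of the fetched object is an assumption, and the sample values are constructed.

```javascript
// Keys the PR description names as the ones returned to libmongocrypt.
const ALLOWED_AWS_KEYS = ['accessKeyId', 'secretAccessKey', 'sessionToken'];
// Assumption for this example: sessionToken is optional, the other two are not.
const REQUIRED_AWS_KEYS = ['accessKeyId', 'secretAccessKey'];

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hypothetical helper: copy only allow-listed string fields from whatever the
// credential provider returned. Extras such as `expiration` are dropped.
function toKmsAwsCredentials(fetched) {
  if (fetched === null || typeof fetched !== 'object') {
    throw new TypeError('credential provider returned a non-object');
  }
  const out = {};
  for (const key of ALLOWED_AWS_KEYS) {
    if (!hasOwn(fetched, key)) continue; // never forward inherited properties
    const value = fetched[key];
    if (value === undefined || value === null) continue; // absent optional field
    if (typeof value !== 'string' || value.length === 0) {
      // Name the field only; never echo a secret value into an error message.
      throw new TypeError(`AWS credential field ${key} must be a non-empty string`);
    }
    out[key] = value;
  }
  for (const key of REQUIRED_AWS_KEYS) {
    if (!hasOwn(out, key)) throw new Error(`AWS credentials are missing ${key}`);
  }
  return out;
}

// Constructed stand-in for a strict consumer that rejects unknown fields.
// It is not libmongocrypt's code; it only models "unexpected key => rejected".
function strictConsumerAccepts(awsCreds) {
  return Object.keys(awsCreds).every((k) => ALLOWED_AWS_KEYS.includes(k));
}

// Constructed sample: temporary credentials that carry an expiration timestamp.
const SAMPLE_FETCHED = {
  accessKeyId: 'EXAMPLE-ACCESS-KEY-ID',
  secretAccessKey: 'constructed-secret-not-real',
  sessionToken: 'constructed-session-token',
  expiration: new Date('2024-03-29T20:09:00Z')
};

console.log(strictConsumerAccepts(SAMPLE_FETCHED)); // raw object is rejected
console.log(strictConsumerAccepts(toKmsAwsCredentials(SAMPLE_FETCHED))); // filtered is accepted
```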