PYTHON-3517 Add documentation for on-demand KMS providers #1113

Merged
merged 3 commits into from Nov 11, 2022
Changes from 1 commit

17 changes: 17 additions & 0 deletions doc/changelog.rst
@@ -1,6 +1,23 @@
Changelog
=========

Changes in Version 4.4
----------------------

Version 4.4 brings a number of improvements including:

- Added support for :ref:`CSFLE on-demand credentials` for cloud KMS providers.
Member

I think this can go into the 4.3.3 release if we market it as "documented support" instead of "added support". We can say that it requires pymongocrypt>=1.4. I think this makes more sense because it will be supported by older versions of pymongo too.

Member Author

Sounds good

Issues Resolved
...............

See the `PyMongo 4.4 release notes in JIRA`_ for the list of resolved issues
in this release.

.. _PyMongo 4.4 release notes in JIRA: https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=34354


Changes in Version 4.3.3
------------------------
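
Review bot: the new bullet under "Changes in Version 4.4" says "Added support for :ref:`CSFLE on-demand credentials`", but the review comment on this hunk points out that the feature already works with older PyMongo releases as long as pymongocrypt>=1.4 is installed, so the wording overstates what changed in the driver and the actual gating requirement is not recorded anywhere in the changelog. Suggest moving the bullet under "Changes in Version 4.3.3" and rewording it along the lines of "- Documented support for :ref:`CSFLE on-demand credentials` for cloud KMS providers (requires pymongocrypt>=1.4)." so readers know which package controls the behaviour; the "Issues Resolved" JIRA link would then move with it.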

77 changes: 76 additions & 1 deletion doc/examples/encryption.rst
@@ -713,6 +713,81 @@ To configure automatic *decryption* without automatic *encryption* set
client_encryption.close()
client.close()


if __name__ == "__main__":
main()


.. _CSFLE on-demand credentials:


CSFLE on-demand credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~

PyMongo 4.4 adds support for fetching on-demand KMS credentials for AWS,
GCP, and Azure cloud environments.

To enable the driver's behavior to obtain credentials from the environment, add the appropriate key ("aws", "gcp", or "azure") with an empty map to
"kms_providers" in either :class:`~pymongo.encryption_options.AutoEncryptionOpts` or :class:`~pymongo.encryption.ClientEncryption` options.

An application using AWS credentials would look like::

from pymongo import MongoClient
from pymongo.encryption import ClientEncryption
from pymongo.encryption_options import AutoEncryptionOpts
Member

AutoEncryptionOpts is imported but never used in these examples. It would be good to add one AutoEncryptionOpts example.

Member Author

Done

client = MongoClient()
client_encryption = ClientEncryption(
kms_providers={"aws": {}},
Member

A comment on these lines would be good to highlight that the empty dict means creds are looked up on demand.

Member Author

Done

key_vault_namespace="keyvault.datakeys",
key_vault_client=client,
codec_options=client.codec_options,
)
master_key = {
"region": "us-east-1",
"key": ("arn:aws:kms:us-east-1:123456789:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"),
}
client_encryption.create_data_key("aws", master_key)

The above will enable the same behavior of obtaining AWS credentials from the environment as is used for :ref:`MONGODB-AWS` authentication, including the
caching to avoid rate limiting.

An application using GCP credentials would look like::

from pymongo import MongoClient
from pymongo.encryption import ClientEncryption
from pymongo.encryption_options import AutoEncryptionOpts
client = MongoClient()
client_encryption = ClientEncryption(
kms_providers={"gcp": {}},
key_vault_namespace="keyvault.datakeys",
key_vault_client=client,
codec_options=client.codec_options,
)
master_key = {
"projectId": "my-project",
"location": "global",
"keyRing": "key-ring-csfle",
"keyName": "key-name-csfle",
}
client_encryption.create_data_key("gcp", master_key)

The driver will query the `VM instance metadata <https://cloud.google.com/compute/docs/metadata/default-metadata-values>`_ to obtain credentials.

An application using Azure credentials would look like::

from pymongo import MongoClient
from pymongo.encryption import ClientEncryption
from pymongo.encryption_options import AutoEncryptionOpts
client = MongoClient()
client_encryption = ClientEncryption(
kms_providers={"azure": {}},
key_vault_namespace="keyvault.datakeys",
key_vault_client=client,
codec_options=client.codec_options,
)
master_key = {
"keyVaultEndpoint": "https://my-keyvault-address.vault.azure.net/keys/",
"keyName": "MY-KEY-NAME",
}
client_encryption.create_data_key("azure", master_key)

The driver will `acquire an access token <https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token>`_ from the Azure VM.
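
Review bot: all three examples import `AutoEncryptionOpts` (`from pymongo.encryption_options import AutoEncryptionOpts`) but none of them uses it, even though the introductory paragraph says the empty map can be given to either `AutoEncryptionOpts` or `ClientEncryption`; either drop the unused import or add one example that passes `kms_providers={"aws": {}}` through `AutoEncryptionOpts` to `MongoClient`, so readers see the automatic-encryption path too. The `kms_providers={"aws": {}}` (and `"gcp"`, `"azure"`) lines also deserve an inline comment stating that the empty dict is what tells the driver to look the credentials up on demand, since that is the whole mechanism this section documents and the other review comment on this hunk asks for the same. Finally, the AWS paragraph only says credentials come "from the environment" by cross-reference to :ref:`MONGODB-AWS`, whereas the GCP and Azure paragraphs name the concrete source (VM instance metadata, VM access token); spelling out the AWS sources in the same way would make it clear to operators which identity the driver will end up using.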