mongoc_auto_encryption_opts_set_kms_providers()

Synopsis

void
mongoc_auto_encryption_opts_set_kms_providers (
   mongoc_auto_encryption_opts_t *opts, const bson_t *kms_providers);

Parameters

opts: The mongoc_auto_encryption_opts_t to configure.

kms_providers: A BSON document containing configuration for each KMS provider.

Each key of kms_providers names a KMS provider, as a string of the form <KMS provider type> or <KMS provider type>:<KMS provider name>. The supported KMS provider types are aws, azure, gcp, local, and kmip. The optional name enables configuring multiple KMS providers with the same KMS provider type (e.g. aws:name1 and aws:name2 can refer to different AWS accounts). At least one KMS provider must be specified.

Supported forms of the KMS provider type aws include:

aws: {
   accessKeyId: String,
   secretAccessKey: String
}

// To pass temporary credentials:
aws: {
   accessKeyId: String,
   secretAccessKey: String,
   sessionToken: String
}

// To request credentials from the environment:
aws: {}

Supported forms of the KMS provider type local include:

local: {
   // key is used to encrypt/decrypt data keys:
   key: "<96 byte BSON binary of subtype 0>" or String // May be passed as a base64 encoded string.
}

Supported forms of the KMS provider type azure include:

azure: {
   tenantId: String,
   clientId: String,
   clientSecret: String,
   identityPlatformEndpoint: Optional<String> // Defaults to login.microsoftonline.com
}

// To pass an accessToken directly:
azure: {
   accessToken: String
}

// To request credentials from the environment:
azure: {}

Supported forms of the KMS provider type gcp include:

gcp: {
   email: String,
   privateKey: byte[] or String, // May be passed as a base64 encoded string.
   endpoint: Optional<String> // Defaults to oauth2.googleapis.com
}

// To pass an accessToken directly:
gcp: {
   accessToken: String
}

// To request credentials from the environment:
gcp: {}

Supported forms of the KMS provider type kmip include:

kmip: {
   endpoint: String
}

KMS providers may include an optional name suffix separated from the type by a colon. This enables configuring multiple KMS providers with the same KMS provider type. Example:

"aws:name1": {
   accessKeyId: String,
   secretAccessKey: String
},
"aws:name2": {
   accessKeyId: String,
   secretAccessKey: String
}