RUBY-2989 Obtain AWS credentials for CSFLE (#2605)

comandeo-mongo · web-flow · commit 6db159eb836c · 2022-09-02T15:51:13.000+02:00
diff --git a/source/reference/authentication.txt b/source/reference/authentication.txt
@@ -328,6 +328,8 @@ The temporary credentials can also be provided via a URI:
   client = Mongo::Client.new(
     'mongodb://<AWS-ACCESS-KEY-ID>:<AWS-SECRET-ACCESS-KEY>@mongodb.example.com/mydb?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<AWS-SESSION-TOKEN>')
 
+.. _auto-retrieve-aws-credentials:
+
 Automatically Retrieving Credentials
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -475,7 +477,7 @@ for more information.
 
   # Authenticate as appuser@MYREALM:
   client = Mongo::Client.new("mongodb://appuser%40MYREALM@myserver.mycompany.com:27017/mydb?authMechanism=GSSAPI")
-  
+
   # Authenticate as myapp/appuser@MYREALM:
   client = Mongo::Client.new("mongodb://myapp%2Fappuser%40MYREALM@myserver.mycompany.com:27017/mydb?authMechanism=GSSAPI")
 
diff --git a/source/reference/client-side-encryption.txt b/source/reference/client-side-encryption.txt
@@ -853,7 +853,7 @@ There is no default key vault namespace, and this option must be provided.
 ``:kms_providers``
 ~~~~~~~~~~~~~~~~~~
 
-A Hash that contains KMP provider names as keys, and provider options as values.
+A Hash that contains KMS provider names as keys, and provider options as values.
 
 .. code-block:: ruby
 
@@ -864,11 +864,52 @@ A Hash that contains KMP provider names as keys, and provider options as values.
         aws: {
           access_key_id: 'IAM-ACCESS-KEY-ID',
           secret_access_key: 'IAM-SECRET-ACCESS-KEY'
+        },
+        azure: {
+          tenant_id: 'AZURE-TENANT-ID',
+          client_id: 'AZURE-CLIENT-ID',
+          client_secret: 'AZURE-CLIENT-SECRET'
+        },
+        gcp: {
+          email: 'GCP-EMAIL',
+          # :private_key value should be GCP private key as base64 encoded
+          # DER RSA private key, or PEM RSA private key, if you are using MRI Ruby.
+          private_key: 'GCP-PRIVATE-KEY',
+        },
+        kmip: {
+          # KMIP server endpoint may include port.
+          endpoint: 'KMIP-SERVER-HOST'
+        },
+        # TLS options to connect to KMIP server.
+        kms_tls_options: {
+          kmip: {
+            ssl_ca_cert: 'PATH-TO-CA-FILE',
+            ssl_cert: 'PATH-TO-CLIENT-CERT-FILE',
+            ssl_key: 'PATH-TO-CLIENT-KEY-FILE'
+          }
         }
       }
     }
   )
 
+The client can retrieve AWS credentials from the environment or from EC2 or ECS
+metadata endpoints. To retrieve credentials automatically, specify an empty Hash
+as KMS provider options for AWS:
+
+.. code-block:: ruby
+
+  Mongo::Client.new(['localhost:27017'],
+     auto_encryption_options: {
+      key_vault_namespace: 'encryption.__keyVault',
+      kms_providers: {
+        aws: {}
+      }
+    }
+  )
+
+See :ref:`"Automatically Retrieving Credentials" <auto-retrieve-aws-credentials>`
+for more detailed information about the credential retrieval.
+
 ``:kms_tls_options``
 ~~~~~~~~~~~~~~~~~~~~
 
diff --git a/source/release-notes.txt b/source/release-notes.txt
@@ -18,6 +18,17 @@ for the complete list of changes, including those internal to the driver and
 its test suite.
 
 
+.. _release-notes-2.19:
+
+2.19
+====
+
+This release includes the following new features:
+
+- Added support for automatic AWS credentials retrieval when AWS KMS is used for
+  client side encryption.
+
+
 .. _release-notes-2.18:
 
 2.18
