Atlas MongoDB CSFLE + GCP: Failed to create GCP oauth request signature

I’m trying to do a POC to work with MongoDB CSFLE using the tutorial code here (for node.js):

After some research, it almost works great, but when I reach this last code:

const key = await encryption.createDataKey(provider, {
  // keyAltNames: [credentials.GCP_KEY_NAME],

It throws an error:

TypeError: error constructing KMS message: Failed to create GCP oauth request signature: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
    at ClientEncryption.createDataKey (c:\DEV\poc-data-encryption\node_modules\mongodb-client-encryption\lib\clientEncryption.js:243:40)
    at main (c:\DEV\poc-data-encryption\src\setup-key.js:72:34)
    at processTicksAndRejections (node:internal/process/task_queues:96:5) {stack: 'TypeError: error constructing KMS message: Fa…ions (node:internal/process/task_queues:96:5)', message: 'error constructing KMS message: Failed to cr… encoding routines:asn1_check_tlen:wrong tag'}

I don’t know what to do, since we don’t have so much help online.
Where is the problem? My device, MongoDB, node.js driver or GCP?

More details:
Windows 11
Node.js 16.13.0
Atlas M0 5.0.14
“mongodb”: “^4.13.0”,
“mongodb-client-encryption”: “^2.3.0”

The documentation about CSFLE doesn't talk about required user permissions.
My current permissions are:

  • MongoDB User for key setup:

  • MongoDB user for the application:

  • GCP Service Account for setup:
    API Keys Admin
    Cloud KMS Admin
    Cloud KMS CryptoKey Encrypter/Decrypter
    Cloud KMS CryptoKey Signer/Verifier
    Cloud KMS Viewer
    Tag User

  • GCP Service Account for the application:
    (I haven't reached this step yet.) What should it be?

Nobody? Someone help meee… plz :slight_smile:

Ok. I figured it out.
I don't know why, but the Private Key in the masterKey object is not the same value as private_key in the GCP JSON key object.
I didn't see these instructions in the documentation:

If you downloaded your credentials in JSON format, you can use the following command to extract the value of your private key, substituting <credentials-filename> with the name of your credentials file:

cat <credentials-filename> | jq -r .private_key | openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER | base64

This solved the problem and all works great. :slight_smile:
