Hi!
I’m trying to do a POC to work with MongoDB CSFLE using the tutorial code here (for node.js):
A)
After some research, it almost works great, but when I reach this last code:
const key = await encryption.createDataKey(provider, {
  masterKey,
  // keyAltNames: [credentials.GCP_KEY_NAME],
});
It throws an error:
TypeError: error constructing KMS message: Failed to create GCP oauth request signature: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
at ClientEncryption.createDataKey (c:\DEV\poc-data-encryption\node_modules\mongodb-client-encryption\lib\clientEncryption.js:243:40)
at main (c:\DEV\poc-data-encryption\src\setup-key.js:72:34)
at processTicksAndRejections (node:internal/process/task_queues:96:5) {stack: 'TypeError: error constructing KMS message: Fa…ions (node:internal/process/task_queues:96:5)', message: 'error constructing KMS message: Failed to cr… encoding routines:asn1_check_tlen:wrong tag'}
I don’t know what to do, since there isn’t much help online.
Where is the problem? My device, MongoDB, node.js driver or GCP?
More details:
Windows 11
Node.js 16.13.0
Atlas M0 5.0.14
"mongodb": "^4.13.0",
"mongodb-client-encryption": "^2.3.0"
B)
The documentation about CSFLE doesn’t talk about required user permissions.
My current permissions are:
- MongoDB User for key setup:
  readWrite@encryption.__keyVault
- MongoDB user for the application:
  read@encryption.__keyVault
- GCP Service Account for setup:
  API Keys Admin
  Cloud KMS Admin
  Cloud KMS CryptoKey Encrypter/Decrypter
  Cloud KMS CryptoKey Signer/Verifier
  Cloud KMS Viewer
  Tag User
  Viewer
- GCP Service Account for the application:
  (I didn’t reach this step yet) What should it be?