Hello,
I am working on hooking up explicit encryption/auto decryption using mongo FLE + go mongo-driver. Things worked in go mongo-driver 1.5.0-beta1, but are breaking in 1.5.1.
The keyvault is in its own database, while there are 2 other databases where we want to encrypt fields. The DEKs for both databases will be in a single vault, because we need to share same DEK for a collection in DB1 and collection in DB2.
We have explicit encryption we perform by creating mongo.NewClientEncryption(client,…) where we pass in corresponding client for each database, which is what I believe makes Inserts work in both driver versions.
When we do a Find on the 1.5.1 driver, however, we get the error "key vault communication error: session was not created by this client", coming from the checks in mongo-go-driver/mongo/collection.go (mongodb/mongo-go-driver on GitHub). When I debug, it is a mismatch between the session client I am using for the database the collection is in and the client the mongo driver is using to read from the key vault.
The code that initializes a client for each database is this:
```go
// Imports: stdcontext "context", "go.mongodb.org/mongo-driver/mongo", "go.mongodb.org/mongo-driver/mongo/options".
// defaultKmsProvider, defaultDataEncryptionKeyCollection, url and bsonutil.Registry are defined elsewhere in our code.
autoEncryptionOpts := options.AutoEncryption().
	SetKmsProviders(defaultKmsProvider.Credentials()). // local random master key
	SetKeyVaultNamespace(defaultDataEncryptionKeyCollection). // "<db>.<coll>" of the shared key vault
	SetBypassAutoEncryption(true) // we encrypt explicitly; the driver still auto-decrypts
clientOptions := options.Client().ApplyURI(url).SetRegistry(bsonutil.Registry).SetAutoEncryptionOptions(autoEncryptionOpts)
client, err := mongo.Connect(stdcontext.Background(), clientOptions)
if err != nil {
	return nil, err
}
```
When I debug on mongo-driver 1.5.0-beta1 I observe that the resulting client has:
- keyVaultClientFLE is nil
- keyVaultCollFLE set with client id EQUAL to the id of the client
When I switch to mongo-driver 1.5.1 the resulting client has:
- keyVaultClientFLE set with client id DIFFERENT from the id of the client
- keyVaultCollFLE set with client id same as keyVaultClientFLE, different from the id of the client
Without changing code, if I downgrade from go mongo-driver 1.5.1 to 1.5.0-beta1, things work as the clients match.
Is there a way, maybe an option, to force it to use the same client when initializing keyVaultClientFLE/keyVaultCollFLE? Or is my approach wrong? Any guidance would be appreciated. Please let me know if I can provide more details.