Go mongo-driver 1.5.1 automatic decryption fails with "key vault communication error: session was not created by this client"


I am working on hooking up explicit encryption/auto decryption using MongoDB FLE + the Go mongo-driver. Things worked in go mongo-driver 1.5.0-beta1, but are breaking in 1.5.1.

The key vault is in its own database, while there are 2 other databases where we want to encrypt fields. The DEKs for both databases will be in a single vault, because we need to share the same DEK for a collection in DB1 and a collection in DB2.

We perform explicit encryption by creating mongo.NewClientEncryption(client, …), passing in the corresponding client for each database, which is what I believe makes inserts work in both driver versions.

When we do a Find on the 1.5.1 driver, however, we get the error “key vault communication error: session was not created by this client” coming from the checks in mongo-go-driver/mongo/collection.go. When I debug it, it is a mismatch between the session client I am using for the database the collection is in and the client the mongo driver is using to read from the key vault.

The code that initializes a client for each database is this:

autoEncryptionOpts := options.AutoEncryption().
	SetKmsProviders(defaultKmsProvider.Credentials()) // local KMS provider with a random master key; further auto-encryption options are not shown here

clientOptions := options.Client().
	ApplyURI(url).
	SetRegistry(bsonutil.Registry). // our own BSON codec registry
	SetAutoEncryptionOptions(autoEncryptionOpts)
client, err := mongo.Connect(stdcontext.Background(), clientOptions) // stdcontext is the standard "context" package

When I debug on mongo-driver 1.5.0-beta1, I observe that the resulting client has:

  • keyVaultClientFLE is nil
  • keyVaultCollFLE is set, with a client id EQUAL to the id of the client

When I switch to mongo-driver 1.5.1, the resulting client has:

  • keyVaultClientFLE is set, with a client id DIFFERENT from the id of the client
  • keyVaultCollFLE is set, with the same client id as keyVaultClientFLE, different from the id of the client

Without changing any code, if I downgrade from go mongo-driver 1.5.1 to 1.5.0-beta1, things work, as the clients match.

Is there a way, maybe an option, to force it to use the same client when initializing keyVaultClientFLE/keyVaultCollFLE? Or is my approach wrong? Any guidance would be appreciated. Please let me know if I can provide more details.

Opened a bug with more details: https://jira.mongodb.org/browse/GODRIVER-2147