Hi…
I have a working C# (.NET Core) project using CSFLE, with a local master key.
I am trying to set it up using Azure Key Vault. I do not have direct access to the Key Vault client secret, tenant ID etc… in the code, as I am using Azure App Services with system managed identity.
I can access Key Vault using Azure.Identity (the DefaultAzureCredential method) and pull the master key, and store it as if it's a local key, and this works fine.
But to implement proper decryption of the data keys on the KMS I need to somehow pass in the tenant info, client secret etc… to the Mongo driver, as per the docs…
```csharp
using System;
using System.Collections.Generic;

var kmsProviders = new Dictionary<string, IReadOnlyDictionary<string, object>>();

// Service principal details read from the environment
var azureTenantId = Environment.GetEnvironmentVariable("FLE_AZURE_TENANT_ID");
var azureClientId = Environment.GetEnvironmentVariable("FLE_AZURE_CLIENT_ID");
var azureClientSecret = Environment.GetEnvironmentVariable("FLE_AZURE_CLIENT_SECRET");

// Options for the "azure" KMS provider
var azureKmsOptions = new Dictionary<string, object>
{
    { "tenantId", azureTenantId },
    { "clientId", azureClientId },
    { "clientSecret", azureClientSecret },
};
kmsProviders.Add("azure", azureKmsOptions);
```
Is there any way to provide an Azure identity object to the driver, without having to directly access and set the secret/clientId etc…?
Thanks!