Hey, I’m trying to implement client-side field level encryption (CSFLE). I’m running MongoDB in a container on my EC2 instance.
I wrote a script that uses my EC2 instance’s programmatic access credentials and connects to the AWS KMS provider, but whenever I try to create a data key or encrypt anything, I get an error:
EncryptionError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400
I also tried setting the ACCESS_KEY, SECRET_KEY and SESSION_TOKEN as environment variables and still got the error.
The EC2 instance has full control over KMS.
When using the normal boto3 ‘KMS’ client, I can create a data key and encrypt and decrypt data without problems.
I wanted to open a Jira bug issue about this case but figured I might be doing something wrong.
That’s the script I used (linked on Pastebin.com; it begins with `from boto3 import Session`, `from pymongo import MongoClient`, `from pymongo.encrypt…`).
I’d appreciate any help provided.
Hello @Gal_Gertzman!
CSFLE does not currently support temporary credentials for AWS. You can authenticate with an access key id and secret access key. But you cannot pass a session token through the KMS providers configuration.
@Kevin_Albertson, do you know when this will be supported? Access Key ID and Secret Access Key is fairly looked down on as a secure authentication method with AWS. Temporary security credentials in IAM - AWS Identity and Access Management
@Carson_Franklin, this is now supported in many of the MongoDB drivers. See https://jira.mongodb.org/browse/DRIVERS-1490 for details.
Regards,
Jeff
Following up on Jeff’s response, for the benefit of those arriving from a search: temporary security credentials are now fully supported in CSFLE. See “sessionToken” in, for example, the Java driver:
or in the Node driver:
or Python:
https://pymongo.readthedocs.io/en/stable/api/pymongo/encryption_options.html
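As an added example (not code from the thread or from the MongoDB drivers), here is how the `kms_providers` mapping for AWS KMS is built from temporary credentials in Python, using the `accessKeyId`, `secretAccessKey` and `sessionToken` keys that PyMongo documents. The `AwsCredentials` class is a constructed stand-in for the object `boto3.Session().get_credentials().get_frozen_credentials()` returns (same `access_key`, `secret_key`, `token` attributes), so the block runs without boto3 or pymongo installed; the sample values are made up. It also catches the mistake behind the original post’s error: an access key ID that starts with `ASIA` is a temporary credential and is useless without its session token.

```python
"""Build a CSFLE kms_providers mapping for AWS KMS from (temporary) credentials."""
import os
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class AwsCredentials:
    """Constructed stand-in for botocore's ReadOnlyCredentials.

    boto3's frozen credentials expose the same three attributes, so a real
    object from get_frozen_credentials() can be passed in place of this.
    """
    access_key: str
    secret_key: str
    token: Optional[str] = None


def kms_providers_from_credentials(creds) -> dict:
    """Map AWS credentials to the dict ClientEncryption / AutoEncryptionOpts expect.

    sessionToken is emitted only when a token is present; long-term IAM user
    keys (access key IDs starting with AKIA) have none. Temporary credentials
    (access key IDs starting with ASIA, e.g. from an instance role or STS)
    are rejected without a token, because KMS answers such requests with
    "The security token included in the request is invalid".
    """
    if not creds.access_key or not creds.secret_key:
        raise ValueError("AWS access key id and secret access key are required")
    if creds.access_key.startswith("ASIA") and not creds.token:
        raise ValueError("temporary credentials (ASIA...) require a session token")
    aws = {"accessKeyId": creds.access_key, "secretAccessKey": creds.secret_key}
    if creds.token:
        aws["sessionToken"] = creds.token
    return {"aws": aws}


def kms_providers_from_env(environ: Mapping[str, str] = os.environ) -> dict:
    """Same mapping, read from the standard AWS_* environment variables."""
    return kms_providers_from_credentials(AwsCredentials(
        access_key=environ.get("AWS_ACCESS_KEY_ID", ""),
        secret_key=environ.get("AWS_SECRET_ACCESS_KEY", ""),
        token=environ.get("AWS_SESSION_TOKEN") or None,
    ))


def uses_temporary_credentials(kms_providers: dict) -> bool:
    """True when the AWS provider entry carries a session token."""
    return "sessionToken" in kms_providers.get("aws", {})


if __name__ == "__main__":
    # Constructed sample values; real ones come from the instance role / STS.
    temp = AwsCredentials("ASIAEXAMPLEKEYID", "example-secret", "FwoGZXIvYXdzEXAMPLE")
    providers = kms_providers_from_credentials(temp)
    print(providers, uses_temporary_credentials(providers))
```

The returned dict is what you hand to `pymongo.encryption.ClientEncryption(kms_providers, key_vault_namespace, key_vault_client, codec_options)` or to `AutoEncryptionOpts`. One caveat for instance-role credentials: they rotate, and the driver does not re-read the dict, so build the `ClientEncryption` object from freshly fetched credentials (boto3 refreshes them on `get_frozen_credentials()`) rather than caching the mapping for the life of the process.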