'Invalid security token' When creating a data_key/encrypting using KMS inside an EC2 instance

Hey, I’m trying to implement Client side field level encryption, I’m running MongoDB on a container inside my EC2 instance

I wrote a script that uses my EC2’s Programmatic access credentials and connects to the AWS KMS provider, but whenever I try to create a data key, or encrypt anything, I get an error:
EncryptionError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400

I also tried setting the ACCESS_KEY, SECRET_KEY and SESSION_TOKEN to be environment variables and still got the error

The EC2 instance has full control over KMS,
Whenever using the normal boto3 ‘KMS’ client, I can manage to create a data_key, encrypt and decrypt data

I wanted to open a Jira Bug issue about this case but figured I might be doing something wrong

That’s the script that I used - https://pastebin.com/LGjD5bLU

I’d appreciate any help provided :slight_smile:

Hello @Gal_Gertzman!

CSFLE does not currently support temporary credentials for AWS. You can authenticate with an access key id and secret access key. But you cannot pass a session token through the KMS providers configuration.


@Kevin_Albertson, do you know when this will be supported? Access Key ID and Secret Access Key is fairly looked down on as a secure authentication method with AWS. Temporary security credentials in IAM - AWS Identity and Access Management

@Carson_Franklin, this is now supported in many of the MongoDB drivers. See System Dashboard - MongoDB for details.



Following up on Jeff’s response, for the benefit of those arriving from a search. Temporary security credentials are fully supported in CSFLE now. See “sessionToken” in, for example, the Java driver:

or in the Node driver:

or Python: