RUBY-3886 Migrate FLE/CSFLE test secrets to AWS Secrets Manager#3048
Draft
comandeo-mongo wants to merge 4 commits into
Draft
RUBY-3886 Migrate FLE/CSFLE test secrets to AWS Secrets Manager#3048comandeo-mongo wants to merge 4 commits into
comandeo-mongo wants to merge 4 commits into
Conversation
Replace the deprecated project-variables approach in "export AWS auth credentials" with a call to drivers-evergreen-tools setup-secrets.sh, which fetches credentials from the drivers/aws_auth vault. Update run-tests-aws-auth.sh and functions-aws.sh to source secrets-export.sh instead of .env.private when running in CI.
Replace the "export FLE credentials" Evergreen function that wrote secrets to .env.private with a subprocess.exec calling drivers-evergreen-tools csfle/setup-secrets.sh. This fetches FLE secrets from the drivers/csfle vault and generates temporary AWS credentials via setup_secrets.py, writing everything to secrets-export.sh in the task working directory. Update run-tests.sh to source secrets-export.sh and remap the vault variable names (FLE_AWS_KEY, FLE_AZURE_TENANTID, etc.) to the MONGO_RUBY_DRIVER_* names expected by the test suite. Remove the deprecated set-temp-creds.sh call. Non-secret FLE configuration (key ARNs, endpoints, key names) is passed via Evergreen expansion in the "run tests" function, which now exports MONGO_RUBY_DRIVER_AWS_REGION, MONGO_RUBY_DRIVER_AWS_ARN, and the Azure/GCP config vars directly.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR migrates FLE/CSFLE test secret provisioning in Evergreen from writing secrets into .env.private to using drivers-evergreen-tools/.evergreen/csfle/setup-secrets.sh, which pulls secrets from AWS Secrets Manager and generates temporary credentials for the test run.
Changes:
- Replaced the Evergreen
"export FLE credentials"function to invokecsfle/setup-secrets.shviasubprocess.exec. - Updated
.evergreen/run-tests.shto sourcesecrets-export.shand map generated values intoMONGO_RUBY_DRIVER_*environment variables. - Adjusted Evergreen test-run setup to export non-secret FLE-related configuration via environment variables (region/ARN/endpoints, etc.).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
.evergreen/run-tests.sh |
Sources secrets-export.sh and exports FLE-related env vars for the Ruby test suite. |
.evergreen/config/common.yml.erb |
Switches FLE secret export to subprocess.exec running drivers-evergreen-tools setup-secrets.sh, and adjusts FLE env exports. |
.evergreen/config.yml |
Same Evergreen configuration updates as common.yml.erb in the generated config. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+240
to
+244
| if test -f secrets-export.sh; then | ||
| # shellcheck disable=SC1091 | ||
| . ./secrets-export.sh | ||
| export MONGO_RUBY_DRIVER_AWS_KEY="${FLE_AWS_KEY}" | ||
| export MONGO_RUBY_DRIVER_AWS_SECRET="${FLE_AWS_SECRET}" |
| # shellcheck disable=SC1091 | ||
| . ./secrets-export.sh | ||
| export MONGO_RUBY_DRIVER_AWS_KEY="${FLE_AWS_KEY}" | ||
| export MONGO_RUBY_DRIVER_AWS_SECRET="${FLE_AWS_SECRET}" |
setup-secrets.sh writes AWS_SESSION_TOKEN="" to secrets-export.sh for long-lived keys. With an empty session token in the environment, the driver includes a sessionToken: "" field in KMS credentials, causing AWS to reject the request with an authentication error.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Replace the `"export FLE credentials"` Evergreen function that wrote secrets to `.env.private` with a `subprocess.exec` calling `drivers-evergreen-tools/.evergreen/csfle/setup-secrets.sh`. This fetches FLE secrets from the `drivers/csfle` vault in AWS Secrets Manager and generates temporary AWS STS credentials, writing everything to `secrets-export.sh` in the task working directory.
Jira: https://jira.mongodb.org/browse/RUBY-3886