Skip to content

[Encryption] Cast KMS provider to object to support AWS empty config #2801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 13, 2025
Merged

[Encryption] Cast KMS provider to object to support AWS empty config #2801

merged 1 commit into from
Aug 13, 2025

Conversation

@GromNaN
Copy link
Member

@GromNaN GromNaN commented Aug 12, 2025
edited
Loading

Q A
Type bug
BC Break no
Fixed issues DoctrineMongoDBBundle#897

Summary

For some KMS providers, all options can be omitted. The authentication is done using the env var or the system.
https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.md#credentialproviders

@GromNaN GromNaN requested a review from jmikola August 12, 2025 19:37
jmikola
jmikola approved these changes Aug 13, 2025
View reviewed changes
lib/Doctrine/ODM/MongoDB/Configuration.php
return [
'kmsProviders' => [$this->attributes['kmsProvider']['type'] => array_diff_key($this->attributes['kmsProvider'], ['type' => 0])],
// Each kmsProvider must be an object, it can be empty
'kmsProviders' => [$this->attributes['kmsProvider']['type'] => (object) array_diff_key($this->attributes['kmsProvider'], ['type' => 0])],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slight correction to the PR description, since you said only mentioned AWS there.

credentialProviders talks about only supporting AWS, but Automatic Credentials mentions that AWS, Azure, and GCP are all supported. The struct definition in kmsProviders also demonstrates that those three provider types might be expressed as an empty object.

I'll also note that libmongocrypt supports named KMS providers (e.g. aws:foo), which in turn do not support fetching automatic credentials from the environment.

I don't think this changes the code you have here, but I wanted to clarify.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I updated the PR description.

@GromNaN GromNaN merged commit cf3c0b7 into doctrine:feature/queryable-encryption Aug 13, 2025
19 of 21 checks passed
@GromNaN GromNaN deleted the object-kms-provider branch August 13, 2025 18:31
This was referenced Aug 13, 2025
Merged
Merged
GromNaN added a commit to doctrine/DoctrineMongoDBBundle that referenced this pull request Aug 18, 2025
@GromNaN
Cast KMS provider to object to support AWS empty config
81a7ddb 
doctrine/mongodb-odm#2801
@GromNaN GromNaN mentioned this pull request Aug 19, 2025
Merged
GromNaN added a commit to doctrine/DoctrineMongoDBBundle that referenced this pull request Aug 19, 2025
@GromNaN
Cast KMS provider to object to support AWS empty config
953613d 
doctrine/mongodb-odm#2801
GromNaN added a commit to GromNaN/DoctrineMongoDBBundle that referenced this pull request Aug 20, 2025
@GromNaN
Cast KMS provider to object to support AWS empty config
54d2fa6 
doctrine/mongodb-odm#2801
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmikola jmikola jmikola approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@GromNaN @jmikola