RUBY-3888 Migrate Atlas connectivity secrets to AWS Secrets Manager #3049
Open
comandeo-mongo wants to merge 6 commits into
Conversation
Replace the deprecated project-variables approach in "export AWS auth credentials" with a call to drivers-evergreen-tools setup-secrets.sh, which fetches credentials from the drivers/aws_auth vault. Update run-tests-aws-auth.sh and functions-aws.sh to source secrets-export.sh instead of .env.private when running in CI.
Replace the "export FLE credentials" Evergreen function that wrote secrets to .env.private with a subprocess.exec calling drivers-evergreen-tools csfle/setup-secrets.sh. This fetches FLE secrets from the drivers/csfle vault and generates temporary AWS credentials via setup_secrets.py, writing everything to secrets-export.sh in the task working directory. Update run-tests.sh to source secrets-export.sh and remap the vault variable names (FLE_AWS_KEY, FLE_AZURE_TENANTID, etc.) to the MONGO_RUBY_DRIVER_* names expected by the test suite. Remove the deprecated set-temp-creds.sh call. Non-secret FLE configuration (key ARNs, endpoints, key names) is passed via Evergreen expansion in the "run tests" function, which now exports MONGO_RUBY_DRIVER_AWS_REGION, MONGO_RUBY_DRIVER_AWS_ARN, and the Azure/GCP config vars directly.
Replace Evergreen project variable expansion for Atlas connection URIs and X.509 certificates with a call to drivers-evergreen-tools secrets_handling/setup-secrets.sh drivers/atlas_connect, matching the pattern used by the Python and Node drivers. Add "export Atlas credentials" function and wire it into the test-atlas task. Remove the eleven atlas_* Evergreen project variable references from "run Atlas tests" and from the setup-system expansion.yml block. Remove the atlas_serverless_uri / atlas_serverless_lb_uri references from "run Atlas tests" — those credentials are already sourced by run-tests-serverless.sh from the serverless secrets-export.sh. Update run-tests-atlas.sh to source secrets-export.sh so the ATLAS_* variables are available to the spec suite.
The drivers/atlas_connect vault exports ATLAS_REPL, ATLAS_SHRD, etc. (shared naming with Python/Node), but the Ruby spec expects ATLAS_REPLICA_SET_URI, ATLAS_SHARDED_URI, etc.
csfle/setup_secrets.py writes AWS_SESSION_TOKEN="" into secrets-export.sh to neutralize any ambient session token before its STS call. Sourcing that file sets the variable to an empty string, which libmongocrypt then passes to AWS KMS as an empty security token, causing on-demand credential discovery to fail. Unset the variable when it is empty so libmongocrypt performs credential discovery without a session token.
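The sourcing-and-remapping step these commits describe, as an added shell example that is not code from the mongo-ruby-driver repository or from drivers-evergreen-tools: it writes a constructed secrets-export.sh, sources it, unsets AWS_SESSION_TOKEN when the file set it to the empty string (the failure mode described in the last commit), and maps the vault names to the driver names while failing fast on a missing secret instead of exporting an empty string. The file contents, the write_sample_secrets, remap_required, unset_if_empty and load_secrets function names, and the example.invalid hostnames are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the mongo-ruby-driver repository or drivers-evergreen-tools.
# Shows how to consume a secrets-export.sh produced by a setup-secrets.sh-style tool.

# Write a constructed secrets file that mimics the vault output (sample values only).
write_sample_secrets() {
  cat > "$1" <<'EOF'
export ATLAS_REPL="mongodb+srv://user:pass@repl.example.invalid/?retryWrites=true"
export ATLAS_SHRD="mongodb+srv://user:pass@shrd.example.invalid/"
export AWS_SESSION_TOKEN=""
export FLE_AWS_KEY="AKIAEXAMPLEKEY"
export FLE_AWS_SECRET="examplesecret"
EOF
}

# remap_required SRC DST: export DST with SRC's value.
# Returns 1 (and names the missing secret on stderr) if SRC is unset or empty,
# so a renamed vault key fails the task here rather than inside a KMS or connect call.
remap_required() {
  src="$1"; dst="$2"
  eval "val=\${$src:-}"
  if [ -z "$val" ]; then
    echo "missing required secret $src (needed for $dst)" >&2
    return 1
  fi
  export "$dst=$val"
}

# unset_if_empty NAME...: drop variables the secrets file set to "" so clients that
# do credential discovery never see an empty session token.
unset_if_empty() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      unset "$name"
    fi
  done
}

# load_secrets FILE: source the file, clean up empty tokens, remap names.
# Any missing secret makes the && chain return non-zero for the caller to act on.
load_secrets() {
  file="$1"
  [ -f "$file" ] || { echo "secrets file $file not found" >&2; return 1; }
  # shellcheck disable=SC1090
  . "$file"
  unset_if_empty AWS_SESSION_TOKEN
  remap_required ATLAS_REPL ATLAS_REPLICA_SET_URI &&
  remap_required ATLAS_SHRD ATLAS_SHARDED_URI &&
  remap_required FLE_AWS_KEY MONGO_RUBY_DRIVER_AWS_KEY &&
  remap_required FLE_AWS_SECRET MONGO_RUBY_DRIVER_AWS_SECRET
}

# Demo entry point: prints only the exported variable names, never their values.
if [ "${1:-}" = "--demo" ]; then
  demo_file="${TMPDIR:-/tmp}/secrets-export-demo-$$.sh"
  write_sample_secrets "$demo_file"
  load_secrets "$demo_file" && env | grep -E '^(ATLAS_|MONGO_RUBY_DRIVER_)' | cut -d= -f1 | sort
  rm -f "$demo_file"
fi
```

Run it with `--demo` to list the exported names; in a CI runner the `load_secrets` call would take the place of the `if test -f secrets-export.sh` block, with a missing secret surfacing as a non-zero exit and a message naming the absent vault key.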
Contributor (Copilot review)
Pull request overview
Migrates Atlas connectivity credentials (and parallel FLE credentials) from Evergreen project expansion variables to AWS Secrets Manager via drivers-evergreen-tools' setup-secrets.sh, aligning with the Python/Node driver patterns. The Atlas test runner now sources secrets-export.sh and remaps the shared vault variable names to the names the Ruby specs expect.
Changes:
- New "export Atlas credentials" Evergreen function and wiring into test-atlas; removes the inline atlas_* expansion references (including serverless URIs and X.509 cert base64).
- Replaces the shell-based "export FLE credentials" (which wrote .env.private) with a subprocess.exec call to csfle/setup-secrets.sh; run-tests.sh now sources secrets-export.sh and maps FLE_* to MONGO_RUBY_DRIVER_* env vars.
- run-tests-atlas.sh sources secrets-export.sh and remaps ATLAS_REPL/ATLAS_SHRD/etc. to the spec-expected variable names.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .evergreen/config/common.yml.erb | Adds Atlas secrets fetch function, rewrites FLE secrets fetch to use setup-secrets.sh, and removes inline atlas_*/fle_aws_* expansion exports. |
| .evergreen/config.yml | Generated counterpart of the common.yml.erb changes. |
| .evergreen/run-tests-atlas.sh | Sources secrets-export.sh and remaps vault Atlas variable names to the names consumed by the Atlas spec. |
| .evergreen/run-tests.sh | Replaces the temporary-AWS-credentials step with sourcing secrets-export.sh to provide FLE credentials. |
Comment on lines +31 to +42
| if test -f secrets-export.sh; then | ||
| # shellcheck disable=SC1091 | ||
| . ./secrets-export.sh | ||
| # Map from vault variable names (shared with Python/Node) to Ruby driver expected names. | ||
| export ATLAS_REPLICA_SET_URI="${ATLAS_REPL}" | ||
| export ATLAS_SHARDED_URI="${ATLAS_SHRD}" | ||
| export ATLAS_FREE_TIER_URI="${ATLAS_FREE}" | ||
| export ATLAS_TLS11_URI="${ATLAS_TLS11}" | ||
| export ATLAS_TLS12_URI="${ATLAS_TLS12}" | ||
| export ATLAS_X509_URI="${ATLAS_X509}" | ||
| export ATLAS_X509_DEV_URI="${ATLAS_X509_DEV}" | ||
| fi |
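Review bot: the `export ATLAS_REPLICA_SET_URI="${ATLAS_REPL}"` line and the six mappings after it export an empty string whenever the vault variable is unset, so a missing or renamed key in drivers/atlas_connect only surfaces later as an unhelpful connection failure inside the spec; using `${ATLAS_REPL:?}` (or an explicit `[ -n "${ATLAS_REPL:-}" ]` check) on each mapping would fail the task immediately with the name of the missing secret. The `if test -f secrets-export.sh; then` guard skips silently in the same way: if setup-secrets.sh did not run, nothing is exported and the specs proceed without credentials, so an `else` branch that writes a message to stderr would make that state visible in the task log.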
Comment on lines +240 to +253
| if test -f secrets-export.sh; then | ||
| # shellcheck disable=SC1091 | ||
| . ./secrets-export.sh | ||
| # setup-secrets.sh sets AWS_SESSION_TOKEN="" for long-lived keys. Unset it | ||
| # so the driver does not include an empty security token in KMS requests. | ||
| [ -z "${AWS_SESSION_TOKEN:-}" ] && unset AWS_SESSION_TOKEN | ||
| export MONGO_RUBY_DRIVER_AWS_KEY="${FLE_AWS_KEY}" | ||
| export MONGO_RUBY_DRIVER_AWS_SECRET="${FLE_AWS_SECRET}" | ||
| export MONGO_RUBY_DRIVER_AZURE_TENANT_ID="${FLE_AZURE_TENANTID}" | ||
| export MONGO_RUBY_DRIVER_AZURE_CLIENT_ID="${FLE_AZURE_CLIENTID}" | ||
| export MONGO_RUBY_DRIVER_AZURE_CLIENT_SECRET="${FLE_AZURE_CLIENTSECRET}" | ||
| export MONGO_RUBY_DRIVER_GCP_EMAIL="${FLE_GCP_EMAIL}" | ||
| export MONGO_RUBY_DRIVER_GCP_PRIVATE_KEY="${FLE_GCP_PRIVATEKEY}" | ||
| fi |
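Review bot: the comment on the `AWS_SESSION_TOKEN` lines says the empty value is written "for long-lived keys", while the commit message in this PR describes it as csfle/setup_secrets.py neutralising any ambient session token before its STS call; the two explanations should agree so the next reader understands why an empty token has to be unset rather than left alone (the guarded `[ -z "${AWS_SESSION_TOKEN:-}" ] && unset AWS_SESSION_TOKEN` form itself is fine under `set -e`, since a failing left-hand side of `&&` does not abort). As in run-tests-atlas.sh, the seven `MONGO_RUBY_DRIVER_*` mappings export empty strings when the `FLE_*` source variable is missing; `${FLE_AWS_KEY:?}` style expansions would make the task fail at the mapping with a clear name instead of inside a KMS request.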
jamis approved these changes on May 27, 2026
Replace the eleven atlas_* Evergreen project variable references with a call to drivers-evergreen-tools/.evergreen/secrets_handling/setup-secrets.sh drivers/atlas_connect, matching the pattern used by the Python and Node drivers.

Changes

.evergreen/config/common.yml.erb / .evergreen/config.yml
- "export Atlas credentials" function: subprocess.exec calling ${DRIVERS_TOOLS}/.evergreen/secrets_handling/setup-secrets.sh drivers/atlas_connect
- "export Atlas credentials" into the test-atlas task (before "run Atlas tests")
- "run Atlas tests": remove all inline atlas_* expansion references (atlas_replica_set_uri, atlas_sharded_uri, atlas_free_tier_uri, atlas_tls11_uri, atlas_tls12_uri, atlas_x509_cert_base64, atlas_x509, atlas_x509_dev_cert_base64, atlas_x509_dev); also remove atlas_serverless_uri / atlas_serverless_lb_uri (serverless runner already sources its own secrets-export.sh)
- setup-system: remove the five ATLAS_* lines from the expansion.yml block

.evergreen/run-tests-atlas.sh
- secrets-export.sh before running specs so ATLAS_* variables are available

Vault

drivers/atlas_connect — used by Python and Node drivers for the same purpose (static Atlas cluster URIs + X.509 certificates). X.509 cert base64 decoding is done in Ruby's spec directly (Base64.strict_decode64), so no shell-side decoding step is needed.

Test plan

- bash -n .evergreen/run-tests-atlas.sh — syntax OK
- bundle exec rspec spec/atlas/atlas_connectivity_spec.rb — 7 examples, 0 failures, 7 pending (require live Atlas cluster, as expected)

Full CI verification requires Evergreen with Atlas connectivity build variants. This PR builds on RUBY-3886 (branch ruby-3888 is based on ruby-3886).

Jira: https://jira.mongodb.org/browse/RUBY-3888