From 8f7b27cbc3212c6e0a511e840ea1a6d8c3702430 Mon Sep 17 00:00:00 2001
From: Dmitry Rybakov
Date: Wed, 20 May 2026 10:34:07 +0200
Subject: [PATCH 1/5] RUBY-3672 Use AWS Secrets Manager for AWS auth test credentials

Replace the deprecated project-variables approach in "export AWS auth credentials" with a call to drivers-evergreen-tools setup-secrets.sh, which fetches credentials from the drivers/aws_auth vault. Update run-tests-aws-auth.sh and functions-aws.sh to source secrets-export.sh instead of .env.private when running in CI.
---
 .evergreen/config.yml            | 32 +++++--------------------------
 .evergreen/config/common.yml.erb | 32 +++++--------------------------
 .evergreen/functions-aws.sh      |  7 ++++---
 .evergreen/run-tests-aws-auth.sh |  7 ++++---
 4 files changed, 18 insertions(+), 60 deletions(-)

diff --git a/.evergreen/config.yml b/.evergreen/config.yml
index f68b5c3dc8..0d6b8c0551 100644
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -157,35 +157,13 @@ functions:
         file: mo-expansion.yml
 
   "export AWS auth credentials":
-    - command: shell.exec
+    - command: subprocess.exec
       type: test
       params:
-        silent: true
-        working_dir: "src"
-        script: |
-          cat < .env.private
-          IAM_AUTH_ASSUME_AWS_ACCOUNT="${iam_auth_assume_aws_account}"
-          IAM_AUTH_ASSUME_AWS_SECRET_ACCESS_KEY="${iam_auth_assume_aws_secret_access_key}"
-          IAM_AUTH_ASSUME_ROLE_NAME="${iam_auth_assume_role_name}"
-          IAM_AUTH_EC2_INSTANCE_ACCOUNT="${iam_auth_ec2_instance_account}"
-          IAM_AUTH_EC2_INSTANCE_PROFILE="${iam_auth_ec2_instance_profile}"
-          IAM_AUTH_EC2_INSTANCE_SECRET_ACCESS_KEY="${iam_auth_ec2_instance_secret_access_key}"
-          IAM_AUTH_ECS_ACCOUNT="${iam_auth_ecs_account}"
-          IAM_AUTH_ECS_ACCOUNT_ARN="${iam_auth_ecs_account_arn}"
-          IAM_AUTH_ECS_CLUSTER="${iam_auth_ecs_cluster}"
-          IAM_AUTH_ECS_SECRET_ACCESS_KEY="${iam_auth_ecs_secret_access_key}"
-          IAM_AUTH_ECS_SECURITY_GROUP="${iam_auth_ecs_security_group}"
-          IAM_AUTH_ECS_SUBNET_A="${iam_auth_ecs_subnet_a}"
-          IAM_AUTH_ECS_SUBNET_B="${iam_auth_ecs_subnet_b}"
-          IAM_AUTH_ECS_TASK_DEFINITION="${iam_auth_ecs_task_definition_ubuntu2004}"
-
-          IAM_WEB_IDENTITY_ISSUER="${iam_web_identity_issuer}"
-          IAM_WEB_IDENTITY_JWKS_URI="${iam_web_identity_jwks_uri}"
-          IAM_WEB_IDENTITY_RSA_KEY="${iam_web_identity_rsa_key}"
-          IAM_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}"
-          IAM_AUTH_ASSUME_WEB_ROLE_NAME="${iam_auth_assume_web_role_name}"
-
-          EOT
+        binary: bash
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, DRIVERS_TOOLS]
+        args:
+          - "${DRIVERS_TOOLS}/.evergreen/auth_aws/setup-secrets.sh"
 
   "run CSOT tests":
     - command: shell.exec
diff --git a/.evergreen/config/common.yml.erb b/.evergreen/config/common.yml.erb
index d3e8b42021..53262db080 100644
--- a/.evergreen/config/common.yml.erb
+++ b/.evergreen/config/common.yml.erb
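Review bot: The rewritten "export AWS auth credentials" step drops the `silent: true` that the shell.exec version carried, so whatever `setup-secrets.sh` writes to stdout/stderr now lands in the task log of a `type: test` step that runs with AWS credentials in its environment. The inline heredoc that `silent` used to hide is gone, but the helper script's output is exactly what gets logged now, so keeping `silent: true` in the `params:` block preserves the previous logging posture at no cost (subprocess.exec accepts the same parameter as far as I know; worth confirming against the Evergreen docs). The same applies to the common.yml.erb hunk that follows, to both "export FLE credentials" hunks in the second patch, and to both "export Atlas credentials" hunks in the third.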
@@ -154,35 +154,13 @@ functions:
         file: mo-expansion.yml
 
   "export AWS auth credentials":
-    - command: shell.exec
+    - command: subprocess.exec
       type: test
       params:
-        silent: true
-        working_dir: "src"
-        script: |
-          cat < .env.private
-          IAM_AUTH_ASSUME_AWS_ACCOUNT="${iam_auth_assume_aws_account}"
-          IAM_AUTH_ASSUME_AWS_SECRET_ACCESS_KEY="${iam_auth_assume_aws_secret_access_key}"
-          IAM_AUTH_ASSUME_ROLE_NAME="${iam_auth_assume_role_name}"
-          IAM_AUTH_EC2_INSTANCE_ACCOUNT="${iam_auth_ec2_instance_account}"
-          IAM_AUTH_EC2_INSTANCE_PROFILE="${iam_auth_ec2_instance_profile}"
-          IAM_AUTH_EC2_INSTANCE_SECRET_ACCESS_KEY="${iam_auth_ec2_instance_secret_access_key}"
-          IAM_AUTH_ECS_ACCOUNT="${iam_auth_ecs_account}"
-          IAM_AUTH_ECS_ACCOUNT_ARN="${iam_auth_ecs_account_arn}"
-          IAM_AUTH_ECS_CLUSTER="${iam_auth_ecs_cluster}"
-          IAM_AUTH_ECS_SECRET_ACCESS_KEY="${iam_auth_ecs_secret_access_key}"
-          IAM_AUTH_ECS_SECURITY_GROUP="${iam_auth_ecs_security_group}"
-          IAM_AUTH_ECS_SUBNET_A="${iam_auth_ecs_subnet_a}"
-          IAM_AUTH_ECS_SUBNET_B="${iam_auth_ecs_subnet_b}"
-          IAM_AUTH_ECS_TASK_DEFINITION="${iam_auth_ecs_task_definition_ubuntu2004}"
-
-          IAM_WEB_IDENTITY_ISSUER="${iam_web_identity_issuer}"
-          IAM_WEB_IDENTITY_JWKS_URI="${iam_web_identity_jwks_uri}"
-          IAM_WEB_IDENTITY_RSA_KEY="${iam_web_identity_rsa_key}"
-          IAM_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}"
-          IAM_AUTH_ASSUME_WEB_ROLE_NAME="${iam_auth_assume_web_role_name}"
-
-          EOT
+        binary: bash
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, DRIVERS_TOOLS]
+        args:
+          - "${DRIVERS_TOOLS}/.evergreen/auth_aws/setup-secrets.sh"
 
   "run CSOT tests":
     - command: shell.exec
diff --git a/.evergreen/functions-aws.sh b/.evergreen/functions-aws.sh
index 0429f5f88d..8dfa215a59 100644
--- a/.evergreen/functions-aws.sh
+++ b/.evergreen/functions-aws.sh
@@ -9,9 +9,10 @@ clear_instance_profile() {
   # the main shell environment, which uses different credentials for
   # regular and assume role configurations.
   (
-    # When running in Evergreen, credentials are written to this file.
-    # In Docker they are already in the environment and the file does not exist.
-    if test -f .env.private; then
+    # Source credentials from AWS Secrets Manager (CI) or .env.private (local/Docker).
+    if test -n "${DRIVERS_TOOLS:-}" && test -f "${DRIVERS_TOOLS}/.evergreen/auth_aws/secrets-export.sh"; then
+      . "${DRIVERS_TOOLS}/.evergreen/auth_aws/secrets-export.sh"
+    elif test -f .env.private; then
       . ./.env.private
     fi
 
diff --git a/.evergreen/run-tests-aws-auth.sh b/.evergreen/run-tests-aws-auth.sh
index da508938ae..55827d5984 100755
--- a/.evergreen/run-tests-aws-auth.sh
+++ b/.evergreen/run-tests-aws-auth.sh
@@ -6,9 +6,10 @@ set +x
 
 . `dirname "$0"`/functions.sh
 
-# When running in Evergreen, credentials are written to this file.
-# In Docker they are already in the environment and the file does not exist.
-if test -f .env.private; then
+# Source credentials from AWS Secrets Manager (CI) or .env.private (local/Docker).
+if test -n "${DRIVERS_TOOLS:-}" && test -f "${DRIVERS_TOOLS}/.evergreen/auth_aws/secrets-export.sh"; then
+  . "${DRIVERS_TOOLS}/.evergreen/auth_aws/secrets-export.sh"
+elif test -f .env.private; then
   . ./.env.private
 fi
 

From d232e34fee47e0b944ad1951a146a50f3270458e Mon Sep 17 00:00:00 2001
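Review bot: The replacement comment `# Source credentials from AWS Secrets Manager (CI) or .env.private (local/Docker).` loses the point the removed lines made — that in Docker the credentials are already in the environment and no file exists — so a reader now expects `.env.private` to be present in Docker and may read the silent fall-through as a bug. Suggest keeping that sentence after the new one, e.g. `# In Docker the credentials are already in the environment and neither file exists.` The identical branch is duplicated verbatim in the run-tests-aws-auth.sh hunk below; since that script already sources a shared functions file, one helper there would keep the two lookups from drifting apart. The `clear_instance_profile` body and the subshell it opens continue outside this hunk.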
From: Dmitry Rybakov
Date: Wed, 20 May 2026 16:02:08 +0200
Subject: [PATCH 2/5] RUBY-3886 Migrate FLE/CSFLE test secrets to AWS Secrets Manager

Replace the "export FLE credentials" Evergreen function that wrote secrets to .env.private with a subprocess.exec calling drivers-evergreen-tools csfle/setup-secrets.sh. This fetches FLE secrets from the drivers/csfle vault and generates temporary AWS credentials via setup_secrets.py, writing everything to secrets-export.sh in the task working directory. Update run-tests.sh to source secrets-export.sh and remap the vault variable names (FLE_AWS_KEY, FLE_AZURE_TENANTID, etc.) to the MONGO_RUBY_DRIVER_* names expected by the test suite. Remove the deprecated set-temp-creds.sh call. Non-secret FLE configuration (key ARNs, endpoints, key names) is passed via Evergreen expansion in the "run tests" function, which now exports MONGO_RUBY_DRIVER_AWS_REGION, MONGO_RUBY_DRIVER_AWS_ARN, and the Azure/GCP config vars directly.
---
 .evergreen/config.yml            | 53 ++++++++++----------------------
 .evergreen/config/common.yml.erb | 53 ++++++++++----------------------
 .evergreen/run-tests.sh          | 14 +++++++--
 3 files changed, 44 insertions(+), 76 deletions(-)

diff --git a/.evergreen/config.yml b/.evergreen/config.yml
index 0d6b8c0551..6d65afadd5 100644
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -173,13 +173,6 @@ functions:
         working_dir: "src"
         script: |
           ${PREPARE_SHELL}
-          # Needed for generating temporary aws credentials.
-          if [ -n "${FLE}" ];
-          then
-            export AWS_ACCESS_KEY_ID="${fle_aws_key}"
-            export AWS_SECRET_ACCESS_KEY="${fle_aws_secret}"
-            export AWS_DEFAULT_REGION="${fle_aws_region}"
-          fi
           export CSOT_SPEC_TESTS=1
           unset TOPOLOGY
           export TOPOLOGY=${MLAUNCH_TOPOLOGY}
@@ -201,33 +194,14 @@ functions:
           .evergreen/run-tests.sh
 
   "export FLE credentials":
-    - command: shell.exec
+    - command: subprocess.exec
       type: test
       params:
-        silent: true
+        binary: bash
         working_dir: "src"
-        script: |
-          cat < .env.private
-          MONGO_RUBY_DRIVER_AWS_KEY="${fle_aws_key}"
-          MONGO_RUBY_DRIVER_AWS_SECRET="${fle_aws_secret}"
-          MONGO_RUBY_DRIVER_AWS_REGION="${fle_aws_region}"
-          MONGO_RUBY_DRIVER_AWS_ARN="${fle_aws_arn}"
-
-          MONGO_RUBY_DRIVER_AZURE_TENANT_ID="${fle_azure_tenant_id}"
-          MONGO_RUBY_DRIVER_AZURE_CLIENT_ID="${fle_azure_client_id}"
-          MONGO_RUBY_DRIVER_AZURE_CLIENT_SECRET="${fle_azure_client_secret}"
-          MONGO_RUBY_DRIVER_AZURE_IDENTITY_PLATFORM_ENDPOINT="${fle_azure_identity_platform_endpoint}"
-          MONGO_RUBY_DRIVER_AZURE_KEY_VAULT_ENDPOINT="${fle_azure_key_vault_endpoint}"
-          MONGO_RUBY_DRIVER_AZURE_KEY_NAME="${fle_azure_key_name}"
-
-          MONGO_RUBY_DRIVER_GCP_EMAIL="${fle_gcp_email}"
-          MONGO_RUBY_DRIVER_GCP_PRIVATE_KEY="${fle_gcp_private_key}"
-          MONGO_RUBY_DRIVER_GCP_PROJECT_ID="${fle_gcp_project_id}"
-          MONGO_RUBY_DRIVER_GCP_LOCATION="${fle_gcp_location}"
-          MONGO_RUBY_DRIVER_GCP_KEY_RING="${fle_gcp_key_ring}"
-          MONGO_RUBY_DRIVER_GCP_KEY_NAME="${fle_gcp_key_name}"
-          MONGO_RUBY_DRIVER_MONGOCRYPTD_PORT="${fle_mongocryptd_port}"
-          EOT
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, DRIVERS_TOOLS]
+        args:
+          - "${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh"
 
   "export Kerberos credentials":
     - command: shell.exec
@@ -368,12 +342,17 @@ functions:
         working_dir: "src"
         script: |
           ${PREPARE_SHELL}
-          # Needed for generating temporary aws credentials.
-          if [ -n "${FLE}" ];
-          then
-            export AWS_ACCESS_KEY_ID="${fle_aws_key}"
-            export AWS_SECRET_ACCESS_KEY="${fle_aws_secret}"
-            export AWS_DEFAULT_REGION="${fle_aws_region}"
+          if [ -n "${FLE}" ]; then
+            export MONGO_RUBY_DRIVER_AWS_REGION="${fle_aws_region}"
+            export MONGO_RUBY_DRIVER_AWS_ARN="${fle_aws_arn}"
+            export MONGO_RUBY_DRIVER_AZURE_IDENTITY_PLATFORM_ENDPOINT="${fle_azure_identity_platform_endpoint}"
+            export MONGO_RUBY_DRIVER_AZURE_KEY_VAULT_ENDPOINT="${fle_azure_key_vault_endpoint}"
+            export MONGO_RUBY_DRIVER_AZURE_KEY_NAME="${fle_azure_key_name}"
+            export MONGO_RUBY_DRIVER_GCP_PROJECT_ID="${fle_gcp_project_id}"
+            export MONGO_RUBY_DRIVER_GCP_LOCATION="${fle_gcp_location}"
+            export MONGO_RUBY_DRIVER_GCP_KEY_RING="${fle_gcp_key_ring}"
+            export MONGO_RUBY_DRIVER_GCP_KEY_NAME="${fle_gcp_key_name}"
+            export MONGO_RUBY_DRIVER_MONGOCRYPTD_PORT="${fle_mongocryptd_port}"
           fi
           unset TOPOLOGY
           export TOPOLOGY=${MLAUNCH_TOPOLOGY}
diff --git a/.evergreen/config/common.yml.erb b/.evergreen/config/common.yml.erb
index 53262db080..7fc828a1ef 100644
--- a/.evergreen/config/common.yml.erb
+++ b/.evergreen/config/common.yml.erb
@@ -170,13 +170,6 @@ functions:
         working_dir: "src"
         script: |
           ${PREPARE_SHELL}
-          # Needed for generating temporary aws credentials.
-          if [ -n "${FLE}" ];
-          then
-            export AWS_ACCESS_KEY_ID="${fle_aws_key}"
-            export AWS_SECRET_ACCESS_KEY="${fle_aws_secret}"
-            export AWS_DEFAULT_REGION="${fle_aws_region}"
-          fi
           export CSOT_SPEC_TESTS=1
           unset TOPOLOGY
           export TOPOLOGY=${MLAUNCH_TOPOLOGY}
@@ -198,33 +191,14 @@ functions:
           .evergreen/run-tests.sh
 
   "export FLE credentials":
-    - command: shell.exec
+    - command: subprocess.exec
       type: test
       params:
-        silent: true
+        binary: bash
         working_dir: "src"
-        script: |
-          cat < .env.private
-          MONGO_RUBY_DRIVER_AWS_KEY="${fle_aws_key}"
-          MONGO_RUBY_DRIVER_AWS_SECRET="${fle_aws_secret}"
-          MONGO_RUBY_DRIVER_AWS_REGION="${fle_aws_region}"
-          MONGO_RUBY_DRIVER_AWS_ARN="${fle_aws_arn}"
-
-          MONGO_RUBY_DRIVER_AZURE_TENANT_ID="${fle_azure_tenant_id}"
-          MONGO_RUBY_DRIVER_AZURE_CLIENT_ID="${fle_azure_client_id}"
-          MONGO_RUBY_DRIVER_AZURE_CLIENT_SECRET="${fle_azure_client_secret}"
-          MONGO_RUBY_DRIVER_AZURE_IDENTITY_PLATFORM_ENDPOINT="${fle_azure_identity_platform_endpoint}"
-          MONGO_RUBY_DRIVER_AZURE_KEY_VAULT_ENDPOINT="${fle_azure_key_vault_endpoint}"
-          MONGO_RUBY_DRIVER_AZURE_KEY_NAME="${fle_azure_key_name}"
-
-          MONGO_RUBY_DRIVER_GCP_EMAIL="${fle_gcp_email}"
-          MONGO_RUBY_DRIVER_GCP_PRIVATE_KEY="${fle_gcp_private_key}"
-          MONGO_RUBY_DRIVER_GCP_PROJECT_ID="${fle_gcp_project_id}"
-          MONGO_RUBY_DRIVER_GCP_LOCATION="${fle_gcp_location}"
-          MONGO_RUBY_DRIVER_GCP_KEY_RING="${fle_gcp_key_ring}"
-          MONGO_RUBY_DRIVER_GCP_KEY_NAME="${fle_gcp_key_name}"
-          MONGO_RUBY_DRIVER_MONGOCRYPTD_PORT="${fle_mongocryptd_port}"
-          EOT
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, DRIVERS_TOOLS]
+        args:
+          - "${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh"
 
   "export Kerberos credentials":
     - command: shell.exec
@@ -365,12 +339,17 @@ functions:
         working_dir: "src"
         script: |
           ${PREPARE_SHELL}
-          # Needed for generating temporary aws credentials.
-          if [ -n "${FLE}" ];
-          then
-            export AWS_ACCESS_KEY_ID="${fle_aws_key}"
-            export AWS_SECRET_ACCESS_KEY="${fle_aws_secret}"
-            export AWS_DEFAULT_REGION="${fle_aws_region}"
+          if [ -n "${FLE}" ]; then
+            export MONGO_RUBY_DRIVER_AWS_REGION="${fle_aws_region}"
+            export MONGO_RUBY_DRIVER_AWS_ARN="${fle_aws_arn}"
+            export MONGO_RUBY_DRIVER_AZURE_IDENTITY_PLATFORM_ENDPOINT="${fle_azure_identity_platform_endpoint}"
+            export MONGO_RUBY_DRIVER_AZURE_KEY_VAULT_ENDPOINT="${fle_azure_key_vault_endpoint}"
+            export MONGO_RUBY_DRIVER_AZURE_KEY_NAME="${fle_azure_key_name}"
+            export MONGO_RUBY_DRIVER_GCP_PROJECT_ID="${fle_gcp_project_id}"
+            export MONGO_RUBY_DRIVER_GCP_LOCATION="${fle_gcp_location}"
+            export MONGO_RUBY_DRIVER_GCP_KEY_RING="${fle_gcp_key_ring}"
+            export MONGO_RUBY_DRIVER_GCP_KEY_NAME="${fle_gcp_key_name}"
+            export MONGO_RUBY_DRIVER_MONGOCRYPTD_PORT="${fle_mongocryptd_port}"
           fi
           unset TOPOLOGY
           export TOPOLOGY=${MLAUNCH_TOPOLOGY}
diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh
index f1bd48a125..5aac2fd306 100755
--- a/.evergreen/run-tests.sh
+++ b/.evergreen/run-tests.sh
@@ -236,8 +236,18 @@ if test -n "$FLE"; then
   python3 -u .evergreen/csfle/fake_azure.py &
   python3 -u .evergreen/csfle/kms_failpoint_server.py --port 9003 &
 
-  # Obtain temporary AWS credentials
-  PYTHON=python3 . .evergreen/csfle/set-temp-creds.sh
+  # Source FLE credentials generated by csfle/setup-secrets.sh.
+  if test -f secrets-export.sh; then
+    # shellcheck disable=SC1091
+    . ./secrets-export.sh
+    export MONGO_RUBY_DRIVER_AWS_KEY="${FLE_AWS_KEY}"
+    export MONGO_RUBY_DRIVER_AWS_SECRET="${FLE_AWS_SECRET}"
+    export MONGO_RUBY_DRIVER_AZURE_TENANT_ID="${FLE_AZURE_TENANTID}"
+    export MONGO_RUBY_DRIVER_AZURE_CLIENT_ID="${FLE_AZURE_CLIENTID}"
+    export MONGO_RUBY_DRIVER_AZURE_CLIENT_SECRET="${FLE_AZURE_CLIENTSECRET}"
+    export MONGO_RUBY_DRIVER_GCP_EMAIL="${FLE_GCP_EMAIL}"
+    export MONGO_RUBY_DRIVER_GCP_PRIVATE_KEY="${FLE_GCP_PRIVATEKEY}"
+  fi
 
   if [[ "$FLE" == "helper" || "$FLE" == "mongocryptd" ]]; then
     echo "Using helper gem"

From f6ff160e2a7e984bf60457f991e78e1901c62dac Mon Sep 17 00:00:00 2001
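Review bot: The remapped exports such as `export MONGO_RUBY_DRIVER_AWS_KEY="${FLE_AWS_KEY}"` silently export empty strings when a vault variable is missing from `secrets-export.sh`, and the surrounding `if test -f secrets-export.sh` skips the whole block when the file is absent, whereas the removed `set-temp-creds.sh` call ran unconditionally — in both cases the failure surfaces later as an opaque KMS authentication error rather than at the point where the credential went missing. Writing the secret-bearing lines as `"${FLE_AWS_KEY:?}"` turns an absent vault value into an immediate failure that names the variable, and an `else` branch that reports the missing file (unless credentials are legitimately expected to arrive via the environment, as the aws-auth scripts describe for Docker) would do the same for the skipped block. The run-tests-atlas.sh hunks in patches 3 and 4 have the same shape. The enclosing `if test -n "$FLE"` block starts and ends outside this hunk.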
From: Dmitry Rybakov
Date: Thu, 21 May 2026 08:05:04 +0200
Subject: [PATCH 3/5] RUBY-3888 Migrate Atlas connectivity secrets to AWS Secrets Manager
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace Evergreen project variable expansion for Atlas connection URIs and X.509 certificates with a call to drivers-evergreen-tools secrets_handling/setup-secrets.sh drivers/atlas_connect, matching the pattern used by the Python and Node drivers. Add "export Atlas credentials" function and wire it into the test-atlas task. Remove the eleven atlas_* Evergreen project variable references from "run Atlas tests" and from the setup-system expansion.yml block. Remove the atlas_serverless_uri / atlas_serverless_lb_uri references from "run Atlas tests" — those credentials are already sourced by run-tests-serverless.sh from the serverless secrets-export.sh. Update run-tests-atlas.sh to source secrets-export.sh so the ATLAS_* variables are available to the spec suite.
---
 .evergreen/config.yml            | 27 +++++++++++++--------------
 .evergreen/config/common.yml.erb | 27 +++++++++++++--------------
 .evergreen/run-tests-atlas.sh    |  5 +++++
 3 files changed, 31 insertions(+), 28 deletions(-)

diff --git a/.evergreen/config.yml b/.evergreen/config.yml
index 6d65afadd5..0357b30637 100644
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -121,11 +121,6 @@ functions:
           export OCSP_CONNECTIVITY="${OCSP_CONNECTIVITY}"
           export OCSP_VERIFIER="${OCSP_VERIFIER}"
 
-          export ATLAS_REPLICA_SET_URI="${atlas_replica_set_uri}"
-          export ATLAS_SHARDED_URI="${atlas_sharded_uri}"
-          export ATLAS_FREE_TIER_URI="${atlas_free_tier_uri}"
-          export ATLAS_TLS11_URI="${atlas_tls11_uri}"
-          export ATLAS_TLS12_URI="${atlas_tls12_uri}"
           export RVM_RUBY="${RVM_RUBY}"
           EOT
 
@@ -380,6 +375,17 @@ functions:
           ${PREPARE_SHELL}
           .evergreen/run-tests-kerberos-unit.sh
 
+  "export Atlas credentials":
+    - command: subprocess.exec
+      type: test
+      params:
+        binary: bash
+        working_dir: "src"
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, DRIVERS_TOOLS]
+        args:
+          - "${DRIVERS_TOOLS}/.evergreen/secrets_handling/setup-secrets.sh"
+          - "drivers/atlas_connect"
+
   "run Atlas tests":
     - command: shell.exec
       type: test
@@ -389,15 +395,7 @@ functions:
         script: |
           ${PREPARE_SHELL}
           AUTH=${AUTH} SSL=${SSL} TOPOLOGY=${TOPOLOGY} RVM_RUBY="${RVM_RUBY}" \
-            ATLAS_REPLICA_SET_URI=${atlas_replica_set_uri} ATLAS_SHARDED_URI=${atlas_sharded_uri} \
-            ATLAS_FREE_TIER_URI=${atlas_free_tier_uri} ATLAS_TLS11_URI=${atlas_tls11_uri} \
-            ATLAS_TLS12_URI=${atlas_tls12_uri} ATLAS_SERVERLESS_URI=${atlas_serverless_uri} \
-            ATLAS_SERVERLESS_LB_URI=${atlas_serverless_lb_uri} \
-            ATLAS_X509_CERT_BASE64="${atlas_x509_cert_base64}" \
-            ATLAS_X509_URI="${atlas_x509}" \
-            ATLAS_X509_DEV_CERT_BASE64="${atlas_x509_dev_cert_base64}" \
-            ATLAS_X509_DEV_URI="${atlas_x509_dev}" \
-            .evergreen/run-tests-atlas.sh
+            .evergreen/run-tests-atlas.sh
 
 pre:
   - func: assume-test-secrets-ec2-role
@@ -599,6 +597,7 @@ tasks:
       - func: "run tests with orchestration and drivers tools"
   - name: "test-atlas"
     commands:
+      - func: "export Atlas credentials"
       - func: "run Atlas tests"
   - name: "test-mlaunch"
     commands:
diff --git a/.evergreen/config/common.yml.erb b/.evergreen/config/common.yml.erb
index 7fc828a1ef..6176951194 100644
--- a/.evergreen/config/common.yml.erb
+++ b/.evergreen/config/common.yml.erb
@@ -118,11 +118,6 @@ functions:
           export OCSP_CONNECTIVITY="${OCSP_CONNECTIVITY}"
           export OCSP_VERIFIER="${OCSP_VERIFIER}"
 
-          export ATLAS_REPLICA_SET_URI="${atlas_replica_set_uri}"
-          export ATLAS_SHARDED_URI="${atlas_sharded_uri}"
-          export ATLAS_FREE_TIER_URI="${atlas_free_tier_uri}"
-          export ATLAS_TLS11_URI="${atlas_tls11_uri}"
-          export ATLAS_TLS12_URI="${atlas_tls12_uri}"
           export RVM_RUBY="${RVM_RUBY}"
           EOT
 
@@ -377,6 +372,17 @@ functions:
           ${PREPARE_SHELL}
           .evergreen/run-tests-kerberos-unit.sh
 
+  "export Atlas credentials":
+    - command: subprocess.exec
+      type: test
+      params:
+        binary: bash
+        working_dir: "src"
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, DRIVERS_TOOLS]
+        args:
+          - "${DRIVERS_TOOLS}/.evergreen/secrets_handling/setup-secrets.sh"
+          - "drivers/atlas_connect"
+
   "run Atlas tests":
     - command: shell.exec
       type: test
@@ -386,15 +392,7 @@ functions:
         script: |
           ${PREPARE_SHELL}
           AUTH=${AUTH} SSL=${SSL} TOPOLOGY=${TOPOLOGY} RVM_RUBY="${RVM_RUBY}" \
-            ATLAS_REPLICA_SET_URI=${atlas_replica_set_uri} ATLAS_SHARDED_URI=${atlas_sharded_uri} \
-            ATLAS_FREE_TIER_URI=${atlas_free_tier_uri} ATLAS_TLS11_URI=${atlas_tls11_uri} \
-            ATLAS_TLS12_URI=${atlas_tls12_uri} ATLAS_SERVERLESS_URI=${atlas_serverless_uri} \
-            ATLAS_SERVERLESS_LB_URI=${atlas_serverless_lb_uri} \
-            ATLAS_X509_CERT_BASE64="${atlas_x509_cert_base64}" \
-            ATLAS_X509_URI="${atlas_x509}" \
-            ATLAS_X509_DEV_CERT_BASE64="${atlas_x509_dev_cert_base64}" \
-            ATLAS_X509_DEV_URI="${atlas_x509_dev}" \
-            .evergreen/run-tests-atlas.sh
+            .evergreen/run-tests-atlas.sh
 
 pre:
   - func: assume-test-secrets-ec2-role
@@ -596,6 +594,7 @@ tasks:
       - func: "run tests with orchestration and drivers tools"
   - name: "test-atlas"
     commands:
+      - func: "export Atlas credentials"
       - func: "run Atlas tests"
   - name: "test-mlaunch"
     commands:
diff --git a/.evergreen/run-tests-atlas.sh b/.evergreen/run-tests-atlas.sh
index 2b2298c48a..d564ef6245 100755
--- a/.evergreen/run-tests-atlas.sh
+++ b/.evergreen/run-tests-atlas.sh
@@ -28,5 +28,10 @@ echo "Running specs"
 
 export ATLAS_TESTING=1
 
+if test -f secrets-export.sh; then
+  # shellcheck disable=SC1091
+  . ./secrets-export.sh
+fi
+
 bundle exec rspec spec/atlas \
   --format Rfc::Riff --format RspecJunitFormatter --out tmp/rspec.xml

From 0bd8802cce576fe7f4e81d34d42536d6fabdfaf6 Mon Sep 17 00:00:00 2001
From: Dmitry Rybakov
Date: Wed, 27 May 2026 15:07:19 +0200
Subject: [PATCH 4/5] RUBY-3888 Map vault variable names to Ruby driver expected names

The drivers/atlas_connect vault exports ATLAS_REPL, ATLAS_SHRD, etc. (shared naming with Python/Node), but the Ruby spec expects ATLAS_REPLICA_SET_URI, ATLAS_SHARDED_URI, etc.
---
 .evergreen/run-tests-atlas.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.evergreen/run-tests-atlas.sh b/.evergreen/run-tests-atlas.sh
index d564ef6245..038adcb56c 100755
--- a/.evergreen/run-tests-atlas.sh
+++ b/.evergreen/run-tests-atlas.sh
@@ -31,6 +31,14 @@ export ATLAS_TESTING=1
 if test -f secrets-export.sh; then
   # shellcheck disable=SC1091
   . ./secrets-export.sh
+  # Map from vault variable names (shared with Python/Node) to Ruby driver expected names.
+  export ATLAS_REPLICA_SET_URI="${ATLAS_REPL}"
+  export ATLAS_SHARDED_URI="${ATLAS_SHRD}"
+  export ATLAS_FREE_TIER_URI="${ATLAS_FREE}"
+  export ATLAS_TLS11_URI="${ATLAS_TLS11}"
+  export ATLAS_TLS12_URI="${ATLAS_TLS12}"
+  export ATLAS_X509_URI="${ATLAS_X509}"
+  export ATLAS_X509_DEV_URI="${ATLAS_X509_DEV}"
 fi
 
 bundle exec rspec spec/atlas \

From cfc78af895391abbc9401fd30c5fb04ea666d550 Mon Sep 17 00:00:00 2001
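Review bot: The mapping block in this hunk covers only URIs, while the `run Atlas tests` invocation removed in patch 3 also passed `ATLAS_X509_CERT_BASE64` and `ATLAS_X509_DEV_CERT_BASE64`; unless the drivers/atlas_connect vault exports those two under exactly those names (not visible here), the X.509 specs now run without their client certificates. Worth checking the vault's variable list and adding the corresponding `export` lines next to `ATLAS_X509_URI` and `ATLAS_X509_DEV_URI`, or recording in the comment that the certificate material is already provided under the expected names. As with the FLE remap in run-tests.sh, `"${ATLAS_REPL:?}"`-style expansions would make a missing vault key fail here with its name rather than later inside the spec run.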
From: Dmitry Rybakov
Date: Wed, 27 May 2026 15:44:57 +0200
Subject: [PATCH 5/5] RUBY-3888 Unset empty AWS_SESSION_TOKEN after sourcing secrets-export.sh

csfle/setup_secrets.py writes AWS_SESSION_TOKEN="" into secrets-export.sh to neutralize any ambient session token before its STS call. Sourcing that file sets the variable to an empty string, which libmongocrypt then passes to AWS KMS as an empty security token, causing on-demand credential discovery to fail. Unset the variable when it is empty so libmongocrypt performs credential discovery without a session token.
---
 .evergreen/run-tests.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh
index 5aac2fd306..3b13f4f1bd 100755
--- a/.evergreen/run-tests.sh
+++ b/.evergreen/run-tests.sh
@@ -240,6 +240,9 @@ if test -n "$FLE"; then
   if test -f secrets-export.sh; then
     # shellcheck disable=SC1091
     . ./secrets-export.sh
+    # setup-secrets.sh sets AWS_SESSION_TOKEN="" for long-lived keys. Unset it
+    # so the driver does not include an empty security token in KMS requests.
+    [ -z "${AWS_SESSION_TOKEN:-}" ] && unset AWS_SESSION_TOKEN
     export MONGO_RUBY_DRIVER_AWS_KEY="${FLE_AWS_KEY}"
     export MONGO_RUBY_DRIVER_AWS_SECRET="${FLE_AWS_SECRET}"
     export MONGO_RUBY_DRIVER_AZURE_TENANT_ID="${FLE_AZURE_TENANTID}"
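Review bot: The guard `[ -z "${AWS_SESSION_TOKEN:-}" ] && unset AWS_SESSION_TOKEN` is applied only in the FLE block of run-tests.sh, yet secrets-export.sh files are now also sourced by functions-aws.sh, run-tests-aws-auth.sh and run-tests-atlas.sh; if those setup-secrets.sh variants write the same `AWS_SESSION_TOKEN=""` line (the commit message describes it for csfle/setup_secrets.py only), the same empty token would be left in the environment there. Worth checking what those scripts emit and applying the same guard, or doing it once in a shared helper. The in-code comment attributes the empty value to `setup-secrets.sh` "for long-lived keys" while the commit message attributes it to `setup_secrets.py` neutralizing an ambient token; aligning the comment with the actual source, e.g. `# csfle/setup_secrets.py writes AWS_SESSION_TOKEN="" into secrets-export.sh; unset it`, keeps a reader from being sent to the wrong file. The enclosing `if test -n "$FLE"` block and the inner `if test -f secrets-export.sh` both continue outside this hunk.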