MariaDB Server: MDEV-19912

AWS KMS Plugin - Make KMS Endpoint Configurable


    Description

      Background

      In our infrastructure, generally we don't give servers internet access for security reasons. However, when we use the AWS KMS encryption plugin, we find that it becomes necessary to make firewall exceptions so that the plugin can connect to the AWS API.

      AWS provides VPC endpoints, which can be configured on static internal IPs within the VPC. These can be reached both within the VPC as well as from on-premise installations connected by VPN/AWS Direct Connect.

      We would like to be able to configure the AWS KMS plugin to send its requests to a specific internal endpoint, so that we don't have to give our servers internet access.

      Acceptance Criteria

      • AWS Key Management Plugin has a new optional parameter: endpoint-url
        • If this parameter is not configured, the plugin should connect to the public endpoints as it currently does
        • If endpoint-url is configured, the plugin should send requests to the specified URL instead of the public endpoints.

      If this is added, could it be backported to MariaDB Server 10.3 as well?

      Further reading:
      https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html
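Added example, not code from the MariaDB aws_key_management plugin and not from this issue's reporter: the endpoint selection the acceptance criteria describe, written in C++ because the plugin is built on the AWS C++ SDK. `KmsConfig`, `KmsEndpoint`, `resolve_kms_endpoint` and the `endpoint_url` field are hypothetical names chosen for the example, and the VPC endpoint hostnames used in comments and tests are constructed. It goes one step beyond the two criteria: the override must be an https URL, since a KMS response to GenerateDataKey carries the plaintext data key, and an endpoint-url that silently downgraded to http would expose it on the wire.

```cpp
#include <cctype>
#include <stdexcept>
#include <string>

// Hypothetical configuration the plugin would read. The region option exists in
// the real plugin; endpoint_url is the optional parameter this issue proposes.
struct KmsConfig {
    std::string region;       // e.g. "eu-west-1"
    std::string endpoint_url; // empty means "use the public regional endpoint"
};

// What the HTTP layer needs: host, port, and whether an override was applied.
struct KmsEndpoint {
    std::string host;
    unsigned port;
    bool overridden;
};

// AWS region names are lowercase letters, digits and hyphens (e.g. us-gov-west-1).
static bool valid_region(const std::string& r) {
    if (r.empty()) return false;
    for (char c : r) {
        unsigned char u = static_cast<unsigned char>(c);
        if (!(std::islower(u) || std::isdigit(u) || c == '-')) return false;
    }
    return true;
}

// Parse an explicit endpoint-url of the form https://host[:port][/...].
// Only https is accepted so a misconfiguration cannot downgrade KMS traffic to
// plaintext. Any path is dropped because KMS requests are POSTed to "/".
// Caveat: bracketed IPv6 literals ([::1]:443) are not handled by this parser.
static KmsEndpoint parse_override(const std::string& url) {
    static const std::string scheme = "https://";
    if (url.compare(0, scheme.size(), scheme) != 0)
        throw std::invalid_argument("endpoint-url must start with https://");
    std::string rest = url.substr(scheme.size());
    std::string::size_type slash = rest.find('/');
    if (slash != std::string::npos) rest.erase(slash);
    unsigned port = 443;
    std::string::size_type colon = rest.find(':');
    if (colon != std::string::npos) {
        std::string p = rest.substr(colon + 1);
        if (p.empty() || p.size() > 5 ||
            p.find_first_not_of("0123456789") != std::string::npos)
            throw std::invalid_argument("endpoint-url has a malformed port");
        long v = std::stol(p);
        if (v < 1 || v > 65535)
            throw std::invalid_argument("endpoint-url port out of range");
        port = static_cast<unsigned>(v);
        rest.erase(colon);
    }
    if (rest.empty()) throw std::invalid_argument("endpoint-url has no host");
    return KmsEndpoint{rest, port, true};
}

// Criterion 1: no endpoint-url -> public endpoint, exactly as today.
// Criterion 2: endpoint-url set -> send requests there instead.
KmsEndpoint resolve_kms_endpoint(const KmsConfig& cfg) {
    if (!cfg.endpoint_url.empty()) return parse_override(cfg.endpoint_url);
    if (!valid_region(cfg.region))
        throw std::invalid_argument("a valid region is required when endpoint-url is unset");
    return KmsEndpoint{"kms." + cfg.region + ".amazonaws.com", 443, false};
}
```

In the AWS C++ SDK the result of such a resolver would be handed to the client through `Aws::Client::ClientConfiguration::endpointOverride`; when that field is left empty the SDK derives the regional hostname from the configured region, which is the current behaviour the first criterion preserves. Worth weighing against this request: a KMS interface VPC endpoint created with private DNS enabled makes the public name `kms.<region>.amazonaws.com` resolve to the endpoint's private addresses from inside the VPC, so the in-VPC case already works without a plugin change; the on-premise VPN or Direct Connect case still needs either the explicit URL proposed here or conditional DNS forwarding of that name.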

People

  Assignee: Unassigned
  Reporter: Stephen Hames (stephen.hames)