[MDEV-19912] AWS KMS Plugin - Make KMS Endpoint Configurable Created: 2019-07-01  Updated: 2019-07-02

Status: Open
Project: MariaDB Server
Component/s: Encryption, Plugin - AWS key management
Fix Version/s: None

Type: Task Priority: Major
Reporter: Stephen Hames Assignee: Unassigned
Resolution: Unresolved Votes: 1
Labels: None


Description

Background

In our infrastructure, generally we don't give servers internet access for security reasons. However, when we use the AWS KMS encryption plugin, we find that it becomes necessary to make firewall exceptions so that the plugin can connect to the AWS API.

AWS provides VPC endpoints, which can be configured on static internal IPs within the VPC. These can be reached both within the VPC as well as from on-premise installations connected by VPN/AWS Direct Connect.

We would like to be able to configure the AWS KMS plugin so that it sends its requests to a specific internal endpoint, which would let us avoid giving our servers internet access.

Acceptance Criteria

  • AWS Key Management Plugin has a new optional parameter: endpoint-url
    • If this parameter is not configured, the plugin should connect to the public endpoints as it currently does
    • If endpoint-url is configured, the plugin should send requests to the specified URL instead of the public endpoints.

If this is added, could it also be considered for backporting to MariaDB Server 10.3?

Further reading:
https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html
