
I am trying to implement MongoDB Client-Side Field Level Encryption inside an AWS Lambda function and am getting an error:

MongoServerSelectionError: connect ECONNREFUSED 127.0.0.1:27020


I am trying to create a secure connection as below

const path = require("path");
const { MongoClient } = require("mongodb");

// kmsProviders and accountsSchema are defined elsewhere in the asker's code.
const keyVaultNamespace = "{Collection-name}.__keyVault";
// LAMBDA_TASK_ROOT is /var/task, so this resolves to /tmp, the only writable path in Lambda.
const tmpPath = path.resolve(process.env.LAMBDA_TASK_ROOT, "../../tmp");
// Make the bundled native libraries visible to the spawned mongocryptd.
process.env.LD_LIBRARY_PATH = `${process.env.LD_LIBRARY_PATH}:${process.env.LAMBDA_TASK_ROOT}/lib`;

this.secureClient = new MongoClient(`{Mongo atlas URI}`, {
    useNewUrlParser: true,
    useUnifiedTopology: true,
    autoEncryption: {
        keyVaultNamespace,
        kmsProviders,
        schemaMap: accountsSchema,
        extraOptions: {
            // Spawn the mongocryptd daemon shipped in the deployment package.
            mongocryptdSpawnArgs: [`--pidfilepath=${tmpPath}/mongocryptd.pid`],
            mongocryptdSpawnPath: `${process.env.LAMBDA_TASK_ROOT}/bin/mongocryptd`,
        }
    },
});
await this.secureClient.connect();

I am trying to connect to my MongoDB Atlas.

  • The error says that the mongocryptd process is not launched. Is this path `${process.env.LAMBDA_TASK_ROOT}/bin/mongocryptd` accessible from Lambda? – dododo Feb 21 '23 at 14:36

1 Answer

The error says that the mongocryptd process is not launched. Is this path ${process.env.LAMBDA_TASK_ROOT}/bin/mongocryptd accessible from Lambda? It looks like no. However, I would recommend using the shared library instead of the mongocryptd daemon; it fully supersedes mongocryptd and doesn't require spawning a daemon. See this article about how it can be configured. You need to configure cryptSharedLibPath instead of the mongocryptdSpawn* options.

dododo
  • Thanks for the reply @dododo. But "${process.env.LAMBDA_TASK_ROOT}/bin/mongocryptd" is accessible from Lambda. – Pruthwiraj Nayak Feb 23 '23 at 05:56
  • Again, the "Automatic Encryption Shared Library" comes under "Queryable Encryption", which is not recommended for production. Is there any other option available? – Pruthwiraj Nayak Feb 23 '23 at 06:03
  • `is accessible from Lambda` - I'm not too familiar with Lambda, but I think there is something in that part. Maybe the daemon can't be launched. Maybe it's launched in one container, but you're querying from another one. Remember mongocryptd is supposed to be a `local` process. `which is not recommended for production` - that is not true AFAIK. Yes, QE is in beta at this point, but the shared library is not part of it, it's a different functionality. – dododo Feb 23 '23 at 12:23
  • As a check, you can try spawning mongocryptd manually (like via Process.Start) on, let's say, port 27020. And then query this daemon as a regular server via MongoClient: `var client = new MongoClient("mongodb://localhost:27020"); client.GetDatabase("admin").RunCommand("{ isMaster : 1}");` and see whether it will be accessible. – dododo Feb 23 '23 at 12:33