feat(DRIVERS-2903): use custom aws configuration

[durran]

Adds section to auth spec and CSFLE spec on allowing user provided custom credential providers for AWS and notes on testing.

Node implementation: mongodb/node-mongodb-native#4373

• Update changelog.
• Test changes in at least one language driver.
• Test these changes against all server versions and topologies (including standalone, replica set, sharded
  clusters, and serverless).

[jyemin]

Just a few quick edits while I perused this.

[jyemin]

Since this needs to be supported in FLE as well, I think we need to update the FLE spec and specify how to configure the "aws" kms provider. Consider adding a similar property with same semantics to AWSKMSOptions in https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.md#kmsproviders.

(While in some drivers you might be able to apply an auth mechanism property to FLE, in Java that isn't possible as auth mechanism properties are associated with a credential, not the MongoClient, and the credential of the MongoClient might not even be an AWS credential (or could be a different one).

[durran]

Since this needs to be supported in FLE as well, I think we need to update the FLE spec as well and specify how to configure the "aws" kms provider. Consider adding a similar property with same semantics to AWSKMSOptions in https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.md#kmsproviders.

(While in some drivers you might be able to apply an auth mechanism property to FLE, in Java that isn't possible as auth mechanism properties are associated with a credential, not the MongoClient, and the credential of the MongoClient might not even be an AWS credential (or could be a different one).

@kevinAlbs Do you have thoughts on this? Would there be a case where auto-encryption could want a different AWS credential provider than the associated MongoClient. (With ClientEncryption this is already possible since it has its own MongoClient)

[baileympearson]

@durran What about users who aren't using AWS authentication for their clients but want to use AWS automatic KMS credential fetching with a custom provider? I don't think Node would support that without a provider option for KMS specifically.

[baileympearson]

@durran What about users who aren't using AWS authentication for their clients but want to use AWS automatic KMS credential fetching with a custom provider? I don't think Node would support that without a provider option for KMS specifically.

[durran]

@durran What about users who aren't using AWS authentication for their clients but want to use AWS automatic KMS credential fetching with a custom provider? I don't think Node would support that without a provider option for KMS specifically.

That's a good point and I think a valid use case. I'll update everything accordingly.

[blink1073]

cc @kevinAlbs since this affects Client Encryption options

[baileympearson]

LGTM, two minor clarifying comments. I'm not an auth or FLE spec owner though.

[durran]

Pinging @jyemin as Java has an interest here. @kevinAlbs as I've added FLE options for the custom credential providers.

[blink1073]

LGTM!

[jyemin]

I'm not sure how we will define the types in the Java driver, as applications are allowed to use either AWS SDK v1 or v2, and those dependencies are optional so the types can't be part of the API. But we will figure out a way to make it work.

[kevinAlbs]

LGTM! Suggested wording changes, but nothing behavior changing.