DOCSP-24872 adds FLE options (#234)

jmd-mongo · web-flow · commit 0423dbceef5b · 2022-08-31T10:28:35.000-04:00
* DOCSP-24872 adds FLE options * internal review feedback * links instances of "AWS" where appropriate
diff --git a/source/reference/options.txt b/source/reference/options.txt
@@ -27,7 +27,7 @@ General Options
 
    Evaluates a JavaScript expression. You can use a single ``--eval``
    argument or multiple ``--eval`` arguments together.
-   
+
    After ``mongosh`` evaluates the ``--eval`` argument, it prints the
    results to your command line. If you use multiple ``--eval``
    statements, ``mongosh`` only prints the results of the last
@@ -149,7 +149,7 @@ Connection Options
       .. example::
 
          .. code-block:: none
-   
+
             mongodb+srv://server.example.com/?connectionTimeout=3000ms
 
 .. option:: --port <port>
@@ -212,7 +212,7 @@ TLS Options
    .. include:: /includes/fact-ssl-see-more.rst
 
 .. option:: --tlsCAFile <filename>
-  
+
    Specifies the :file:`.pem` file that contains the root certificate
    chain from the Certificate Authority. This file is used to validate
    the certificate presented by the
@@ -394,7 +394,7 @@ Authentication Options
    .. note::
 
       Starting in version 4.0:
-   
+
       - MongoDB removes support for the deprecated MongoDB
         Challenge-Response (``MONGODB-CR``) authentication mechanism.
 
@@ -464,9 +464,9 @@ Authentication Options
    - ``forwardAndReverse``, performs a forward DNS lookup and then a
      reverse lookup. New in ``mongosh`` 1.3.0.
    - ``forward``, the effect is the same as setting
-     ``authMechanismProperties=CANONICALIZE_HOST_NAME:true``.    
+     ``authMechanismProperties=CANONICALIZE_HOST_NAME:true``.
    - ``none``, the effect is the same as setting
-     ``authMechanismProperties=CANONICALIZE_HOST_NAME:false``.    
+     ``authMechanismProperties=CANONICALIZE_HOST_NAME:false``.
 
 .. option:: --password <password>, -p <password>
 
@@ -507,6 +507,88 @@ Session Options
 Client-Side Field Level Encryption Options
 ------------------------------------------
 
-For information on Client-Side Field Level Encryption Options,
-refer to the :manual:`MongoDB Manual
-</reference/program/mongo/#client-side-field-level-encryption-options>`.
+.. option:: --awsAccessKeyId <string>
+
+   An `AWS Access Key 
+   <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html>`__
+   associated with an IAM user who has ``List`` and ``Read`` permissions 
+   for the AWS Key Management Service (KMS). :program:`mongosh` uses the 
+   specified :option:`--awsAccessKeyId` to access the KMS. 
+
+   :option:`--awsAccessKeyId` is required to enable 
+   :ref:`manual-csfle-feature` for the :program:`mongosh` shell session. 
+   :option:`--awsAccessKeyId` requires *both* of the following command 
+   line options:
+
+   - :option:`--awsSecretAccessKey` 
+   - :option:`--keyVaultNamespace`
+
+   If :option:`--awsAccessKeyId` is omitted, use the :method:`Mongo()` 
+   constructor within the shell session to enable client-side field 
+   level encryption.
+
+   To mitigate the risk of leaking access keys into logs, consider 
+   specifying an environmental variable to :option:`--awsAccessKeyId`. 
+
+.. option:: --awsSecretAccessKey <string>
+
+   An `AWS Secret Key 
+   <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html>`__
+   associated to the specified :option:`--awsAccessKeyId`.
+
+   :option:`--awsSecretAccessKey` is required to enable
+   :ref:`manual-csfle-feature` for the :program:`mongosh` session. 
+   :option:`--awsSecretAccessKey` requires *both* of the following
+   command line options:
+
+   - :option:`--awsAccessKeyId` 
+   - :option:`--keyVaultNamespace`
+
+   If :option:`--awsSecretAccessKey` and its supporting options are
+   omitted, use :method:`Mongo()` within the shell session to enable
+   client-side field level encryption.
+
+   To mitigate the risk of leaking access keys into logs, consider 
+   specifying an environmental variable to 
+   :option:`--awsSecretAccessKey`. 
+
+.. option:: --awsSessionToken <string>
+
+   An `AWS Session Token 
+   <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html>`__
+   associated to the specified :option:`--awsAccessKeyId`.
+
+   :option:`--awsSessionToken` is required to enable
+   :ref:`manual-csfle-feature` for the :program:`mongosh` shell session. 
+   :option:`--awsSessionToken` requires *all* of the following command 
+   line options:
+
+   - :option:`--awsAccessKeyId` 
+   - :option:`--awsSecretAccessKey`
+   - :option:`--keyVaultNamespace`
+
+   If :option:`--awsSessionToken` and its supporting options are 
+   omitted, use :method:`Mongo()` within the shell session to enable 
+   client-side field level encryption.
+
+   To mitigate the risk of leaking access keys into logs, consider 
+   specifying an environmental variable to :option:`--awsSessionToken`. 
+
+.. option:: --keyVaultNamespace <string>
+
+   The full namespace (``<database>.<collection>``) of the collection 
+   used as a key vault for :ref:`manual-csfle-feature`. 
+   :option:`--keyVaultNamespace` is required for enabling client-side 
+   field level encryption. for the :program:`mongosh` shell session. 
+   :program:`mongosh` creates the specified namespace if it does not
+   exist.
+
+   :option:`--keyVaultNamespace` requires *both* of the following 
+   command line options:
+
+   - :option:`--awsAccessKeyId` 
+   - :option:`--awsSecretAccessKey`
+
+   If :option:`--keyVaultNamespace` and its supporting options are 
+   omitted, use the :method:`Mongo()` constructor within the shell 
+   session to enable client-side field level encryption.
