KMS providers are specified as a string of the form ``<KMS provider type>`` or ``<KMS provider type>:<KMS provider name>``.
The supported KMS provider types are ``aws``, ``azure``, ``gcp``, ``local``, and ``kmip``. The optional name enables configuring multiple KMS providers with the same KMS provider type (e.g. ``aws:name1`` and ``aws:name2`` can refer to different AWS accounts).
At least one KMS provider must be specified.

Supported forms of the KMS provider type ``aws`` include:

.. code-block:: javascript

   aws: {
      accessKeyId: String,
      secretAccessKey: String
   }

   // To pass temporary credentials:
   aws: {
      accessKeyId: String,
      secretAccessKey: String
      sessionToken: String
   }

   // To request credentials from the environment:
   aws: {}

Supported forms of the KMS provider type ``local`` include:

.. code-block:: javascript

   local: {
      // key is used to encrypt/decrypt data keys:
      key: "<96 byte BSON binary of subtype 0>" or String // May be passed as a base64 encoded string.
   }

Supported forms of the KMS provider type ``azure`` include:

.. code-block:: javascript

   azure: {
      tenantId: String,
      clientId: String,
      clientSecret: String,
      identityPlatformEndpoint: Optional<String> // Defaults to login.microsoftonline.com
   }

   // To pass an accessToken directly:
   azure: {
      accessToken: String
   }

   // To request credentials from the environment:
   azure: {}

Supported forms of the KMS provider type ``gcp`` include:

.. code-block:: javascript

   gcp: {
      email: String,
      privateKey: byte[] or String, // May be passed as a base64 encoded string.
      endpoint: Optional<String> // Defaults to oauth2.googleapis.com
   }

   // To pass an accessToken directly:
   gcp: {
      accessToken: String
   }

   // To request credentials from the environment:
   gcp: {}

Supported forms of the KMS provider type ``kmip`` include:

.. code-block:: javascript

   kmip: {
      endpoint: String
   }

KMS providers may include an optional name suffix separate with a colon. This enables configuring multiple KMS providers with the same KMS provider type. Example:

.. code-block:: javascript

   "aws:name1": {
      accessKeyId: String,
      secretAccessKey: String
   },
   "aws:name2": {
      accessKeyId: String,
      secretAccessKey: String
   }
