From 07b4778d19f8f8a60d78805f030c781e13fbd4ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20Hafstr=C3=B8m=20Johnsen?= Date: Thu, 8 Aug 2024 12:28:29 +0200 Subject: [PATCH 1/3] will now work with canary-release plugin --- Readme.md | 10 ++++++---- kong/plugins/aws-request-signing/handler.lua | 4 ++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Readme.md b/Readme.md index fa56819..769d298 100644 --- a/Readme.md +++ b/Readme.md @@ -6,12 +6,14 @@ This plugin will sign a request with AWS SIGV4 and temporary credentials from `sts.amazonaws.com` requested using an OAuth token. -It enables the secure use of AWS Lambdas as upstreams in Kong using [Lambda URLs](https://aws.amazon.com/blogs/aws/announcing-aws-lambda-function-urls-built-in-https-endpoints-for-single-function-microservices/). +It enables the secure use of AWS [Lambda URLs](https://aws.amazon.com/blogs/aws/announcing-aws-lambda-function-urls-built-in-https-endpoints-for-single-function-microservices/) being registered as "Host" in a Kong service. At the same time it drives down cost and complexity by excluding the AWS API Gateway and allowing to use AWS Lambdas directly. The required AWS setup to make the plugin work with your Lambda HTTPS endpoint is described below. +Note that this plugin cannot be used in combination with Kong [upstreams](https://docs.konghq.com/gateway/latest/get-started/load-balancing/). + ## Plugin configuration parameters ```lua 
@@ -111,8 +113,8 @@ plugins: ## Signing requests containing a body -In case of requests contanining a body, the plugin is highly reliant on the nginx configuration, because it neets to access the body to sign it. -The behaviour is controlled by the following Kong configuration parameters: +In case of requests containing a body, the plugin is highly reliant on the nginx configuration, because it needs to access the body to sign it. +The behavior is controlled by the following Kong configuration parameters: ```text nginx_http_client_max_body_size @@ -135,7 +137,7 @@ The default value for max body size is `0`, which means unlimited, so consider s 2. Your OpenID Connect provider is added to [AWS IAM](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/identity_providers) -3. You have a role with `arn:aws:iam::aws:policy/AWSLambda_FullAccess` and/or `arn:aws:iam::aws:policy/AmazonS3FullAccess` permision (or any other permision that grants access to your desired AWS service ) and the trust relationship below: +3. You have a role with `arn:aws:iam::aws:policy/AWSLambda_FullAccess` and/or `arn:aws:iam::aws:policy/AmazonS3FullAccess` permission (or any other permission that grants access to your desired AWS service ) and the trust relationship below:
Show JSON
diff --git a/kong/plugins/aws-request-signing/handler.lua b/kong/plugins/aws-request-signing/handler.lua
index f62ab95..ab23d4a 100644
--- a/kong/plugins/aws-request-signing/handler.lua
+++ b/kong/plugins/aws-request-signing/handler.lua
@@ -103,7 +103,7 @@ end
 function AWSLambdaSTS:access(conf)
 local service = kong.router.get_service()
 local request_headers = kong.request.get_headers()
- local final_host = conf.override_target_host or service.host
+ local final_host = conf.override_target_host or ngx.ctx.balancer_data.host
 if service == nil then
 kong.log.err("Unable to retrieve bound service!")
@@ -188,7 +188,7 @@ function AWSLambdaSTS:access(conf)
 kong.service.request.set_raw_query(signed_request.query)
 end
-AWSLambdaSTS.PRIORITY = 110
+AWSLambdaSTS.PRIORITY = 15
 AWSLambdaSTS.VERSION = "1.0.5"
 return AWSLambdaSTS
From 2476bbb9558b9bb6a166284df7e50657a0baab8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Henrik=20Hafstr=C3=B8m=20Johnsen?=
Date: Thu, 8 Aug 2024 13:47:01 +0200
Subject: [PATCH 2/3] bumping version number
---
 ....0.5-3.rockspec => kong-aws-request-signing-1.0.6-3.rockspec | 2 +-
 kong/plugins/aws-request-signing/handler.lua | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename kong-aws-request-signing-1.0.5-3.rockspec => kong-aws-request-signing-1.0.6-3.rockspec (97%)
diff --git a/kong-aws-request-signing-1.0.5-3.rockspec b/kong-aws-request-signing-1.0.6-3.rockspec
similarity index 97%
rename from kong-aws-request-signing-1.0.5-3.rockspec
rename to kong-aws-request-signing-1.0.6-3.rockspec
index fde8c43..efed839 100644
--- a/kong-aws-request-signing-1.0.5-3.rockspec
+++ b/kong-aws-request-signing-1.0.6-3.rockspec
@@ -1,6 +1,6 @@
 local plugin_name = "aws-request-signing"
 local package_name = "kong-" .. plugin_name
-local package_version = "1.0.5"
+local package_version = "1.0.6"
 local rockspec_revision = "3"
 local github_account_name = "LEGO"
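Review bot: `ngx.ctx.balancer_data.host` is dereferenced on the added line before the `service == nil` guard that follows it, so if `balancer_data` is absent in this phase (or carries no `host`) the handler raises a Lua error and Kong answers 500 instead of taking the logged error path; the replaced `service.host` had the same ordering problem, but the new expression introduces a second table that can be nil. I would read it defensively, `local balancer_data = ngx.ctx.balancer_data` and `local final_host = conf.override_target_host or (balancer_data and balancer_data.host)`, then reject the request with the same log-and-exit pattern as the service check when `final_host` is still nil, since that value presumably feeds the SigV4 signing further down and a nil host there is a failure you want to see logged, not a stack trace. Note also that with the lowered PRIORITY, whichever earlier plugin last rewrote `balancer_data.host` now decides which AWS host the request is signed for — apparently the intent for canary routing, but a one-line comment stating that `override_target_host` still takes precedence would help. The body of `access` continues outside the hunk.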
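Review bot: The new `PRIORITY = 15` carries no explanation, and the value is load-bearing for security: SigV4 covers the Host header, the query and (per the readme) the body, so this plugin must execute after every plugin that rewrites any of those, and any plugin with a PRIORITY below 15 that does so will silently invalidate the signature at AWS. I would document that next to the constant, e.g. `-- Run late so the Host resolved by routing/canary plugins is the one that gets signed; plugins with a lower PRIORITY must not modify signed headers, query or body.` The commit title names the canary-release plugin as the motivation, so the exact number presumably sits just below that plugin's priority — worth stating explicitly so a future bump on either side does not reorder them unnoticed.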
diff --git a/kong/plugins/aws-request-signing/handler.lua b/kong/plugins/aws-request-signing/handler.lua index ab23d4a..499005d 100644 --- a/kong/plugins/aws-request-signing/handler.lua +++ b/kong/plugins/aws-request-signing/handler.lua @@ -189,6 +189,6 @@ function AWSLambdaSTS:access(conf) end AWSLambdaSTS.PRIORITY = 15 -AWSLambdaSTS.VERSION = "1.0.5" +AWSLambdaSTS.VERSION = "1.0.6" return AWSLambdaSTS From cb430077d02061cb9601ff266904a6c6512005e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20Hafstr=C3=B8m=20Johnsen?= Date: Thu, 8 Aug 2024 15:43:18 +0200 Subject: [PATCH 3/3] clarifying purpose in readme --- Readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index 769d298..e9356ca 100644 --- a/Readme.md +++ b/Readme.md @@ -6,7 +6,7 @@ This plugin will sign a request with AWS SIGV4 and temporary credentials from `sts.amazonaws.com` requested using an OAuth token. -It enables the secure use of AWS [Lambda URLs](https://aws.amazon.com/blogs/aws/announcing-aws-lambda-function-urls-built-in-https-endpoints-for-single-function-microservices/) being registered as "Host" in a Kong service. +The AWS SIGV4 signature enables secure proxying directly towards AWS services such as [Lambda URLs](https://aws.amazon.com/blogs/aws/announcing-aws-lambda-function-urls-built-in-https-endpoints-for-single-function-microservices/). At the same time it drives down cost and complexity by excluding the AWS API Gateway and allowing to use AWS Lambdas directly. @@ -33,7 +33,7 @@ aws_service - AWS Service you are trying to access (lambda and s3 were tested) type = "string" required = true -override_target_host - To be used when deploying multiple lambdas on a single Kong service (because lambdas have differennt URLs) +override_target_host - To be used when deploying multiple lambdas on a single Kong service (because lambdas have different URLs) type = "string" required = false