feat: will now work with canary-release plugin #41

Merged
merged 3 commits into from
Aug 9, 2024
10 changes: 6 additions & 4 deletions Readme.md
Expand Up @@ -6,12 +6,14 @@

This plugin will sign a request with AWS SIGV4 and temporary credentials from `sts.amazonaws.com` requested using an OAuth token.

It enables the secure use of AWS Lambdas as upstreams in Kong using [Lambda URLs](https://aws.amazon.com/blogs/aws/announcing-aws-lambda-function-urls-built-in-https-endpoints-for-single-function-microservices/).
It enables the secure use of AWS [Lambda URLs](https://aws.amazon.com/blogs/aws/announcing-aws-lambda-function-urls-built-in-https-endpoints-for-single-function-microservices/) being registered as "Host" in a Kong service.

At the same time it drives down cost and complexity by excluding the AWS API Gateway and allowing to use AWS Lambdas directly.

The required AWS setup to make the plugin work with your Lambda HTTPS endpoint is described below.

Note that this plugin cannot be used in combination with Kong [upstreams](https://docs.konghq.com/gateway/latest/get-started/load-balancing/).

## Plugin configuration parameters

```lua
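Review bot: The added note that the plugin "cannot be used in combination with Kong upstreams" gives no reason and no description of what a user would observe, and the README still does not mention the canary-release compatibility this PR is titled for. Suggest one sentence saying which host value ends up being signed (the handler change in this PR reads it from `ngx.ctx.balancer_data.host`) and why that fails when the service points at an upstream, plus a short mention of the canary-release case. The phrase `being registered as "Host" in a Kong service` would read more clearly as "configured as the host of a Kong service".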
Expand Down Expand Up @@ -111,8 +113,8 @@ plugins:

## Signing requests containing a body

In case of requests contanining a body, the plugin is highly reliant on the nginx configuration, because it neets to access the body to sign it.
The behaviour is controlled by the following Kong configuration parameters:
In case of requests containing a body, the plugin is highly reliant on the nginx configuration, because it needs to access the body to sign it.
The behavior is controlled by the following Kong configuration parameters:

```text
nginx_http_client_max_body_size
Expand All @@ -135,7 +137,7 @@ The default value for max body size is `0`, which means unlimited, so consider s
</details>

2. Your OpenID Connect provider is added to [AWS IAM](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/identity_providers)
3. You have a role with `arn:aws:iam::aws:policy/AWSLambda_FullAccess` and/or `arn:aws:iam::aws:policy/AmazonS3FullAccess` permision (or any other permision that grants access to your desired AWS service ) and the trust relationship below:
3. You have a role with `arn:aws:iam::aws:policy/AWSLambda_FullAccess` and/or `arn:aws:iam::aws:policy/AmazonS3FullAccess` permission (or any other permission that grants access to your desired AWS service ) and the trust relationship below:

<details>
<summary>Show JSON</summary>
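Review bot: Item 3 is being edited anyway, and it still recommends `AWSLambda_FullAccess` and/or `AmazonS3FullAccess` for the role, which is far broader than a gateway that only signs and forwards requests needs. Suggest leading with a policy scoped to the specific function or bucket (for Lambda URLs, `lambda:InvokeFunctionUrl` on the function ARN) and mentioning the FullAccess managed policies only as a quick-start option. There is also a stray space before the closing parenthesis in `AWS service )`.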
4 changes: 2 additions & 2 deletions kong/plugins/aws-request-signing/handler.lua
Expand Up @@ -103,7 +103,7 @@ end
function AWSLambdaSTS:access(conf)
local service = kong.router.get_service()
local request_headers = kong.request.get_headers()
local final_host = conf.override_target_host or service.host
local final_host = conf.override_target_host or ngx.ctx.balancer_data.host

if service == nil then
kong.log.err("Unable to retrieve bound service!")
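Review bot: On the changed `final_host` line, `ngx.ctx.balancer_data.host` is indexed without a guard, so when `conf.override_target_host` is unset and `balancer_data` is nil the access phase raises an error instead of failing cleanly, and this happens before the `service == nil` check below it. Suggest reading `local balancer_data = ngx.ctx.balancer_data` first, logging and returning an error response when it is nil, and moving the host resolution after the service check. `ngx.ctx.balancer_data` is also Kong-internal state rather than a PDK call, so a comment saying why `service.host` is no longer sufficient (the canary-release case from the PR title) would help whoever touches this on the next Kong upgrade.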
Expand Down Expand Up @@ -188,7 +188,7 @@ function AWSLambdaSTS:access(conf)
kong.service.request.set_raw_query(signed_request.query)
end

AWSLambdaSTS.PRIORITY = 110
AWSLambdaSTS.PRIORITY = 15
AWSLambdaSTS.VERSION = "1.0.5"

return AWSLambdaSTS
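Review bot: The `PRIORITY` change from `110` to `15` has no comment explaining the value, and `VERSION` stays at `"1.0.5"` even though both the execution order and the source of the signed host changed. Kong runs higher-priority plugins first, so every plugin with a priority between 15 and 110 now runs before signing instead of after it. Please add a comment naming the plugin this needs to follow, confirm nothing in that range depended on the old order, and bump the version.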