fix(aws-lambda-plugin)! Use AWS SigV4, require AWS region, allow custom lambda hosts #8082
Conversation
|
|
|
If the region now is required, then this is a breaking change. And even then I don't see how we can add that info with a migration. pinging the migrations/breaking change master; @mikefero |
|
@Tieske @aboudreault @kikito - what is the status of this PR? |
|
doesn't seem like we can merge this feature due to the breaking change mentioned. We cannot really guess the region if none is provided in the config. Options:
However, we are probably too short to include this in 2.8. |
|
This did not make it into 2.8, I am clearing its milestone |
tyler-ball
force-pushed
the
fix/aws-lambda-plugin
branch
from
5cbe8b5
to
4c4a733
Compare
|
Rebased off master |
tyler-ball
force-pushed
the
fix/aws-lambda-plugin
branch
from
b260b32
to
d2fa5bf
Compare
mikefero
added
the
version-compatibility
|
Some context for reviewers: AWS SigV4 was released in 2012. It replaces SigV2, which was deprecated in 2020. |
|
@segabond As we now target this for 3.0 with the go-with-breaking-change approach, could you add this to the changelog? (and also rebase upon master to run CI again) |
| -- if this is an AWS request, sign it | ||
| if region then |
There was a problem hiding this comment.
The change will break the fix for Kong/kong-plugin-aws-lambda#60. Probably you should leave it there.
…equests be signed [FTI-2928]
…ied in env) Signed-off-by: Tyler Ball <tyler.ball@konghq.com>
mayocream
force-pushed
the
fix/aws-lambda-plugin
branch
from
d2fa5bf
to
a22640b
Compare
mayocream
added
pr/ready
| if not region and not host then | ||
| return error("no region or host specified") | ||
| if not region then | ||
| return error("no region specified") |
There was a problem hiding this comment.
For other people's reference: this is a breaking change. This conditional makes conf.aws_region mandatory, in effect.
The reason why we don't make it mandatory on the schema is that we also accept setting it via the AWS_REGION env var, and our schemas don't support doing that automatically.
kikito
changed the title
Summary
As per FTI-2928, customer uses Kong in front of AWS lambda in the isolated gov AWS region. Such regions use custom service endpoints, therefore customer uses
hostconfiguration to override it. Since config schema does not allow both host and region be supplied simultaneously, it is impossible to correctly sign the request using AWS SigV4 algorithm. The correct implementation of such plugin should allow bothaws_regionandhostbe supplied, asaws_regionis a mandatory field for SigV4 signature algo.Full changelog
Issues resolved
Fix FTI-2928