feat(aws-lambda) add support for assume role based on metadata credentials #8900

Merged
merged 4 commits into from
Jun 6, 2022

@windmgc windmgc commented Jun 3, 2022

Summary

This PR adds support for assuming role based on EC2/ECS metadata credentials.

Currently, the aws-lambda plugin does not support cross-account invoking. To achieve that, we need to add support for assuming roles based on EC2/ECS metadata credentials. After fetching the metadata credentials, it'll make an additional request to AWS's STS service to ask to assume the role.

The code in iam-sts-credentials.lua originated from an old PR; I re-arranged it and picked up the part of the function that I need.

Note that this is a short-term plan to support FTI-3291, as it does not modify much of the code. Hoping to catch the last train of Version 3.0. From a long-term perspective, I think all the code related to fetching AWS credentials should be rebuilt based on https://github.com/Kong/lua-resty-aws; the library has complete support for AWS environment credential functions (ENV vars, configs, etc.)

Full changelog

  • Add implementation of AssumeRole.
  • Add two params for lambda function plugin, aws_assume_role_arn and aws_role_session_name.

Issue reference

Fix FTI-3291

@windmgc windmgc requested a review from a team as a code owner June 3, 2022 16:33
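
The second step described in the summary (calling STS AssumeRole once the metadata credentials are in hand), as an added example that is not code from this PR or from Kong, and is written in Python rather than the plugin's Lua. It validates the two new parameters, builds the AssumeRole request body, and parses the temporary credentials with an expiry check; the regexes are simplified assumptions, the response and all values are constructed, and SigV4 signing of the request with the metadata credentials is left out.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}
# Simplified shapes (assumption): IAM role ARN, and STS RoleSessionName (2-64 chars).
ROLE_ARN_RE = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+", re.ASCII)
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}", re.ASCII)
# Constructed sample AssumeRole response; no value here is a real credential.
SAMPLE_RESPONSE = """<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult><Credentials>
    <AccessKeyId>ASIAEXAMPLEKEYID</AccessKeyId>
    <SecretAccessKey>constructed-secret</SecretAccessKey>
    <SessionToken>constructed-token</SessionToken>
    <Expiration>2022-06-03T17:33:00Z</Expiration>
  </Credentials></AssumeRoleResult>
</AssumeRoleResponse>"""


def build_assume_role_body(role_arn, session_name):
    """Form-encoded AssumeRole body; malformed config is rejected before any request."""
    if not ROLE_ARN_RE.fullmatch(role_arn):
        raise ValueError("aws_assume_role_arn is not an IAM role ARN")
    if not SESSION_NAME_RE.fullmatch(session_name):
        raise ValueError("aws_role_session_name must be 2-64 chars of [A-Za-z0-9_+=,.@-]")
    return urlencode({"Action": "AssumeRole", "Version": "2011-06-15",
                      "RoleArn": role_arn, "RoleSessionName": session_name})


def parse_assume_role_response(xml_text):
    """Extract the temporary credentials and their expiry from the STS XML reply."""
    creds = ET.fromstring(xml_text).find("sts:AssumeRoleResult/sts:Credentials", STS_NS)
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    def text(name):
        return creds.findtext("sts:" + name, namespaces=STS_NS)
    expiration = datetime.strptime(text("Expiration"), "%Y-%m-%dT%H:%M:%SZ")
    return {
        "access_key": text("AccessKeyId"),
        "secret_key": text("SecretAccessKey"),
        "session_token": text("SessionToken"),
        "expiration": expiration.replace(tzinfo=timezone.utc),
    }


def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """True once the cached role credentials are within `margin` of expiring."""
    return now >= creds["expiration"] - margin
```
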
windmgc commented Jun 3, 2022

need to add tests for sts function
done

@windmgc windmgc force-pushed the feat-aws-lambda-assume-role branch from 79091c6 to 211625b Compare June 4, 2022 17:18