feat: add support for AssumeRoleWithWebIdentity for lambda plugin

Open backjo opened this issue 3 years ago • 4 comments

Summary

This PR adds support for using IAM Roles for Service Account credentials within the AWS Lambda plugin. This allows users on EKS to invoke the lambda plugin without static credentials.

backjo avatar Apr 27 '22 19:04 backjo
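
The credential exchange behind IAM Roles for Service Accounts, as an added illustration in Python; it is not code from this PR or from the Kong plugin, which is written in Lua. On EKS the pod receives `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE`, and the projected token is exchanged through the unsigned STS `AssumeRoleWithWebIdentity` call for temporary credentials. The function names, the default session name and all sample values are constructed for this example.

```python
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

def build_sts_query(env, read_token):
    """Form body for the unsigned AssumeRoleWithWebIdentity call, from IRSA env vars."""
    role_arn = env.get("AWS_ROLE_ARN")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not role_arn or not token_file:
        raise LookupError("IRSA not configured: role ARN or token file variable missing")
    token = read_token(token_file).strip()
    if not token:
        raise ValueError("projected service account token is empty")
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": env.get("AWS_ROLE_SESSION_NAME", "example-session"),
        "WebIdentityToken": token,  # bearer credential: never log it
    })

def parse_credentials(xml_body):
    """Extract the temporary credentials from the STS XML response."""
    creds = ET.fromstring(xml_body).find(".//sts:Credentials", NS)
    if creds is None:
        raise ValueError("STS response has no Credentials element")
    field = lambda name: creds.findtext("sts:" + name, namespaces=NS)
    expiry = datetime.strptime(field("Expiration"), "%Y-%m-%dT%H:%M:%SZ")
    return {"access_key": field("AccessKeyId"), "secret_key": field("SecretAccessKey"),
            "session_token": field("SessionToken"),
            "expires_at": expiry.replace(tzinfo=timezone.utc)}

def needs_refresh(creds, now, skew=timedelta(minutes=5)):
    """Temporary credentials expire; re-read the token file and call STS again early."""
    return now >= creds["expires_at"] - skew

# Constructed sample input, not real values.
SAMPLE_ENV = {"AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/example-kong-lambda",
              "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
SAMPLE_XML = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithWebIdentityResult><Credentials>
<AccessKeyId>ASIAEXAMPLE</AccessKeyId><SecretAccessKey>constructed-secret</SecretAccessKey>
<SessionToken>constructed-session-token</SessionToken><Expiration>2022-04-27T20:04:00Z</Expiration>
</Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>"""

if __name__ == "__main__":
    print(build_sts_query(SAMPLE_ENV, lambda path: "constructed.jwt.token\n"))
    creds = parse_credentials(SAMPLE_XML)
    print(creds["access_key"], needs_refresh(creds, datetime.now(timezone.utc)))
```

The token file is rotated by the kubelet, so a refresh should re-read it rather than reuse a cached copy of the token.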

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Apr 27 '22 19:04 CLAassistant

Functionality-wise this looks good.

Implementation-wise, I'm wondering whether we should replace all the auth-related stuff with the SDK, see https://github.com/Kong/lua-resty-aws. It features full configuration support based on AWS CLI-compatible settings, including profiles etc., as well as multiple authentications, most notably the ProviderCredentialChain.

@RobSerafini fyi; the aws sdk will be included in 3.0 as an underlying lib for accessing AWS Secrets Manager afaik, but @bungle probably knows best.

Tieske avatar May 13 '22 11:05 Tieske

Yeah, I think delegating to the SDK is probably long-term the best move. It's the behavior folks generally expect when any tool integrates with AWS for access.

backjo avatar May 16 '22 16:05 backjo

We have implemented this functionality as its own plugin: https://github.com/lego/kong-aws-request-signing

giovannidegani avatar Sep 20 '22 19:09 giovannidegani