Multi region routing for AWS Lambda Filter
Title: Enable multi region routing for AWS Lambda Filter
Description: Currently, the target cluster's Lambda endpoint must match the region specified in the ARN defined in envoy.filters.http.aws_lambda on the HTTP filter chain. We have a use case where an HTTP listener may need to route Lambda requests to multiple regions, using type.googleapis.com/envoy.extensions.filters.http.aws_lambda.v3.PerRouteConfig. For example, /lambda1 may need to route to us-east-1 and /lambda2 may need to route to us-east-2. Both routes are serviced from the same HTTP listener.
Currently, envoy.filters.http.aws_lambda in http_filters requires an ARN to be defined. If we use PerRouteConfig, this ARN essentially becomes a dummy ARN since we define the Lambda ARN in each PerRouteConfig in the route. However, it appears that the AWS SigV4 request is being built off the ARN in the HTTP listener. There are 2 effects from this - one, we have to define a "dummy" ARN of arn:aws:lambda:us-east-1:000000000000:function:dummy, and two, we're limited to routing to only Lambdas in the region defined in the dummy ARN (in this case, us-east-1).
If you define a Lambda ARN using a PerRouteConfig of say, us-east-2, the SigV4 will not match and AWS will return an HTTP 403 with a message like Credential should be scoped to a valid Region, not 'us-east-1'.
It appears that the correct fix is to modify the filter behavior to sign the AWS request off the ARN of the PerRouteConfig, if defined.
Seems like when the AWS signer is initialized we set the region and don’t change it later based on the ARN of the function. We can update the signer function to take in an argument containing the region string. If this is allowed this will be a straightforward fix.
/assign
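Added example, not part of the original thread and not Envoy's code: a Python sketch of why a SigV4 credential scope built from the listener ARN's region is rejected by a Lambda endpoint in another region, and of the region selection the issue asks for (per-route ARN first, listener ARN as fallback). The function names, the secret, the date and the lambda2 ARN are constructed for illustration; only the dummy ARN comes from the issue.

```python
import hashlib
import hmac

# Constructed sample values (the dummy ARN is the one quoted in the issue).
LISTENER_ARN = "arn:aws:lambda:us-east-1:000000000000:function:dummy"
ROUTE_ARN = "arn:aws:lambda:us-east-2:000000000000:function:lambda2"  # hypothetical
SECRET = "EXAMPLE-SECRET-KEY"  # placeholder, not a real credential
DATE = "20240101"              # constructed signing date (YYYYMMDD)


def arn_region(arn):
    """Return the region field of arn:partition:lambda:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "lambda" or not parts[3]:
        raise ValueError(f"not a Lambda ARN with a region: {arn!r}")
    return parts[3]


def signing_region(listener_arn, route_arn=None):
    """Region selection the issue asks for: the per-route ARN wins when defined."""
    return arn_region(route_arn if route_arn else listener_arn)


def credential_scope(date, region, service="lambda"):
    """Scope string carried in the Authorization header's Credential field."""
    return f"{date}/{region}/{service}/aws4_request"


def signing_key(secret, date, region, service="lambda"):
    """SigV4 key derivation: the region is mixed into the HMAC chain."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def scope_matches_endpoint(scope, endpoint_arn):
    """A regional endpoint only accepts a scope that names its own region."""
    return scope.split("/")[1] == arn_region(endpoint_arn)


if __name__ == "__main__":
    old = credential_scope(DATE, arn_region(LISTENER_ARN))
    new = credential_scope(DATE, signing_region(LISTENER_ARN, ROUTE_ARN))
    print("listener-ARN scope:", old, "accepted:", scope_matches_endpoint(old, ROUTE_ARN))
    print("per-route scope:   ", new, "accepted:", scope_matches_endpoint(new, ROUTE_ARN))
```

Because the region is also an input to the signing key, a signer initialized once with the listener's region cannot be corrected by rewriting the scope string alone; the key has to be derived again for the per-route region.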
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
bump
no stale