From 0816ba9ba6412e30271fe30a4f3a71ca97efc3ad Mon Sep 17 00:00:00 2001
From: windmgc
Date: Tue, 12 Sep 2023 15:57:58 +0800
Subject: [PATCH 1/3] fix(aws-lambda): let plugin level proxy take effect on EKS IRSA credential provider
---
 kong/plugins/aws-lambda/handler.lua | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/kong/plugins/aws-lambda/handler.lua b/kong/plugins/aws-lambda/handler.lua
index 3b791b1fbc75..0370568a0ed9 100644
--- a/kong/plugins/aws-lambda/handler.lua
+++ b/kong/plugins/aws-lambda/handler.lua
@@ -59,6 +59,9 @@ function AWSLambdaHandler:access(conf)
 if not lambda_service then
 local credentials = AWS.config.credentials
 -- Override credential config according to plugin config
+ -- Note that we will not override the credential in AWS
+ -- singleton directly because it may be needed for other
+ -- scenario
 if conf.aws_key then
 local creds = AWS:Credentials {
 accessKeyId = conf.aws_key,
@@ -66,6 +69,23 @@ function AWSLambdaHandler:access(conf)
 }
 credentials = creds
+
+ elseif conf.proxy_url
+ -- If plugin config has proxy, then EKS IRSA might
+ -- need it as well, so we need to re-init the AWS
+ -- IRSA credential provider
+ and AWS_GLOBAL_CONFIG.AWS_WEB_IDENTITY_TOKEN_FILE
+ and AWS_GLOBAL_CONFIG.AWS_ROLE_ARN then
+ local creds = AWS:TokenFileWebIdentityCredentials()
+ creds.sts = AWS:STS({
+ region = region,
+ stsRegionalEndpoints = AWS_GLOBAL_CONFIG.sts_regional_endpoints,
+ ssl_verify = false,
+ http_proxy = conf.proxy_url,
+ https_proxy = conf.proxy_url,
+ })
+
+ credentials = creds
 end
 -- Assume role based on configuration
@@ -74,6 +94,7 @@ function AWSLambdaHandler:access(conf)
 credentials = credentials,
 region = region,
 stsRegionalEndpoints = AWS_GLOBAL_CONFIG.sts_regional_endpoints,
+ ssl_verify = false,
 http_proxy = conf.proxy_url,
 https_proxy = conf.proxy_url,
 })
From 16e2fe5e317c39a207440fa23935136a66ae77c1 Mon Sep 17 00:00:00 2001
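Review bot: `ssl_verify = false` in the new `creds.sts = AWS:STS({ ... })` table disables certificate verification on the STS call that exchanges the IRSA web identity token for temporary credentials, and the last hunk (`@@ -74,6 +94,7 @@`) adds the same line to the assume-role STS client. With verification off, the proxy named in `conf.proxy_url`, or any other host on the path, can terminate the TLS session and read the token and the credentials that come back. Neither the comments nor the commit message give a reason for turning it off as part of the proxy fix, so I would set `ssl_verify = true,` in both tables, or make it follow an explicit plugin setting and add a comment explaining why STS traffic may go unverified. `AWSLambdaHandler:access` begins and ends outside these hunks, so whether the Lambda client is configured the same way cannot be checked from here.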
From: windmgc
Date: Tue, 12 Sep 2023 16:07:32 +0800
Subject: [PATCH 2/3] docs(changelog): add changelog
---
 CHANGELOG/unreleased/kong/11551.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 CHANGELOG/unreleased/kong/11551.yaml
diff --git a/CHANGELOG/unreleased/kong/11551.yaml b/CHANGELOG/unreleased/kong/11551.yaml
new file mode 100644
index 000000000000..906e86775587
--- /dev/null
+++ b/CHANGELOG/unreleased/kong/11551.yaml
@@ -0,0 +1,7 @@
+"message": "**AWS-Lambda**: let plugin-level proxy take effect on EKS IRSA credential provider"
+"type": "bugfix"
+"scope": "Plugin"
+"prs":
+- 11551
+"jiras":
+- "FTI-5242"
From d6786d4b35ce1f3a8c5069e75b89c040eebbf4aa Mon Sep 17 00:00:00 2001
From: windmgc
Date: Wed, 13 Sep 2023 11:43:17 +0800
Subject: [PATCH 3/3] chore(deps): bump lua-resty-aws to 1.3.2
---
 CHANGELOG/unreleased/kong/{11551.yaml => 11551-1.yaml} | 0
 CHANGELOG/unreleased/kong/11551-2.yaml | 6 ++++++
 kong-3.5.0-0.rockspec | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)
 rename CHANGELOG/unreleased/kong/{11551.yaml => 11551-1.yaml} (100%)
 create mode 100644 CHANGELOG/unreleased/kong/11551-2.yaml
diff --git a/CHANGELOG/unreleased/kong/11551.yaml b/CHANGELOG/unreleased/kong/11551-1.yaml
similarity index 100%
rename from CHANGELOG/unreleased/kong/11551.yaml
rename to CHANGELOG/unreleased/kong/11551-1.yaml
diff --git a/CHANGELOG/unreleased/kong/11551-2.yaml b/CHANGELOG/unreleased/kong/11551-2.yaml
new file mode 100644
index 000000000000..ce2a9a3ce0e0
--- /dev/null
+++ b/CHANGELOG/unreleased/kong/11551-2.yaml
@@ -0,0 +1,6 @@
+message: "Bumped lua-resty-aws from 1.3.1 to 1.3.2"
+type: dependency
+prs:
+ - 11551
+jiras:
+ - "FTI-5242"
diff --git a/kong-3.5.0-0.rockspec b/kong-3.5.0-0.rockspec
index 5e39cd067a7f..d120618a9a83 100644
--- a/kong-3.5.0-0.rockspec
+++ b/kong-3.5.0-0.rockspec
@@ -33,7 +33,7 @@ dependencies = {
 "lua-protobuf == 0.5.0",
 "lua-resty-healthcheck == 1.6.3",
 "lua-messagepack == 0.5.2",
- "lua-resty-aws == 1.3.1",
+ "lua-resty-aws == 1.3.2",
 "lua-resty-openssl == 0.8.25",
 "lua-resty-counter == 0.2.1",
 "lua-resty-ipmatcher == 0.6.1",