feat(aws-lambda): add configurable sts endpoint url for aws-lambda pl…

…ugin
Kong · Jul 18, 2024 · 5576c64 · 5576c64 · github-actions · Jul 18, 2024
1 parent fd10d6e
commit 5576c64
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 0 deletions.
diff --git a/changelog/unreleased/kong/feat-aws-lambda-configurable-sts-endpoint.yml b/changelog/unreleased/kong/feat-aws-lambda-configurable-sts-endpoint.yml
@@ -0,0 +1,4 @@
+message: >
+  "**AWS-Lambda**: Added support for a configurable STS endpoint with the new configuration field `aws_sts_endpoint_url`.
+type: feature
+scope: Plugin
diff --git a/kong/clustering/compat/checkers.lua b/kong/clustering/compat/checkers.lua
@@ -38,6 +38,19 @@ local compatible_checkers = {
         end
       end
 
+      for _, plugin in ipairs(config_table.plugins or {}) do
+        if plugin.name == 'aws-lambda' then
+          local config = plugin.config
+          if config.aws_sts_endpoint_url ~= nil then
+            config.aws_sts_endpoint_url = nil
+            has_update = true
+            log_warn_message('configures ' .. plugin.name .. ' plugin with aws_sts_endpoint_url',
+              'will be removed.',
+              dp_version, log_suffix)
+          end
+        end
+      end
+
       return has_update
     end
   },

diff --git a/kong/plugins/aws-lambda/handler.lua b/kong/plugins/aws-lambda/handler.lua
@@ -48,6 +48,7 @@ local build_cache_key do
   -- vault refresh can take effect when key/secret is rotated
   local SERVICE_RELATED_FIELD = { "timeout", "keepalive", "aws_key", "aws_secret",
                                   "aws_assume_role_arn", "aws_role_session_name",
+                                  "aws_sts_endpoint_url",
                                   "aws_region", "host", "port", "disable_https",
                                   "proxy_url", "aws_imds_protocol_version" }
 
@@ -132,6 +133,7 @@ function AWSLambdaHandler:access(conf)
         credentials = credentials,
         region = region,
         stsRegionalEndpoints = AWS_GLOBAL_CONFIG.sts_regional_endpoints,
+        endpoint = conf.aws_sts_endpoint_url,
         ssl_verify = false,
         http_proxy = conf.proxy_url,
         https_proxy = conf.proxy_url,

diff --git a/kong/plugins/aws-lambda/schema.lua b/kong/plugins/aws-lambda/schema.lua
@@ -38,6 +38,7 @@ return {
         { aws_role_session_name = { description = "The identifier of the assumed role session.", type = "string",
           default = "kong"
         } },
+        { aws_sts_endpoint_url = typedefs.url },
         { aws_region = typedefs.host },
         { function_name = {
           type = "string",