diff --git a/CHANGELOG/unreleased/kong/11551-1.yaml b/CHANGELOG/unreleased/kong/11551-1.yaml
new file mode 100644
index 000000000000..906e86775587
--- /dev/null
+++ b/CHANGELOG/unreleased/kong/11551-1.yaml
@@ -0,0 +1,7 @@
+"message": "**AWS-Lambda**: let plugin-level proxy take effect on EKS IRSA credential provider"
+"type": "bugfix"
+"scope": "Plugin"
+"prs":
+- 11551
+"jiras":
+- "FTI-5242"
diff --git a/CHANGELOG/unreleased/kong/11551-2.yaml b/CHANGELOG/unreleased/kong/11551-2.yaml
new file mode 100644
index 000000000000..ce2a9a3ce0e0
--- /dev/null
+++ b/CHANGELOG/unreleased/kong/11551-2.yaml
@@ -0,0 +1,6 @@
+message: "Bumped lua-resty-aws from 1.3.1 to 1.3.2"
+type: dependency
+prs:
+ - 11551
+jiras:
+ - "FTI-5242"
diff --git a/kong-3.5.0-0.rockspec b/kong-3.5.0-0.rockspec
index 5e39cd067a7f..d120618a9a83 100644
--- a/kong-3.5.0-0.rockspec
+++ b/kong-3.5.0-0.rockspec
@@ -33,7 +33,7 @@ dependencies = {
 "lua-protobuf == 0.5.0",
 "lua-resty-healthcheck == 1.6.3",
 "lua-messagepack == 0.5.2",
- "lua-resty-aws == 1.3.1",
+ "lua-resty-aws == 1.3.2",
 "lua-resty-openssl == 0.8.25",
 "lua-resty-counter == 0.2.1",
 "lua-resty-ipmatcher == 0.6.1",
diff --git a/kong/plugins/aws-lambda/handler.lua b/kong/plugins/aws-lambda/handler.lua
index 3b791b1fbc75..0370568a0ed9 100644
--- a/kong/plugins/aws-lambda/handler.lua
+++ b/kong/plugins/aws-lambda/handler.lua
@@ -59,6 +59,9 @@ function AWSLambdaHandler:access(conf)
 if not lambda_service then
 local credentials = AWS.config.credentials
 -- Override credential config according to plugin config
+ -- Note that we will not override the credential in AWS
+ -- singleton directly because it may be needed for other
+ -- scenario
 if conf.aws_key then
 local creds = AWS:Credentials {
 accessKeyId = conf.aws_key,
@@ -66,6 +69,23 @@ function AWSLambdaHandler:access(conf)
 }
 credentials = creds
+
+ elseif conf.proxy_url
+ -- If plugin config has proxy, then EKS IRSA might
+ -- need it as well, so we need to re-init the AWS
+ -- IRSA credential provider
+ and AWS_GLOBAL_CONFIG.AWS_WEB_IDENTITY_TOKEN_FILE
+ and AWS_GLOBAL_CONFIG.AWS_ROLE_ARN then
+ local creds = AWS:TokenFileWebIdentityCredentials()
+ creds.sts = AWS:STS({
+ region = region,
+ stsRegionalEndpoints = AWS_GLOBAL_CONFIG.sts_regional_endpoints,
+ ssl_verify = false,
+ http_proxy = conf.proxy_url,
+ https_proxy = conf.proxy_url,
+ })
+
+ credentials = creds
 end
 -- Assume role based on configuration
@@ -74,6 +94,7 @@ function AWSLambdaHandler:access(conf)
 credentials = credentials,
 region = region,
 stsRegionalEndpoints = AWS_GLOBAL_CONFIG.sts_regional_endpoints,
+ ssl_verify = false,
 http_proxy = conf.proxy_url,
 https_proxy = conf.proxy_url,
 })
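Review bot: `ssl_verify = false` on the new `AWS:STS({...})` client in the IRSA branch disables TLS certificate verification for the endpoint that receives the web-identity token and returns temporary credentials, so with a proxy in the path that exchange has no protection against a tampered or interposed endpoint; the same flag is hard-coded into the assume-role STS client in the -74,+94 hunk. If the reason is that no trusted CA bundle is available to the client in this context, passing the configured CA through (confirm whether the STS client in lua-resty-aws 1.3.2 accepts one) or gating the flag on a plugin option is preferable to switching verification off unconditionally, and in any case the line needs a why-comment, e.g. `-- ssl_verify is disabled because <reason>; TODO re-enable once <condition>`. As a point of style, the three comment lines interleaved inside the `elseif` condition make the predicate hard to read; moving them above the `elseif` keeps the condition on two lines. The enclosing `AWSLambdaHandler:access` starts and ends outside the hunk.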