Hi guys,
I’m exploring the AWS Lambda plugin for our R&D. I’m using Kong OSS.
I tried using Aws Secret and Aws Key and it worked, but as per our head this approach is not good practice. I need to use the Aws Assume Role Arn.
I also configured the policy of my AWS role like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:YOUR_REGION:YOUR_ACCOUNT_ID:function:FUNCTION_NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
```
I tried to replicate the source code of the AWS Lambda plugin and added Kong logs to see if handler.lua is getting the credentials (here is part of the code from handler.lua):
```lua
-- Assume role based on configuration
if conf.aws_assume_role_arn then
  local sts, err = AWS:STS({
    credentials = credentials,
    region = region,
    stsRegionalEndpoints = AWS_GLOBAL_CONFIG.sts_regional_endpoints,
    endpoint = conf.aws_sts_endpoint_url,
    ssl_verify = false,
    http_proxy = conf.proxy_url,
    https_proxy = conf.proxy_url,
  })
  if not sts then
    kong.log.debug("error: ", err)
    return error(fmt("unable to create AWS STS (%s)", err))
  end
  local sts_creds = AWS:ChainableTemporaryCredentials {
    params = {
      RoleArn = conf.aws_assume_role_arn,
      RoleSessionName = conf.aws_role_session_name,
    },
    sts = sts,
  }
  credentials = sts_creds
  kong.log.debug("updated credentials with aws assume role: ", credentials)
end
```
Looking at the log, the credentials are nil, so when the plugin executes lambda_service:invoke it returns an authentication error.
I saw the same question here, but it has no answer:
AWS Lambda Plugin - Invocation with IAM role - Questions - Kong Nation
I also saw the comment pointing to a guide, but it is now a 404.