new config parameter

DanielRailean · DanielRailean · commit d9fbf0ff9d4d · 2025-10-23T11:51:27.000+02:00
diff --git a/Readme.md b/Readme.md
@@ -17,9 +17,13 @@ Note that this plugin cannot be used in combination with Kong [upstreams](https:
 ## Plugin configuration parameters
 
 ```lua
-aws_assume_role_arn -- ARN of the IAM role that the plugin will try to assume
+aws_assume_role_arn -- ARN of the IAM role that the plugin will try to assume, cannot be supplied together with `aws_account_id`. At least one must be specified.
 type = "string"
-required = true
+required = false
+
+aws_account_id -- ID of the AWS account the lambda is deployed to. Used to generate the ARN of the IAM role to be assumed. Cannot be specified together with `aws_assume_role_arn`. At least one must be specified.
+type = "number"
+required = false
 
 aws_assume_role_name -- Name of the role above.
 type = "string"
diff --git a/kong/plugins/aws-request-signing/handler.lua b/kong/plugins/aws-request-signing/handler.lua
@@ -112,7 +112,7 @@ function AWSLambdaSTS:access(conf)
   local auth_header_key = conf.auth_header or "authorization"
   local auth_header_value = request_headers[auth_header_key]
   if not auth_header_value then
-    kong.log.notice("header value missing for: '".. auth_header_key .. "', skipping signing")
+    kong.log.notice("header value missing for: '" .. auth_header_key .. "', skipping signing")
     return
   end
 
@@ -164,7 +164,8 @@ function AWSLambdaSTS:access(conf)
 
 
   local sts_conf = {
-    RoleArn = conf.aws_assume_role_arn,
+    RoleArn = conf.aws_assume_role_arn or
+    ('arn:aws:iam::' .. conf.aws_account_id .. ':role/' .. conf.aws_assume_role_name),
     WebIdentityToken = retrieve_token(auth_header_value),
     RoleSessionName = conf.aws_assume_role_name,
   }
diff --git a/kong/plugins/aws-request-signing/schema.lua b/kong/plugins/aws-request-signing/schema.lua
@@ -19,7 +19,13 @@ return {
             aws_assume_role_arn = {
               type = "string",
               encrypted = true, -- Kong Enterprise-exclusive feature, does nothing in Kong CE
-              required = true,
+              required = false,
+            }
+          },
+          {
+            aws_account_id = {
+              type = "number",
+              required = false,
             }
           },
           {
@@ -67,9 +73,9 @@ return {
               required = true,
               default = false,
               description =
-                  "Instructs the plugin to use the context target if its host or port were altered "..
-                  " (by other plugins) during the signing, bypassing the override_target_host "..
-                  "and override_target_port parameters. Works by comparing the service target parameters"..
+                  "Instructs the plugin to use the context target if its host or port were altered " ..
+                  " (by other plugins) during the signing, bypassing the override_target_host " ..
+                  "and override_target_port parameters. Works by comparing the service target parameters" ..
                   " with the context target parameters. Ignored if the target was not altered."
             }
           },
@@ -112,5 +118,17 @@ return {
     }
   },
   entity_checks = {
+    {
+      mutually_exclusive = {
+        "aws_account_id",
+        "aws_assume_role_arn",
+      },
+    },
+    {
+      at_least_one_of = {
+        "aws_account_id",
+        "aws_assume_role_arn",
+      },
+    },
   }
 }
