feat: assertion header is now configurable

.github/workflows/build.yml

@@ -35,8 +35,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: leafo/gh-actions-lua@v9
-      - uses: leafo/gh-actions-luarocks@v4
+      - uses: leafo/gh-actions-lua@v12
+      - uses: leafo/gh-actions-luarocks@v6
       - run: luarocks make
 
       - name: luarocks pack

.github/workflows/publish-rock.yml

@@ -13,8 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: leafo/gh-actions-lua@v9
-      - uses: leafo/gh-actions-luarocks@v4
+      - uses: leafo/gh-actions-lua@v12
+      - uses: leafo/gh-actions-luarocks@v6
       - run: luarocks make
 
       - name: luarocks pack

Readme.md

@@ -17,9 +17,13 @@ Note that this plugin cannot be used in combination with Kong [upstreams](https:
 ## Plugin configuration parameters
 
 ```lua
-aws_assume_role_arn -- ARN of the IAM role that the plugin will try to assume
+aws_assume_role_arn -- ARN of the IAM role that the plugin will try to assume, cannot be supplied together with `aws_account_id`. At least one must be specified.
 type = "string"
-required = true
+required = false
+
+aws_account_id -- ID of the AWS account the lambda is deployed to. Used to generate the ARN of the IAM role to be assumed. Cannot be specified together with `aws_assume_role_arn`. At least one must be specified.
+type = "number"
+required = false
 
 aws_assume_role_name -- Name of the role above.
 type = "string"
@@ -33,6 +37,10 @@ aws_service -- AWS Service you are trying to access (lambda and s3 were tested)
 type = "string"
 required = true
 
+auth_header -- The header key used to fetch the value sent to AWS STS as the 'WebIdentityToken' parameter. Defaults to 'authorization'
+type = "string"
+required = false
+
 override_target_host -- To be used when deploying multiple lambdas on a single Kong service (because lambdas have different URLs)
 type = "string"
 required = false
@@ -56,12 +64,12 @@ type = "boolean"
 required = true
 default = false
 
-preserve_auth_header -- Controls if the bearer token will be passed to the upstream
+preserve_auth_header -- Controls if the header value will be passed to the upstream
 type = "boolean"
 required = true
 default = true
 
-preserve_auth_header_key -- The header key where the bearer token will be saved and passed to the upstream. works only if 'preserve_auth_header' parameter above is set to true.
+preserve_auth_header_key -- The header key where the header value will be saved and passed to the upstream. works only if 'preserve_auth_header' parameter above is set to true.
 type = "string"
 required = true
 default = "x-authorization"

kong/plugins/aws-request-signing/handler.lua

@@ -109,11 +109,20 @@ function AWSLambdaSTS:access(conf)
     return kong.response.exit(500, { message = "The plugin must be bound to a service!" })
   end
 
+  local auth_header_key = conf.auth_header or "authorization"
+  local auth_header_value = request_headers[auth_header_key]
+  if not auth_header_value then
+    kong.log.notice("header value missing for: '" .. auth_header_key .. "', skipping signing")
+    return
+  end
+
   if conf.preserve_auth_header then
     kong.service.request.set_headers({
-      [conf.preserve_auth_header_key] = request_headers.authorization
+      [conf.preserve_auth_header_key] = auth_header_value
     })
   end
+  -- removing the header, we either do not need it or we set it to the signed value later.
+  kong.service.request.clear_header(auth_header_key)
 
   local target_altered = false
 
@@ -155,8 +164,9 @@ function AWSLambdaSTS:access(conf)
 
 
   local sts_conf = {
-    RoleArn = conf.aws_assume_role_arn,
-    WebIdentityToken = retrieve_token(request_headers["authorization"]),
+    RoleArn = conf.aws_assume_role_arn or
+    ('arn:aws:iam::' .. conf.aws_account_id .. ':role/' .. conf.aws_assume_role_name),
+    WebIdentityToken = retrieve_token(auth_header_value),
     RoleSessionName = conf.aws_assume_role_name,
   }
 
@@ -171,10 +181,7 @@ function AWSLambdaSTS:access(conf)
     ["content-type"] = request_headers["content-type"]
   }
 
-  -- removing the authorization, we either do not need it or we set it again later.
-  kong.service.request.clear_header("authorization")
-
-  -- might fail if too big. is controlled by the folowing nginx params:
+  -- might fail if too big. is controlled by the following nginx params:
   -- nginx_http_client_max_body_size
   -- nginx_http_client_body_buffer_size
   local req_body, get_body_err = kong.request.get_raw_body()

kong/plugins/aws-request-signing/schema.lua

@@ -19,7 +19,13 @@ return {
             aws_assume_role_arn = {
               type = "string",
               encrypted = true, -- Kong Enterprise-exclusive feature, does nothing in Kong CE
-              required = true,
+              required = false,
+            }
+          },
+          {
+            aws_account_id = {
+              type = "number",
+              required = false,
             }
           },
           {
@@ -67,9 +73,9 @@ return {
               required = true,
               default = false,
               description =
-                  "Instructs the plugin to use the context target if its host or port were altered "..
-                  " (by other plugins) during the signing, bypassing the override_target_host "..
-                  "and override_target_port parameters. Works by comparing the service target parameters"..
+                  "Instructs the plugin to use the context target if its host or port were altered " ..
+                  " (by other plugins) during the signing, bypassing the override_target_host " ..
+                  "and override_target_port parameters. Works by comparing the service target parameters" ..
                   " with the context target parameters. Ignored if the target was not altered."
             }
           },
@@ -87,6 +93,12 @@ return {
               default = false,
             }
           },
+          {
+            auth_header = {
+              type = "string",
+              required = false,
+            }
+          },
           {
             preserve_auth_header = {
               type = "boolean",
@@ -106,5 +118,17 @@ return {
     }
   },
   entity_checks = {
+    {
+      mutually_exclusive = {
+        "config.aws_account_id",
+        "config.aws_assume_role_arn",
+      },
+    },
+    {
+      at_least_one_of = {
+        "config.aws_account_id",
+        "config.aws_assume_role_arn",
+      },
+    },
   }
 }

spec/02-integration_spec.lua

@@ -194,7 +194,8 @@ for _, strategy in helpers.all_strategies() do
                     method = "GET",
                     path = "/status/200",
                     headers = {
-                        ["Host"] = "test1.com"
+                        ["Host"] = "test1.com",
+                        authorization = "header.body.sig",
                     }
                 })
                 local body = assert.res_status(200, res)
@@ -210,7 +211,8 @@ for _, strategy in helpers.all_strategies() do
             it("should override host when configured", function()
                 local res = proxy_client:get("/testoverride", {
                     headers = {
-                        ["Host"] = "test2.com"
+                        ["Host"] = "test2.com",
+                        authorization = "header.body.sig",
                     }
                 })
                 local body = assert.res_status(200, res)
@@ -223,7 +225,8 @@ for _, strategy in helpers.all_strategies() do
                     method = "GET",
                     path = "/status/200",
                     headers = {
-                        ["Host"] = "test3.com"
+                        ["Host"] = "test3.com",
+                        authorization = "header.body.sig",
                     }
                 })
                 local body = assert.res_status(200, res)