MrSaints / kong-plugin-aws

[INACTIVE] A Kong plugin for signing incoming requests with Amazon Web Services (AWS) authentication headers.
Apache License 2.0

Instance Profiles #2

Open tecnobrat opened 6 years ago

tecnobrat commented 6 years ago

Is there a possibility that this could be expanded to support instance profiles instead of hard coded credentials?

MrSaints commented 6 years ago

Definitely possible @tecnobrat. But it requires some re-working since it relies on user-specified configuration ATM (https://github.com/MrSaints/kong-plugin-aws/blob/master/kong/plugins/aws/handler.lua#L29).

I am not sure if that is something we should do though, since it seems like all Kong plugins are configured that way, rather than set using files or environment variables (that being said, that is how most AWS SDKs are set up).

tecnobrat commented 6 years ago

The difference in my opinion is that there is an alternative to user-specified configuration in this case, which I don't think is the case for any other Kong plugins.

michaelcurran commented 6 years ago

+1 for instance profiles. I think it'd be a very useful feature to have the ability to use the dynamic short-lived credentials over having to manage and provide a single hard-coded IAM key.

MrSaints commented 6 years ago

I don't disagree @tecnobrat, but I derived this plugin from https://getkong.org/plugins/aws-lambda/. And they didn't seem to opt for the environment variable route. That being said, we could probably get some inspiration from: https://github.com/adobe-apiplatform/api-gateway-aws/blob/master/src/lua/api-gateway/aws/AWSIAMCredentials.lua

tecnobrat commented 6 years ago

Totally! That code looks like how the Ruby and Node AWS SDKs implement it.

tecnobrat commented 6 years ago

@MrSaints https://github.com/Mashape/kong/pull/2777

Looks like there is a pending PR against the lambda plugin which does this :)

MrSaints commented 6 years ago

I'll have a look, should be easy to cherry-pick it here @tecnobrat 👍
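
An added sketch of the credential resolution discussed in this thread (not code from this plugin, the linked PR, or the Adobe module): explicit configuration is used when present, otherwise short-lived instance-profile credentials are fetched and cached until shortly before their `Expiration`. The `conf` field names, the injected `fetch` function (standing in for the HTTP call to the instance metadata service) and the 300-second refresh margin are assumptions.

```lua
local REFRESH_SKEW = 300 -- assumed margin: refresh 5 minutes before Expiration

-- Convert the UTC "Expiration" timestamp to epoch seconds arithmetically,
-- so the result does not depend on the gateway's local timezone.
local function parse_expiration(ts)
  local y, m, d, H, M, S = ts:match("^(%d+)-(%d+)-(%d+)T(%d+):(%d+):(%d+)")
  if not y then return nil, "unparseable Expiration: " .. tostring(ts) end
  y, m, d = tonumber(y), tonumber(m), tonumber(d)
  if m <= 2 then y, m = y - 1, m + 12 end
  local days = 365 * y + math.floor(y / 4) - math.floor(y / 100) + math.floor(y / 400)
             + math.floor((153 * (m - 3) + 2) / 5) + d - 719469
  return days * 86400 + tonumber(H) * 3600 + tonumber(M) * 60 + tonumber(S)
end

-- conf: plugin configuration (field names are hypothetical).
-- fetch: hypothetical function returning the decoded metadata JSON as a table.
-- now: clock returning epoch seconds.
local function new_provider(conf, fetch, now)
  local cached
  return function()
    -- Explicit configuration still wins, preserving the existing behaviour.
    if conf.access_key and conf.secret_key then
      return { access_key = conf.access_key, secret_key = conf.secret_key }
    end
    if cached and now() < cached.expires_at - REFRESH_SKEW then return cached end
    local doc, err = fetch()
    if not doc then return nil, "metadata fetch failed: " .. tostring(err) end
    if doc.Code ~= "Success" then return nil, "unexpected Code: " .. tostring(doc.Code) end
    local expires_at, perr = parse_expiration(doc.Expiration or "")
    if not expires_at then return nil, perr end
    if expires_at <= now() then return nil, "metadata returned expired credentials" end
    -- The session token must accompany the signature (X-Amz-Security-Token).
    cached = { access_key = doc.AccessKeyId, secret_key = doc.SecretAccessKey,
               session_token = doc.Token, expires_at = expires_at }
    return cached
  end
end

-- Constructed demo: fake metadata document and a controllable clock.
local expiry, calls = 1893456000, 0 -- 2030-01-01T00:00:00Z
local t = expiry - 3600
local get = new_provider({}, function()
  calls = calls + 1
  return { Code = "Success", AccessKeyId = "ASIAEXAMPLEKEY", SecretAccessKey = "constructed",
           Token = "constructed-token", Expiration = "2030-01-01T00:00:00Z" }
end, function() return t end)
assert(get().expires_at == expiry)
get(); assert(calls == 1) -- second call served from cache
t = expiry - 200; get(); assert(calls == 2) -- inside the skew window: refetched
```

Returning an error when the fetch fails or the document is already expired keeps the signer from falling back to stale keys silently.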