MrSaints / kong-plugin-aws

[INACTIVE] A Kong plugin for signing incoming requests with Amazon Web Services (AWS) authentication headers.
Apache License 2.0
7 stars 3 forks source link

Instance Profiles #2

Open tecnobrat opened 7 years ago

tecnobrat commented 7 years ago

Is there a possibility that this could be expanded to support instance profiles instead of hard coded credentials?

MrSaints commented 7 years ago

Definitely possible @tecnobrat. But it requires some re-working since it relies on user-specified configuration ATM (https://github.com/MrSaints/kong-plugin-aws/blob/master/kong/plugins/aws/handler.lua#L29).

I am not sure if that is something we should do though, since it seems like all Kong plugins are configured that way, rather than set using files or environment variables (that being said, that is how most AWS SDKs are set up).

tecnobrat commented 7 years ago

The difference in my opinion is that there is an alternative to user-specified configuration in this case, which I don't think is the case for any other kong plugins.

michaelcurran commented 7 years ago

+1 for instance profiles. I think it'd be a very useful feature to have the ability to use the dynamic short-lived credentials over having to manage and provide a single hard-coded IAM key.

MrSaints commented 7 years ago

I don't disagree @tecnobrat, but I derived this plugin from https://getkong.org/plugins/aws-lambda/. And they didn't seem to opt for the environment variable route. That being said, we could probably get some inspiration from: https://github.com/adobe-apiplatform/api-gateway-aws/blob/master/src/lua/api-gateway/aws/AWSIAMCredentials.lua

tecnobrat commented 7 years ago

Totally! That code looks like how the ruby and node AWS SDK's implement it.

tecnobrat commented 7 years ago

@MrSaints https://github.com/Mashape/kong/pull/2777

looks like there is a pending PR against the lambda plugin which does this :)

MrSaints commented 7 years ago

I'll have a look, should be easy to cherry-pick it here @tecnobrat 👍