bug: aws-lambda plugin with IAM auth fails with URL-encoded query parameters

[deiwin]

Current Behavior

When using the the aws-lambda plugin with IAM auth, then any request that includes URL-encoded query parameters will fail with the following error returned from AWS:

HTTP/2 403
..
x-amzn-errortype: InvalidSignatureException
..

{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}

I believe this happens because:

• get_uri_args unescapes query parameters
• The aws-lambda plugin uses get_uri_args, which unescapes the parameters but then also unescapes them itself, causing the args to be unescaped twice.
• Per AWS docs the "canonical query parameters" used for the signature should be escaped, but they are double-unescaped instead.

Expected Behavior

No response

Error Logs

No response

Steps to Reproduce

Create a route including the aws-lambda plugin:

function_uri: <URI>
authorization:
  iam:
    accesskey: <key>
    secretkey: <key>
    aws_region: <region>
    service: <execute-api/lambda>

Then send a request to the route, including a query parameter such as ?param=with%20spaces, for example.

Environment

• APISIX version (run apisix version): 3.7.0 (but the issue is also on master)
• Operating system (run uname -a): Debian (from apache/apisix:3.7.0-debian Docker image)

[shreemaan-abhishek]

welcome to raise a PR to fix this!

[deiwin]

Thanks! @shreemaan-abhishek, do you know if a PR would be accepted if it also introduced the usage of the nginxinc/nginx-aws-signature library?

I'm asking because for me to be able to actually use the aws-lambda plugin I'd need it to support IAM roles for service accounts, which it currently doesn't.

[deiwin]

Okay, maybe that wasn't a great library to suggest, as it's in JS and whatnot. But would the addition of https://github.com/Kong/lua-resty-aws be acceptable?

This could be used for getting the credentials (defaulting to env variables, EKS pod identity, EC2 identity, etc) and the existing code could be kept for the signing logic.

[shreemaan-abhishek]

I'd need it to support IAM roles for service accounts, which it currently doesn't.

If this is a separate feature, please create an issue describing this feature request, then we can move forward with whether or not we should have it. After that we can return to this issue. WDYT?

[deiwin]

Thanks @shreemaan-abhishek, created https://github.com/apache/apisix/issues/11137