Enable AWS Request Signing (v3.4+)
Enable the AWS Request Signing plugin.
Prerequisites
- The AWS Request Signing plugin is installed.
- The plugin needs to request temporary credentials, so add your OAuth token issuer to the Identity Providers in your AWS account.
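Registering the token issuer as an identity provider only establishes trust in its signature; the trust policy on the role to be assumed decides which of that issuer's tokens are accepted. The following is an added example, not code from the plugin or its documentation: a small audit of a role trust policy, assuming the temporary credentials are obtained with sts:AssumeRoleWithWebIdentity and that the issuer's tokens carry aud and sub claims. The issuer host, claim values and sample policies are constructed.

```python
ACTION = "sts:AssumeRoleWithWebIdentity"
ISSUER = "idp.example.com"  # constructed issuer host, not from the page

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _pinned(stmt, key):
    """Return (operator, value) pairs that constrain one condition key."""
    return [(op, v) for op, entries in stmt.get("Condition", {}).items()
            for k, values in entries.items() if k.lower() == key.lower()
            for v in _as_list(values)]

def audit_trust_policy(policy, issuer=ISSUER):
    """List weaknesses in statements that allow AssumeRoleWithWebIdentity."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or ACTION not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else [principal]
        if not federated or any(not str(p).endswith(":oidc-provider/" + issuer) for p in federated):
            findings.append(f"statement {i}: principal not limited to oidc-provider/{issuer}")
        for claim in ("aud", "sub"):
            pinned = _pinned(stmt, f"{issuer}:{claim}")
            if not pinned:
                findings.append(f"statement {i}: no condition on {issuer}:{claim}")
            elif any("Like" in op and str(v).strip("*?") == "" for op, v in pinned):
                findings.append(f"statement {i}: {claim} condition is a bare wildcard")
    return findings

def _policy(condition):
    """Build a constructed trust policy around the given Condition block."""
    stmt = {"Effect": "Allow", "Action": ACTION,
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"}}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

WEAK = _policy(None)  # any token the issuer signs can assume the role
WILDCARD = _policy({"StringEquals": {f"{ISSUER}:aud": "kong-gateway"},
                    "StringLike": {f"{ISSUER}:sub": "*"}})
HARDENED = _policy({"StringEquals": {f"{ISSUER}:aud": "kong-gateway",
                                     f"{ISSUER}:sub": "orders-client"}})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("wildcard", WILDCARD), ("hardened", HARDENED)):
        print(name, audit_trust_policy(doc) or "ok")
```

Run it against the JSON returned for the role's trust relationship before pointing ASSUME_ROLE_ARN at that role; an empty list means the audience and subject are both pinned.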
Environment variables
- ASSUME_ROLE_ARN: The ARN of the AWS IAM Role to assume before making the request to the AWS service. For example, "arn:aws:iam::123456789012:role/example-role".
- ASSUME_ROLE_NAME: The name of the AWS IAM Role to assume before making the request to the AWS service. For example, example-role.
- TARGET_HOST: An optional hostname or IP to use instead of the one specified in the AWS service’s endpoint.
- AWS_REGION: The AWS region in which the AWS service is running. For example, us-east-1.
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
  - name: aws-request-signing
    config:
      aws_assume_role_arn: ${{ env "DECK_ASSUME_ROLE_ARN" }}
      aws_assume_role_name: ${{ env "DECK_ASSUME_ROLE_NAME" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_service: lambda
      override_target_host: ${{ env "DECK_TARGET_HOST" }}
      override_target_port: 443
      override_target_protocol: https
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '
  {
    "name": "aws-request-signing",
    "config": {
      "aws_assume_role_arn": "'$ASSUME_ROLE_ARN'",
      "aws_assume_role_name": "'$ASSUME_ROLE_NAME'",
      "aws_region": "'$AWS_REGION'",
      "aws_service": "lambda",
      "override_target_host": "'$TARGET_HOST'",
      "override_target_port": 443,
      "override_target_protocol": "https"
    }
  }
  '
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: aws-request-signing
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  aws_assume_role_arn: '$ASSUME_ROLE_ARN'
  aws_assume_role_name: '$ASSUME_ROLE_NAME'
  aws_region: '$AWS_REGION'
  aws_service: lambda
  override_target_host: '$TARGET_HOST'
  override_target_port: 443
  override_target_protocol: https
plugin: aws-request-signing
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_aws_request_signing" "my_aws_request_signing" {
  enabled = true
  config = {
    aws_assume_role_arn = var.assume_role_arn
    aws_assume_role_name = var.assume_role_name
    aws_region = var.aws_region
    aws_service = "lambda"
    override_target_host = var.target_host
    override_target_port = 443
    override_target_protocol = "https"
  }
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "aws_region" {
  type = string
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
  - name: aws-request-signing
    service: serviceName|Id
    config:
      aws_assume_role_arn: ${{ env "DECK_ASSUME_ROLE_ARN" }}
      aws_assume_role_name: ${{ env "DECK_ASSUME_ROLE_NAME" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_service: lambda
      override_target_host: ${{ env "DECK_TARGET_HOST" }}
      override_target_port: 443
      override_target_protocol: https
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '
  {
    "name": "aws-request-signing",
    "config": {
      "aws_assume_role_arn": "'$ASSUME_ROLE_ARN'",
      "aws_assume_role_name": "'$ASSUME_ROLE_NAME'",
      "aws_region": "'$AWS_REGION'",
      "aws_service": "lambda",
      "override_target_host": "'$TARGET_HOST'",
      "override_target_port": 443,
      "override_target_protocol": "https"
    }
  }
  '
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: aws-request-signing
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  aws_assume_role_arn: '$ASSUME_ROLE_ARN'
  aws_assume_role_name: '$ASSUME_ROLE_NAME'
  aws_region: '$AWS_REGION'
  aws_service: lambda
  override_target_host: '$TARGET_HOST'
  override_target_port: 443
  override_target_protocol: https
plugin: aws-request-signing
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=aws-request-signing
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_aws_request_signing" "my_aws_request_signing" {
  enabled = true
  config = {
    aws_assume_role_arn = var.assume_role_arn
    aws_assume_role_name = var.assume_role_name
    aws_region = var.aws_region
    aws_service = "lambda"
    override_target_host = var.target_host
    override_target_port = 443
    override_target_protocol = "https"
  }
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "aws_region" {
  type = string
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
  - name: aws-request-signing
    route: routeName|Id
    config:
      aws_assume_role_arn: ${{ env "DECK_ASSUME_ROLE_ARN" }}
      aws_assume_role_name: ${{ env "DECK_ASSUME_ROLE_NAME" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_service: lambda
      override_target_host: ${{ env "DECK_TARGET_HOST" }}
      override_target_port: 443
      override_target_protocol: https
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '
  {
    "name": "aws-request-signing",
    "config": {
      "aws_assume_role_arn": "'$ASSUME_ROLE_ARN'",
      "aws_assume_role_name": "'$ASSUME_ROLE_NAME'",
      "aws_region": "'$AWS_REGION'",
      "aws_service": "lambda",
      "override_target_host": "'$TARGET_HOST'",
      "override_target_port": 443,
      "override_target_protocol": "https"
    }
  }
  '
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: aws-request-signing
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  aws_assume_role_arn: '$ASSUME_ROLE_ARN'
  aws_assume_role_name: '$ASSUME_ROLE_NAME'
  aws_region: '$AWS_REGION'
  aws_service: lambda
  override_target_host: '$TARGET_HOST'
  override_target_port: 443
  override_target_protocol: https
plugin: aws-request-signing
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute HTTPROUTE_NAME konghq.com/plugins=aws-request-signing
kubectl annotate -n kong ingress INGRESS_NAME konghq.com/plugins=aws-request-signing
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_aws_request_signing" "my_aws_request_signing" {
  enabled = true
  config = {
    aws_assume_role_arn = var.assume_role_arn
    aws_assume_role_name = var.assume_role_name
    aws_region = var.aws_region
    aws_service = "lambda"
    override_target_host = var.target_host
    override_target_port = 443
    override_target_protocol = "https"
  }
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "aws_region" {
  type = string
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
  - name: aws-request-signing
    consumer: consumerName|Id
    config:
      aws_assume_role_arn: ${{ env "DECK_ASSUME_ROLE_ARN" }}
      aws_assume_role_name: ${{ env "DECK_ASSUME_ROLE_NAME" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_service: lambda
      override_target_host: ${{ env "DECK_TARGET_HOST" }}
      override_target_port: 443
      override_target_protocol: https
Make sure to replace the following placeholders with your own values:
- consumerName|Id: The id or name of the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '
  {
    "name": "aws-request-signing",
    "config": {
      "aws_assume_role_arn": "'$ASSUME_ROLE_ARN'",
      "aws_assume_role_name": "'$ASSUME_ROLE_NAME'",
      "aws_region": "'$AWS_REGION'",
      "aws_service": "lambda",
      "override_target_host": "'$TARGET_HOST'",
      "override_target_port": 443,
      "override_target_protocol": "https"
    }
  }
  '
Make sure to replace the following placeholders with your own values:
- consumerName|Id: The id or name of the consumer the plugin configuration will target.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: aws-request-signing
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  aws_assume_role_arn: '$ASSUME_ROLE_ARN'
  aws_assume_role_name: '$ASSUME_ROLE_NAME'
  aws_region: '$AWS_REGION'
  aws_service: lambda
  override_target_host: '$TARGET_HOST'
  override_target_port: 443
  override_target_protocol: https
plugin: aws-request-signing
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong kongconsumer CONSUMER_NAME konghq.com/plugins=aws-request-signing
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}
provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_aws_request_signing" "my_aws_request_signing" {
  enabled = true
  config = {
    aws_assume_role_arn = var.assume_role_arn
    aws_assume_role_name = var.assume_role_name
    aws_region = var.aws_region
    aws_service = "lambda"
    override_target_host = var.target_host
    override_target_port = 443
    override_target_protocol = "https"
  }
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer = {
    id = konnect_gateway_consumer.my_consumer.id
  }
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "aws_region" {
  type = string
}