Re: [I] bug: aws-lambda plugin with IAM auth fails with URL-encoded query parameters [apisix]
kayx23 commented on issue #11097:
URL: https://github.com/apache/apisix/issues/11097#issuecomment-2064329613

Meanwhile strangely I seem to be getting `400 Bad Request` for everything... this is the URL encoded example OP mentioned:

![image](https://github.com/apache/apisix/assets/39619599/41402a4f-3892-457a-afd3-fb24cecb90f6)

Every request returned 400 and I'm quite baffled why. I also randomly changed secret key to a wrong value and lambda function endpoint. I expected to see different errors but all led to `400 Bad Request` with no further details on APISIX's log.

This is my config:

![Screenshot at Apr 18 23-31-32](https://github.com/apache/apisix/assets/39619599/db65b177-dc0d-48b7-b3c3-8d639f9b2b93)

So I suspected the error came from upstream and specifically, due to CORS; because the lambda function worked fine when I tested on the AWS Console. The CORS setting was updated to allow all origins for the function URL:

![Screenshot at Apr 18 23-43-06](https://github.com/apache/apisix/assets/39619599/231b2aac-d8bc-4b2f-9758-b0f88ab35ef7)

Unfortunately this didn't help either.

@deiwin Wondering if you have ever seen this issue before?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [I] bug: aws-lambda plugin with IAM auth fails with URL-encoded query parameters [apisix]
deiwin commented on issue #11097:
URL: https://github.com/apache/apisix/issues/11097#issuecomment-2045362638

Thanks @shreemaan-abhishek, created https://github.com/apache/apisix/issues/11137

Re: [I] bug: aws-lambda plugin with IAM auth fails with URL-encoded query parameters [apisix]
shreemaan-abhishek commented on issue #11097:
URL: https://github.com/apache/apisix/issues/11097#issuecomment-2040890019

> I'd need it to support [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), which it currently doesn't.

If this is a separate feature, please create an issue describing this feature request, then we can move forward with whether or not we should have it. After that we can return to this issue. WDYT?

Re: [I] bug: aws-lambda plugin with IAM auth fails with URL-encoded query parameters [apisix]
deiwin commented on issue #11097:
URL: https://github.com/apache/apisix/issues/11097#issuecomment-2035736853

Okay, maybe that wasn't a great library to suggest, as it's in JS and whatnot. But would the addition of https://github.com/Kong/lua-resty-aws be acceptable? This could be used for getting the credentials (defaulting to env variables, EKS pod identity, EC2 identity, etc) and the existing code could be kept for the signing logic.

Re: [I] bug: aws-lambda plugin with IAM auth fails with URL-encoded query parameters [apisix]
deiwin commented on issue #11097:
URL: https://github.com/apache/apisix/issues/11097#issuecomment-2024665462

Thanks! @shreemaan-abhishek, do you know if a PR would be accepted if it also introduced the usage of the [nginxinc/nginx-aws-signature](https://github.com/nginxinc/nginx-aws-signature) library? I'm asking because for me to be able to actually use the `aws-lambda` plugin I'd need it to support [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), which it currently doesn't.

Re: [I] bug: aws-lambda plugin with IAM auth fails with URL-encoded query parameters [apisix]
shreemaan-abhishek commented on issue #11097:
URL: https://github.com/apache/apisix/issues/11097#issuecomment-2024385718

welcome to raise a PR to fix this!

[I] bug: aws-lambda plugin with IAM auth fails with URL-encoded query parameters [apisix]
deiwin opened a new issue, #11097:
URL: https://github.com/apache/apisix/issues/11097

### Current Behavior

When using the `aws-lambda` plugin with IAM auth, then any request that includes URL-encoded query parameters will fail with the following error returned from AWS:

```
HTTP/2 403
..
x-amzn-errortype: InvalidSignatureException
..
{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}
```

I believe this happens because:

- [`get_uri_args` unescapes query parameters](https://github.com/openresty/lua-nginx-module#ngxreqget_uri_args)
- The `aws-lambda` plugin [uses `get_uri_args`](https://github.com/apache/apisix/blob/538b9480fd1d0fc41d627936279fcf28cb5802d7/apisix/plugins/serverless/generic-upstream.lua#L62), which unescapes the parameters but then [also unescapes them itself](https://github.com/apache/apisix/blob/538b9480fd1d0fc41d627936279fcf28cb5802d7/apisix/plugins/aws-lambda.lua#L128), causing the args to be unescaped twice.
- Per [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html#create-canonical-request) the "canonical query parameters" used for the signature should be escaped, but they are double-unescaped instead.

### Expected Behavior

_No response_

### Error Logs

_No response_

### Steps to Reproduce

Create a route including the `aws-lambda` plugin:

```yaml
function_uri:
authorization:
  iam:
    accesskey:
    secretkey:
    aws_region:
    service:
```

Then send a request to the route, including a query parameter such as `?param=with%20spaces`, for example.

### Environment

- APISIX version (run `apisix version`): 3.7.0 (but the issue is also on master)
- Operating system (run `uname -a`): Debian (from `apache/apisix:3.7.0-debian` Docker image)
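
The signature mismatch described in this issue can be reproduced offline. The Python sketch below is an added example, not code from APISIX or from the issue author: `unquote_plus` is an assumed stand-in for the nginx unescaping functions, all function names are hypothetical, and the HMAC over the query string alone is a simplification of the full SigV4 signature.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote_plus

# Assumption: unquote_plus stands in for nginx's query-argument unescaping.

def parse_once(raw_query):
    """Split a raw query string and percent-decode each name/value once."""
    pairs = []
    for part in raw_query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def canonical_query(pairs):
    """SigV4 canonical query: URI-encode names and values (only
    A-Z a-z 0-9 - _ . ~ stay literal), sort, then join."""
    enc = sorted((quote(n, safe="-_.~"), quote(v, safe="-_.~")) for n, v in pairs)
    return "&".join(f"{n}={v}" for n, v in enc)

def double_unescaped_query(pairs):
    """Behaviour reported in the issue: decoded args are decoded a second
    time and used for signing without being re-encoded."""
    dec = sorted((unquote_plus(n), unquote_plus(v)) for n, v in pairs)
    return "&".join(f"{n}={v}" for n, v in dec)

def digest(key, canonical):
    # Simplified: real SigV4 signs the whole canonical request, not just this.
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

def signatures_agree(raw_query, key=b"constructed-test-key"):
    """True when both sides would derive the same digest for raw_query."""
    pairs = parse_once(raw_query)
    return digest(key, canonical_query(pairs)) == digest(key, double_unescaped_query(pairs))

if __name__ == "__main__":
    # Constructed sample queries, not taken from a real request log.
    for raw in ("param=plain", "param=with%20spaces", "q=a%2520b"):
        pairs = parse_once(raw)
        print(f"{raw!r}: expected {canonical_query(pairs)!r}, "
              f"double-unescaped {double_unescaped_query(pairs)!r}, "
              f"match={signatures_agree(raw)}")
```

Any query whose names or values contain characters outside the unreserved set fails the check, which makes such inputs useful regression cases for a fix.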