feat(aws-lambda) Lambda authentication via EC2 IAM roles

[Mgutjahr]

Summary

Adds support for querying temporary credentials from EC2 metadata service instead of fetching long-lived key-pairs from the database.

The credentials are fetched from the EC2 metadata service and are cached for 60 seconds. I assume that many users are running kong on EC2 instances. For these users this is the recommended way to authenticate requests for AWS services as key-rotation and credential provisioning are managed by AWS.

For further details refer to the AWS documentation about EC2 roles

Full changelog

• Added kong.plugins.aws-lambda.iam-role-credentials for fetching and caching temporary credentials from the metadata service (default 169.254.169.254 port 80)
• Added plugins config flag use_ec2_iam_role to kong.plugins.aws-lambda.schema and declared aws_key and aws_secret as optional
• Added self_check function to check whether either use_ec2_iam_role is set to true or both aws_key and aws_secret as configured
• Added if branch in kong.plugins.aws-lambda.handler to either fetch credentials from the metadata service or use credentials stored in database

[p0pr0ck5]

Thank you @Mgutjahr for the PR! Overall I think this will be a very useful addition. A handful of mostly minor style/nitpick comments attached. Additionally, we would like to see tests, both for the schema change, and an integration test for the plugin behavior change as well. Admittedly mocking out something for this will be challenging; perhaps draw on something like #2287 for past discussions of how we've handled tests for this plugin.

[p0pr0ck5]

prefer to use the dot notation to access table members in this case (e.g. plugin_t.use_ec2_iam_role)

[p0pr0ck5]

very minor style nitpick, prefer to use double quotes instead of single quotes.

[p0pr0ck5]

this could probably be a constant instead of a function

[p0pr0ck5]

would like to see the fetch_iam_credentials_from_metadata_service call explicitly defining params, instead of relying on the defaults defined in the function itself. this would likely make testing easier.

[p0pr0ck5]

style: prefer to use dot notation to access these field members

[p0pr0ck5]

minor style: spacing seems off here, please use two spaces to indent.

[p0pr0ck5]

minor style comment: please align assignment operators here

[p0pr0ck5]

style: please align assignment operators here

[p0pr0ck5]

style: can we try to adjust line breaks and such so as to avoid the line being much longer than 80 chars

[p0pr0ck5]

this also seems like it should be a debug level log entry

[Mgutjahr]

Hi @p0pr0ck5,
thanks for the detailed feedback and for pointing out references to possible solutions!

I addressed most of your recommendations and fixed the mentioned style issues. On the testing side I added a tests for the schema extension. In addition, I added an integration test which loads credentials from a mocked-out metadata service (using the same approach aws-lambda uses)

I decided not to add support for configuring the role the plugin should load as one EC2 instance can only have role configured at a time. This can be found from the AWS documentation:

An instance profile can contain only one IAM role. This limit cannot be increased.

This is also how almost all of the available AWS SDK's decided to implement support for instance roles.

Sorry again for the style issues and the missing tests.

[p0pr0ck5]

@Mgutjahr thanks for the refactors! a lot of these comments are ticky-tack style notes, just good to be consistent, certainly not a huge problem. we appreciate your feedback! at the moment we are in a merge freeze on master as the release of 0.11 stable is closing in (i believe @thibaultcha should have details on that), but barring that i think this is close to being merged. thanks again for the contribution!

[p0pr0ck5]

i believe this second condition is redundant, if not should handle both nil and false

[p0pr0ck5]

A note here, this will require refactoring for the upcoming Kong 0.11, as the cache mechanism has changed and this function call is no longer valid. We should probably have PRs for 0.10.x and 0.11 and merge them simultaneously, with the latter being generated from rebasing this commit in its final form onto next and adjusting as needed. this might need coordination/communication with @thibaultcha prior to releasing a stable 0.11?

[p0pr0ck5]

minor style point: need a space between " and ..

[p0pr0ck5]

minor style point: prefer double quotes " to single quote '

[p0pr0ck5]

minor style point: prefer double quotes " to single quote ' for the entries (generally we prefer double quotes everywhere)

[p0pr0ck5]

style: spacing around assignment operator

[p0pr0ck5]

a few minor style comments:

• align assignment operators
• append a trailing comma to the end of array elements to minimize future diffs

[p0pr0ck5]

here (and a few other places) we can use variadic arguments instead of string concatenation to build the message

[p0pr0ck5]

style: trailing comma here for consistency

[p0pr0ck5]

minor style: i think we're one space too far indented here?

[Mgutjahr]

Hi @p0pr0ck5,
I fixed the requested style issues. Hope it looks better now. Good call on the testing front, we should definitely add a test for a non-existing metadata service as this could be a possible error scenario.

On creating the test I realised that the metadata service call had no connection timeout configured, as this could eat up resources I added a 500ms timeout for the metadata service calls (this should be sufficient as the metadata service runs locally on EC2 instances. Requests usually take ~1ms).

[thibaultcha]

It's dangerous to make such assumptions considering Kong might be running in a variety of infrastructures with different limitations or requirements out there. Such timeout variables should ideally be made configurable.

[p0pr0ck5]

Not quite sure about the validity of this comment, given the very narrow infrastructure scope of the context at play here. Adding a tunable for this seems like unnecessary cognitive load.

[thibaultcha]

Our "mantra" of being opinionated (in order to not oversight any potential use-case or to be compatible with as many infrastructures as possible), hints that we should provide customizable timeouts. In fact there shouldn't be a single timeout (to the best of my knowledge) that isn't configurable in Kong already, including this module itself.

[p0pr0ck5]

I think the idea here is that inter-infrastructure compatibility is meaningless here. Is it worth sticking to a hard-line mantra in such a case? IMO it's not, but this isn't a hill for me to die on, just chiming in that this is a very specific use case :)

[Mgutjahr]

I get your concerns, I tried to omit any unnecessary config properties to keep the plugin configuration relatively clean. Especially as the timeout would be another semi-optional config property (only applies if role based authentication is used). From my experience (using native AWS sdks on a variety of platforms) this is a property you would never need to touch. But maybe there are cases where you have too.

I checked other "official" SDK's from Amazon. Most set a default timeout which cannot be changed.

• python cli --> 1 second
• python boto --> 1 second (can be configured)
• java sdk --> 2 seconds

The timeouts from these SDK's are higher than the one set by me, but most of timeouts mentioned above apply for all services offered by the metadata service (and not just the credentials service).

I'd suggest that I increase the timeout to 5 seconds by default and expose it as a parameter to get_iam_credentials_from_instance_profile(). - This way we can tweak it for the test and exposing it to the plugins config afterwards would be trivial if needed.

If you want me to add it to the config I can do this of course too. Just let me know what you'd prefer.

[thibaultcha]

(Some weird indentation here again)

[thibaultcha]

Our policy is that no plugin config already in the database should be left in a previous version of the plugin's schema. This is because we want to avoid complicated code paths handling different versions of the same plugin's schema in the plugin business logic itself. This is a policy that has unfortunately not always been followed, and such oversight lead us to a few bugs/overhead maintenance issues recently.

So: new schema value, new migration for Cassandra/PostgreSQL :)

[Mgutjahr]

Hi @thibaultcha,
are you referring to the use_ec2_iam_role config property introduced in this PR? - The aws_secret and aws_key were changed to semi-optional, so whatever config was in the database is still correct after the PR (it will continue to use secrets & keys from the db config if use_ec2_iam_role is not set / set to false). In other words, as long as use_ec2_iam_role is not set to true the old schema is still enforced.

Do you mean I should configure use_ec2_iam_role to a required property and set it to false by default through a migration script? I'm unsure of the benefits of this. Wouldn't it be better to remove the default=false flag here?

[thibaultcha]

Hmm indeed... I do agree with that reasoning. We kind of set this "unsaid" policy of enforcing migrations when introducing new values, but optional values would not benefit from it in any way, because they might be nil per definition already.

Alright then, this sounds good! Sorry for the noise!

[p0pr0ck5]

@Mgutjahr can you rebase this commit to fix the conflict with the rockspec? After that I think we're good to go here.

update

[Mgutjahr]

Hi @p0pr0ck5 & @thibaultcha ,
sorry for my late reply. I rebased the branch to the current master branch. Note that I had to move the caching of IAM credentials to the handler due to the change of the caching in 0.11.

[Mgutjahr]

Hi @thibaultcha, do you have any updates/comments on this PR?

[p0pr0ck5]

@Mgutjahr sorry for the delay on our end. Apologies, since we've had another release since the last change, can we update the rockspec here? I'd like to see this merged into 0.12. @thibaultcha thoughts?

[fyntic]

Hello @p0pr0ck5 , @thibaultcha and @Mgutjahr .

Sorry for disturb you, guys, but we really need this feature available in Kong for AWS.
When do you think it might be merged and released?

Thanks in advance.

[aloisbarreras]

Is all that needs to happen just rebasing the rockspec? I'm happy to do that real fast if that will help this get merged in.

[vvondra]

is it ok if i re-open this fixed?

[farazs]

@thibaultcha is all that's left for this to update the rockspec and resolve the handler.lua conflict? seems something trivial and we can merge this.

@Mgutjahr would you be able to do that or someone else can fork this and make the necessary updates. would be really nice to get this merged since it's so close and quite useful.

[Mgutjahr]

@farazs I can try to rebase it this weekend. I want to test it at least once also on an actual EC2 on AWS with the current version of kong which is why it is a bit more work than just rebasing it.

[tarciosaraiva]

Any chance of this getting reviewed soon?

[Mgutjahr]

Hey, I rebased the PR again to the current master branch. The branch could be merged if you want to. There are just two things I'd like to point out:

• The IAM role authentication currently only works if kong is running on an EC2 instance. It would not work if Kong is running on ECS, Fargate or EKS. We can add support for ECS and Fargate but I would not do this in the same PR. Inspiration on how to do this can be found in the various official AWS SDK's out there (e.g. Java or Node ) .. there is unfortunately no real documentation out there from Amazon (at least I could not find it)
• This PR is also covered in PR Iam roles with proxy #3639. I'm ok if you close this PR and continue on Iam roles with proxy #3639, the PR mentioned has however additional features & functionality we might want to discuss in more detail. Especially proxying of the metadata service could be a bit risky from a security perspective (as you get IAM credentials through this service and proxying could increase the attack surface for a man in the middle attack)

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Manuel Gutjahr seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}