zuplo 6.72.3 → 6.72.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/docs/analytics/access-and-entitlements.md +27 -34
- package/docs/analytics/overview.md +7 -6
- package/docs/analytics/reference/url-parameters.md +2 -10
- package/docs/analytics/shared-controls.md +3 -10
- package/docs/analytics/tabs/agents.md +3 -3
- package/docs/analytics/tabs/requests.md +2 -4
- package/docs/articles/connect-to-aws-alb-with-mtls.mdx +89 -13
- package/docs/articles/graphql-security.mdx +2 -1
- package/docs/articles/graphql.mdx +8 -0
- package/docs/articles/opentelemetry.mdx +7 -5
- package/docs/articles/securing-backend-mtls.mdx +92 -3
- package/docs/articles/troubleshooting-slow-responses.mdx +4 -3
- package/docs/articles/troubleshooting.md +3 -1
- package/docs/policies/_index.md +2 -0
- package/docs/policies/clerk-jwt-auth-inbound/schema.json +3 -3
- package/docs/policies/mcp-auth0-oauth-inbound/schema.json +8 -5
- package/docs/policies/mcp-clerk-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-cognito-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-entra-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-google-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-keycloak-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-logto-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-oauth-inbound/schema.json +8 -5
- package/docs/policies/mcp-okta-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-onelogin-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-ping-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-token-exchange-inbound/doc.md +72 -4
- package/docs/policies/mcp-token-exchange-inbound/intro.md +5 -4
- package/docs/policies/mcp-token-exchange-inbound/schema.json +277 -2
- package/docs/policies/mcp-workos-oauth-inbound/schema.json +78 -0
- package/docs/policies/open-id-jwt-auth-inbound/schema.json +3 -3
- package/docs/policies/propel-auth-jwt-inbound/schema.json +3 -3
- package/docs/policies/upstream-aws-federated-auth-inbound/doc.md +78 -0
- package/docs/policies/upstream-aws-federated-auth-inbound/intro.md +20 -0
- package/docs/policies/upstream-aws-federated-auth-inbound/schema.json +98 -0
- package/docs/policies/upstream-aws-service-auth-inbound/doc.md +89 -0
- package/docs/policies/upstream-aws-service-auth-inbound/intro.md +19 -0
- package/docs/policies/upstream-aws-service-auth-inbound/schema.json +113 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/schema.json +4 -4
- package/docs/policies/upstream-gcp-federated-auth-inbound/doc.md +2 -2
- package/docs/policies/upstream-gcp-federated-auth-inbound/schema.json +4 -4
- package/docs/policies/upstream-gcp-service-auth-inbound/doc.md +3 -3
- package/docs/policies/upstream-gcp-service-auth-inbound/schema.json +3 -3
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/schema.json +19 -0
- package/package.json +4 -4
|
@@ -54,7 +54,7 @@
|
|
|
54
54
|
"jwkUrl": {
|
|
55
55
|
"type": "string",
|
|
56
56
|
"examples": [
|
|
57
|
-
"https://
|
|
57
|
+
"https://my-tenant.us.auth0.com/.well-known/jwks.json"
|
|
58
58
|
],
|
|
59
59
|
"description": "the url of the JSON Web Key Set (JWKS) - this is used to validate the JWT token signature (either this or `secret` must be set)."
|
|
60
60
|
},
|
|
@@ -90,7 +90,7 @@
|
|
|
90
90
|
{
|
|
91
91
|
"issuer": "$env(AUTH_ISSUER)",
|
|
92
92
|
"audience": "$env(AUTH_AUDIENCE)",
|
|
93
|
-
"jwkUrl": "https://
|
|
93
|
+
"jwkUrl": "https://my-tenant.us.auth0.com/.well-known/jwks.json"
|
|
94
94
|
},
|
|
95
95
|
{
|
|
96
96
|
"issuer": "$env(AUTH_ISSUER)",
|
|
@@ -107,7 +107,7 @@
|
|
|
107
107
|
"options": {
|
|
108
108
|
"issuer": "$env(AUTH_ISSUER)",
|
|
109
109
|
"audience": "$env(AUTH_AUDIENCE)",
|
|
110
|
-
"jwkUrl": "https://
|
|
110
|
+
"jwkUrl": "https://my-tenant.us.auth0.com/.well-known/jwks.json"
|
|
111
111
|
}
|
|
112
112
|
},
|
|
113
113
|
{
|
|
@@ -42,8 +42,8 @@
|
|
|
42
42
|
},
|
|
43
43
|
"authUrl": {
|
|
44
44
|
"type": "string",
|
|
45
|
-
"examples": ["https://
|
|
46
|
-
"description": "Your PropelAuth authUrl. For example, `https://
|
|
45
|
+
"examples": ["https://12345678.propelauthtest.com"],
|
|
46
|
+
"description": "Your PropelAuth authUrl. For example, `https://12345678.propelauthtest.com`."
|
|
47
47
|
},
|
|
48
48
|
"verifierKey": {
|
|
49
49
|
"type": "string",
|
|
@@ -64,7 +64,7 @@
|
|
|
64
64
|
"module": "$import(@zuplo/runtime)",
|
|
65
65
|
"options": {
|
|
66
66
|
"allowUnauthenticatedRequests": false,
|
|
67
|
-
"authUrl": "https://
|
|
67
|
+
"authUrl": "https://12345678.propelauthtest.com",
|
|
68
68
|
"oAuthResourceMetadataEnabled": false,
|
|
69
69
|
"verifierKey": "$env(PROPEL_VERIFIER_KEY)"
|
|
70
70
|
}
|
|
@@ -0,0 +1,78 @@
|
|
|
1
|
+
## Overview
|
|
2
|
+
|
|
3
|
+
The Upstream AWS Federated Auth policy obtains AWS credentials **without storing
|
|
4
|
+
any AWS keys**. It exchanges Zuplo's ambient OIDC identity token for an IAM
|
|
5
|
+
role's short-lived temporary credentials using STS
|
|
6
|
+
`AssumeRoleWithWebIdentity`, then registers those credentials on the request
|
|
7
|
+
context.
|
|
8
|
+
|
|
9
|
+
Like the `upstream-aws-service-auth` policy, it does **not** add an
|
|
10
|
+
`Authorization` header itself — AWS Signature Version 4 signs the exact final
|
|
11
|
+
request, which is only known inside the handler. The AWS Lambda handler and your
|
|
12
|
+
own code read the resolved credentials and sign the requests they build.
|
|
13
|
+
|
|
14
|
+
## AWS setup
|
|
15
|
+
|
|
16
|
+
1. Create an **IAM OIDC identity provider** that trusts the Zuplo issuer. Set
|
|
17
|
+
the audience (client ID) to the value you use for the `audience` option
|
|
18
|
+
(default `sts.amazonaws.com`).
|
|
19
|
+
2. Create an **IAM role** whose trust policy allows
|
|
20
|
+
`sts:AssumeRoleWithWebIdentity` for that provider, with a condition on the
|
|
21
|
+
token's audience.
|
|
22
|
+
3. Grant the role only the permissions the gateway needs (for example
|
|
23
|
+
`execute-api:Invoke` or `lambda:InvokeFunction`).
|
|
24
|
+
|
|
25
|
+
## Using the credentials
|
|
26
|
+
|
|
27
|
+
### With the AWS Lambda handler
|
|
28
|
+
|
|
29
|
+
```json
|
|
30
|
+
{
|
|
31
|
+
"paths": {
|
|
32
|
+
"/lambda/{path}*": {
|
|
33
|
+
"x-zuplo-route": {
|
|
34
|
+
"handler": {
|
|
35
|
+
"export": "awsLambdaHandler",
|
|
36
|
+
"module": "$import(@zuplo/runtime)",
|
|
37
|
+
"options": { "region": "us-east-1", "functionName": "my-function" }
|
|
38
|
+
},
|
|
39
|
+
"policies": { "inbound": ["upstream-aws-federated-auth"] }
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
### With custom code
|
|
47
|
+
|
|
48
|
+
```typescript
|
|
49
|
+
import { AwsClient } from "@zuplo/runtime/aws";
|
|
50
|
+
import { ZuploContext, ZuploRequest } from "@zuplo/runtime";
|
|
51
|
+
|
|
52
|
+
export default async function (request: ZuploRequest, context: ZuploContext) {
|
|
53
|
+
const aws = AwsClient.fromContext(context, {
|
|
54
|
+
service: "execute-api",
|
|
55
|
+
region: "us-east-1",
|
|
56
|
+
});
|
|
57
|
+
return aws.fetch(
|
|
58
|
+
"https://abc123.execute-api.us-east-1.amazonaws.com/prod/orders"
|
|
59
|
+
);
|
|
60
|
+
}
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
## Configuration
|
|
64
|
+
|
|
65
|
+
```json
|
|
66
|
+
{
|
|
67
|
+
"name": "upstream-aws-federated-auth",
|
|
68
|
+
"policyType": "upstream-aws-federated-auth",
|
|
69
|
+
"handler": {
|
|
70
|
+
"export": "UpstreamAwsFederatedAuthInboundPolicy",
|
|
71
|
+
"module": "$import(@zuplo/runtime)",
|
|
72
|
+
"options": {
|
|
73
|
+
"roleArn": "arn:aws:iam::123456789012:role/zuplo-gateway",
|
|
74
|
+
"region": "us-east-1"
|
|
75
|
+
}
|
|
76
|
+
}
|
|
77
|
+
}
|
|
78
|
+
```
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
Authenticate to AWS upstreams with **no stored AWS keys** using Workload
|
|
2
|
+
Identity Federation. This policy exchanges Zuplo's ambient OIDC identity for an
|
|
3
|
+
IAM role's short-lived temporary credentials via STS AssumeRoleWithWebIdentity,
|
|
4
|
+
and makes them available to the AWS Lambda handler and to custom code, which
|
|
5
|
+
sign upstream requests with AWS Signature Version 4.
|
|
6
|
+
|
|
7
|
+
With this policy, you'll benefit from:
|
|
8
|
+
|
|
9
|
+
- **No Long-Lived Secrets**: No AWS access keys are stored anywhere — the
|
|
10
|
+
gateway proves its identity with a short-lived, audience-bound OIDC token
|
|
11
|
+
- **Least Privilege**: Assume a specific IAM role whose trust policy trusts only
|
|
12
|
+
the Zuplo OIDC identity provider
|
|
13
|
+
- **Automatic Token Management**: Temporary credentials are cached in memory and
|
|
14
|
+
refreshed before they expire
|
|
15
|
+
- **Reusable Credentials**: Resolve credentials once and use them from the AWS
|
|
16
|
+
Lambda handler or your own code via `AwsClient.fromContext(context)`
|
|
17
|
+
|
|
18
|
+
To set this up you configure an IAM OIDC identity provider that trusts Zuplo's
|
|
19
|
+
issuer, and an IAM role whose trust policy permits AssumeRoleWithWebIdentity for
|
|
20
|
+
that provider.
|
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft-07/schema",
|
|
3
|
+
"$id": "https://cdn.zuplo.com/policies/runtime/schemas/upstream-aws-federated-auth-inbound.json",
|
|
4
|
+
"type": "object",
|
|
5
|
+
"title": "Upstream AWS Federated Auth",
|
|
6
|
+
"isDeprecated": false,
|
|
7
|
+
"isPaidAddOn": false,
|
|
8
|
+
"isEnterprise": true,
|
|
9
|
+
"isInternal": false,
|
|
10
|
+
"isBeta": true,
|
|
11
|
+
"isHidden": false,
|
|
12
|
+
"requiresAI": false,
|
|
13
|
+
"products": ["api-gateway"],
|
|
14
|
+
"description": "Resolves AWS credentials with STS AssumeRoleWithWebIdentity using Zuplo's ambient OIDC identity — no AWS keys are stored anywhere. The role's trust policy must trust the Zuplo OIDC identity provider. Resolved credentials are registered on the request context for the AWS Lambda handler and custom code to sign upstream requests with `AwsClient.fromContext`. This policy does not itself sign or forward the request.",
|
|
15
|
+
"deprecatedMessage": "",
|
|
16
|
+
"required": ["handler"],
|
|
17
|
+
"properties": {
|
|
18
|
+
"handler": {
|
|
19
|
+
"type": "object",
|
|
20
|
+
"default": {},
|
|
21
|
+
"required": ["export", "module", "options"],
|
|
22
|
+
"properties": {
|
|
23
|
+
"export": {
|
|
24
|
+
"const": "UpstreamAwsFederatedAuthInboundPolicy",
|
|
25
|
+
"description": "The name of the exported type"
|
|
26
|
+
},
|
|
27
|
+
"module": {
|
|
28
|
+
"const": "$import(@zuplo/runtime)",
|
|
29
|
+
"description": "The module containing the policy"
|
|
30
|
+
},
|
|
31
|
+
"options": {
|
|
32
|
+
"title": "UpstreamAwsFederatedAuthInboundPolicyOptions",
|
|
33
|
+
"type": "object",
|
|
34
|
+
"description": "The options for this policy.",
|
|
35
|
+
"additionalProperties": false,
|
|
36
|
+
"required": ["roleArn", "region"],
|
|
37
|
+
"properties": {
|
|
38
|
+
"roleArn": {
|
|
39
|
+
"type": "string",
|
|
40
|
+
"examples": ["arn:aws:iam::123456789012:role/zuplo-gateway"],
|
|
41
|
+
"description": "The IAM role to assume with STS AssumeRoleWithWebIdentity. The role's trust policy must trust the Zuplo OIDC identity provider."
|
|
42
|
+
},
|
|
43
|
+
"region": {
|
|
44
|
+
"type": "string",
|
|
45
|
+
"examples": ["us-east-1"],
|
|
46
|
+
"description": "The AWS region used for the STS endpoint and as the default signing region for consumers of the resolved credentials."
|
|
47
|
+
},
|
|
48
|
+
"audience": {
|
|
49
|
+
"type": "string",
|
|
50
|
+
"default": "sts.amazonaws.com",
|
|
51
|
+
"x-show-example": false,
|
|
52
|
+
"description": "The audience ('aud' claim) of the Zuplo-issued OIDC token. Must match a client ID configured on the IAM OIDC identity provider."
|
|
53
|
+
},
|
|
54
|
+
"roleSessionName": {
|
|
55
|
+
"type": "string",
|
|
56
|
+
"default": "zuplo-gateway",
|
|
57
|
+
"x-show-example": false,
|
|
58
|
+
"description": "The STS role session name recorded in AWS CloudTrail. Must match the pattern \\[\\\\w+=,.@-\\]{2,64}."
|
|
59
|
+
},
|
|
60
|
+
"durationSeconds": {
|
|
61
|
+
"type": "number",
|
|
62
|
+
"default": 3600,
|
|
63
|
+
"x-show-example": false,
|
|
64
|
+
"description": "The lifetime in seconds of the temporary credentials requested from STS (900-43200). The assumed role's maximum session duration may further limit this value."
|
|
65
|
+
},
|
|
66
|
+
"stsEndpoint": {
|
|
67
|
+
"type": "string",
|
|
68
|
+
"x-show-example": false,
|
|
69
|
+
"description": "Overrides the STS endpoint URL. Only needed for non-standard partitions such as AWS GovCloud or AWS China."
|
|
70
|
+
},
|
|
71
|
+
"tokenRetries": {
|
|
72
|
+
"type": "number",
|
|
73
|
+
"default": 3,
|
|
74
|
+
"x-show-example": false,
|
|
75
|
+
"description": "The number of times to retry fetching temporary credentials in the event of a failure."
|
|
76
|
+
},
|
|
77
|
+
"expirationOffsetSeconds": {
|
|
78
|
+
"type": "number",
|
|
79
|
+
"default": 300,
|
|
80
|
+
"x-show-example": false,
|
|
81
|
+
"description": "The number of seconds before credential expiration at which cached credentials are discarded and refreshed."
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
}
|
|
85
|
+
},
|
|
86
|
+
"examples": [
|
|
87
|
+
{
|
|
88
|
+
"export": "UpstreamAwsFederatedAuthInboundPolicy",
|
|
89
|
+
"module": "$import(@zuplo/runtime)",
|
|
90
|
+
"options": {
|
|
91
|
+
"region": "us-east-1",
|
|
92
|
+
"roleArn": "arn:aws:iam::123456789012:role/zuplo-gateway"
|
|
93
|
+
}
|
|
94
|
+
}
|
|
95
|
+
]
|
|
96
|
+
}
|
|
97
|
+
}
|
|
98
|
+
}
|
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
## Overview
|
|
2
|
+
|
|
3
|
+
The Upstream AWS Service Auth policy resolves AWS credentials and registers them
|
|
4
|
+
on the request context. Unlike the other upstream auth policies, it does **not**
|
|
5
|
+
add an `Authorization` header itself — AWS Signature Version 4 signs the exact
|
|
6
|
+
final request (method, host, path, query and body hash), which is only known
|
|
7
|
+
inside the handler. Instead, the AWS Lambda handler and your own code read the
|
|
8
|
+
resolved credentials and sign the requests they build.
|
|
9
|
+
|
|
10
|
+
There are two modes:
|
|
11
|
+
|
|
12
|
+
- **Static credentials** — the configured `accessKeyId` / `secretAccessKey`
|
|
13
|
+
(and optional `sessionToken`) are used directly.
|
|
14
|
+
- **Assumed role** — when `roleArn` is set, the policy calls STS `AssumeRole`
|
|
15
|
+
(signed with the configured keys) and uses the role's short-lived temporary
|
|
16
|
+
credentials. These are cached in memory and refreshed before they expire.
|
|
17
|
+
|
|
18
|
+
## Using the credentials
|
|
19
|
+
|
|
20
|
+
### With the AWS Lambda handler
|
|
21
|
+
|
|
22
|
+
Attach this policy to a route whose handler is `awsLambdaHandler`, and omit the
|
|
23
|
+
handler's own `accessKeyId` / `secretAccessKey`. The handler will use the
|
|
24
|
+
credentials resolved by the policy.
|
|
25
|
+
|
|
26
|
+
```json
|
|
27
|
+
{
|
|
28
|
+
"paths": {
|
|
29
|
+
"/lambda/{path}*": {
|
|
30
|
+
"x-zuplo-route": {
|
|
31
|
+
"handler": {
|
|
32
|
+
"export": "awsLambdaHandler",
|
|
33
|
+
"module": "$import(@zuplo/runtime)",
|
|
34
|
+
"options": {
|
|
35
|
+
"region": "us-east-1",
|
|
36
|
+
"functionName": "my-function"
|
|
37
|
+
}
|
|
38
|
+
},
|
|
39
|
+
"policies": { "inbound": ["upstream-aws-service-auth"] }
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
### With custom code (for example, API Gateway with IAM auth, or S3)
|
|
47
|
+
|
|
48
|
+
Attach the policy, then sign outbound requests with `AwsClient.fromContext`:
|
|
49
|
+
|
|
50
|
+
```typescript
|
|
51
|
+
import { AwsClient } from "@zuplo/runtime/aws";
|
|
52
|
+
import { ZuploContext, ZuploRequest } from "@zuplo/runtime";
|
|
53
|
+
|
|
54
|
+
export default async function (request: ZuploRequest, context: ZuploContext) {
|
|
55
|
+
const aws = AwsClient.fromContext(context, {
|
|
56
|
+
service: "execute-api",
|
|
57
|
+
region: "us-east-1",
|
|
58
|
+
});
|
|
59
|
+
return aws.fetch(
|
|
60
|
+
"https://abc123.execute-api.us-east-1.amazonaws.com/prod/orders"
|
|
61
|
+
);
|
|
62
|
+
}
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
If a route does not attach the policy, you can run it on demand from custom code
|
|
66
|
+
with `await context.invokeInboundPolicy("upstream-aws-service-auth", request)`
|
|
67
|
+
before calling `AwsClient.fromContext`.
|
|
68
|
+
|
|
69
|
+
## Configuration
|
|
70
|
+
|
|
71
|
+
```json
|
|
72
|
+
{
|
|
73
|
+
"name": "upstream-aws-service-auth",
|
|
74
|
+
"policyType": "upstream-aws-service-auth",
|
|
75
|
+
"handler": {
|
|
76
|
+
"export": "UpstreamAwsServiceAuthInboundPolicy",
|
|
77
|
+
"module": "$import(@zuplo/runtime)",
|
|
78
|
+
"options": {
|
|
79
|
+
"accessKeyId": "$env(AWS_ACCESS_KEY_ID)",
|
|
80
|
+
"secretAccessKey": "$env(AWS_SECRET_ACCESS_KEY)",
|
|
81
|
+
"region": "us-east-1",
|
|
82
|
+
"roleArn": "arn:aws:iam::123456789012:role/my-gateway-role"
|
|
83
|
+
}
|
|
84
|
+
}
|
|
85
|
+
}
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
Store `accessKeyId` and `secretAccessKey` in environment variables using
|
|
89
|
+
`$env(...)` — never commit them to source.
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
Authenticate to AWS upstreams using an IAM access key pair, optionally exchanged
|
|
2
|
+
for an IAM role's temporary credentials via STS AssumeRole. This policy resolves
|
|
3
|
+
AWS credentials and makes them available to the AWS Lambda handler and to custom
|
|
4
|
+
code, which sign upstream requests with AWS Signature Version 4.
|
|
5
|
+
|
|
6
|
+
With this policy, you'll benefit from:
|
|
7
|
+
|
|
8
|
+
- **Reusable Credentials**: Resolve AWS credentials once and use them from the
|
|
9
|
+
AWS Lambda handler or your own code via `AwsClient.fromContext(context)`
|
|
10
|
+
- **Role Assumption**: Optionally assume an IAM role (STS AssumeRole) to obtain
|
|
11
|
+
short-lived, least-privilege temporary credentials
|
|
12
|
+
- **Automatic Token Management**: Temporary credentials are cached in memory and
|
|
13
|
+
refreshed before they expire
|
|
14
|
+
- **Credential Security**: Store access keys securely in your Zuplo environment
|
|
15
|
+
and keep them out of source control
|
|
16
|
+
|
|
17
|
+
To avoid storing any long-lived AWS keys at all, use the
|
|
18
|
+
`upstream-aws-federated-auth` policy instead, which uses Workload Identity
|
|
19
|
+
Federation.
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft-07/schema",
|
|
3
|
+
"$id": "https://cdn.zuplo.com/policies/runtime/schemas/upstream-aws-service-auth-inbound.json",
|
|
4
|
+
"type": "object",
|
|
5
|
+
"title": "Upstream AWS Service Auth",
|
|
6
|
+
"isDeprecated": false,
|
|
7
|
+
"isPaidAddOn": false,
|
|
8
|
+
"isEnterprise": true,
|
|
9
|
+
"isInternal": false,
|
|
10
|
+
"isBeta": true,
|
|
11
|
+
"isHidden": false,
|
|
12
|
+
"requiresAI": false,
|
|
13
|
+
"products": ["api-gateway"],
|
|
14
|
+
"description": "Resolves AWS credentials from static access keys (optionally exchanged for an IAM role's temporary credentials via STS AssumeRole) and registers them on the request context. The AWS Lambda handler and custom code read them with `AwsClient.fromContext` to sign upstream requests. This policy does not itself sign or forward the request.",
|
|
15
|
+
"deprecatedMessage": "",
|
|
16
|
+
"required": ["handler"],
|
|
17
|
+
"properties": {
|
|
18
|
+
"handler": {
|
|
19
|
+
"type": "object",
|
|
20
|
+
"default": {},
|
|
21
|
+
"required": ["export", "module", "options"],
|
|
22
|
+
"properties": {
|
|
23
|
+
"export": {
|
|
24
|
+
"const": "UpstreamAwsServiceAuthInboundPolicy",
|
|
25
|
+
"description": "The name of the exported type"
|
|
26
|
+
},
|
|
27
|
+
"module": {
|
|
28
|
+
"const": "$import(@zuplo/runtime)",
|
|
29
|
+
"description": "The module containing the policy"
|
|
30
|
+
},
|
|
31
|
+
"options": {
|
|
32
|
+
"title": "UpstreamAwsServiceAuthInboundPolicyOptions",
|
|
33
|
+
"type": "object",
|
|
34
|
+
"description": "The options for this policy.",
|
|
35
|
+
"additionalProperties": false,
|
|
36
|
+
"required": ["accessKeyId", "secretAccessKey", "region"],
|
|
37
|
+
"properties": {
|
|
38
|
+
"accessKeyId": {
|
|
39
|
+
"type": "string",
|
|
40
|
+
"examples": ["$env(AWS_ACCESS_KEY_ID)"],
|
|
41
|
+
"description": "The AWS access key ID. Store the value in an environment variable rather than in source."
|
|
42
|
+
},
|
|
43
|
+
"secretAccessKey": {
|
|
44
|
+
"type": "string",
|
|
45
|
+
"examples": ["$env(AWS_SECRET_ACCESS_KEY)"],
|
|
46
|
+
"description": "The AWS secret access key. Always store this in an environment variable."
|
|
47
|
+
},
|
|
48
|
+
"region": {
|
|
49
|
+
"type": "string",
|
|
50
|
+
"examples": ["us-east-1"],
|
|
51
|
+
"description": "The AWS region. Used for the STS endpoint when 'roleArn' is set, and as the default signing region for consumers of the resolved credentials."
|
|
52
|
+
},
|
|
53
|
+
"sessionToken": {
|
|
54
|
+
"type": "string",
|
|
55
|
+
"x-show-example": false,
|
|
56
|
+
"description": "The AWS session token, required only when the configured access key pair is itself a temporary credential."
|
|
57
|
+
},
|
|
58
|
+
"roleArn": {
|
|
59
|
+
"type": "string",
|
|
60
|
+
"x-show-example": false,
|
|
61
|
+
"description": "An IAM role to assume using STS AssumeRole with the configured access keys. When set, the resolved credentials are the role's temporary credentials instead of the static keys."
|
|
62
|
+
},
|
|
63
|
+
"externalId": {
|
|
64
|
+
"type": "string",
|
|
65
|
+
"x-show-example": false,
|
|
66
|
+
"description": "The external ID to pass to STS AssumeRole when the role's trust policy requires one."
|
|
67
|
+
},
|
|
68
|
+
"roleSessionName": {
|
|
69
|
+
"type": "string",
|
|
70
|
+
"default": "zuplo-gateway",
|
|
71
|
+
"x-show-example": false,
|
|
72
|
+
"description": "The STS role session name recorded in AWS CloudTrail. Must match the pattern \\[\\\\w+=,.@-\\]{2,64}."
|
|
73
|
+
},
|
|
74
|
+
"durationSeconds": {
|
|
75
|
+
"type": "number",
|
|
76
|
+
"default": 3600,
|
|
77
|
+
"x-show-example": false,
|
|
78
|
+
"description": "The lifetime in seconds of the temporary credentials requested from STS (900-43200). The assumed role's maximum session duration may further limit this value."
|
|
79
|
+
},
|
|
80
|
+
"stsEndpoint": {
|
|
81
|
+
"type": "string",
|
|
82
|
+
"x-show-example": false,
|
|
83
|
+
"description": "Overrides the STS endpoint URL. Only needed for non-standard partitions such as AWS GovCloud or AWS China."
|
|
84
|
+
},
|
|
85
|
+
"tokenRetries": {
|
|
86
|
+
"type": "number",
|
|
87
|
+
"default": 3,
|
|
88
|
+
"x-show-example": false,
|
|
89
|
+
"description": "The number of times to retry fetching temporary credentials in the event of a failure."
|
|
90
|
+
},
|
|
91
|
+
"expirationOffsetSeconds": {
|
|
92
|
+
"type": "number",
|
|
93
|
+
"default": 300,
|
|
94
|
+
"x-show-example": false,
|
|
95
|
+
"description": "The number of seconds before credential expiration at which cached credentials are discarded and refreshed."
|
|
96
|
+
}
|
|
97
|
+
}
|
|
98
|
+
}
|
|
99
|
+
},
|
|
100
|
+
"examples": [
|
|
101
|
+
{
|
|
102
|
+
"export": "UpstreamAwsServiceAuthInboundPolicy",
|
|
103
|
+
"module": "$import(@zuplo/runtime)",
|
|
104
|
+
"options": {
|
|
105
|
+
"accessKeyId": "$env(AWS_ACCESS_KEY_ID)",
|
|
106
|
+
"region": "us-east-1",
|
|
107
|
+
"secretAccessKey": "$env(AWS_SECRET_ACCESS_KEY)"
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
]
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
}
|
|
@@ -41,12 +41,12 @@
|
|
|
41
41
|
"properties": {
|
|
42
42
|
"activeDirectoryTenantId": {
|
|
43
43
|
"type": "string",
|
|
44
|
-
"examples": ["
|
|
44
|
+
"examples": ["11111111-1111-1111-1111-111111111111"],
|
|
45
45
|
"description": "Azure Active Directory Tenant ID."
|
|
46
46
|
},
|
|
47
47
|
"activeDirectoryClientId": {
|
|
48
48
|
"type": "string",
|
|
49
|
-
"examples": ["
|
|
49
|
+
"examples": ["22222222-2222-2222-2222-222222222222"],
|
|
50
50
|
"description": "The Application (client) ID of the Azure AD App Registration."
|
|
51
51
|
},
|
|
52
52
|
"activeDirectoryClientSecret": {
|
|
@@ -72,9 +72,9 @@
|
|
|
72
72
|
"export": "UpstreamAzureAdServiceAuthInboundPolicy",
|
|
73
73
|
"module": "$import(@zuplo/runtime)",
|
|
74
74
|
"options": {
|
|
75
|
-
"activeDirectoryClientId": "
|
|
75
|
+
"activeDirectoryClientId": "22222222-2222-2222-2222-222222222222",
|
|
76
76
|
"activeDirectoryClientSecret": "$env(ACTIVE_DIRECTORY_CLIENT_SECRET)",
|
|
77
|
-
"activeDirectoryTenantId": "
|
|
77
|
+
"activeDirectoryTenantId": "11111111-1111-1111-1111-111111111111",
|
|
78
78
|
"expirationOffsetSeconds": 300,
|
|
79
79
|
"tokenRetries": 3
|
|
80
80
|
}
|
|
@@ -130,9 +130,9 @@ With GCP Workload Federation setup, you can add the policy to your Zuplo API.
|
|
|
130
130
|
"module": "$import(@zuplo/runtime)",
|
|
131
131
|
"export": "UpstreamGcpFederatedAuthInboundPolicy",
|
|
132
132
|
"options": {
|
|
133
|
-
"audience": "https://
|
|
133
|
+
"audience": "https://my-backend-api-a1b2c3d4e5-uc.a.run.app",
|
|
134
134
|
"serviceAccountEmail": "zup-api@my-project.iam.gserviceaccount.com",
|
|
135
|
-
"workloadIdentityProvider": "projects/
|
|
135
|
+
"workloadIdentityProvider": "projects/1234567890/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
|
|
136
136
|
}
|
|
137
137
|
}
|
|
138
138
|
}
|
|
@@ -41,7 +41,7 @@
|
|
|
41
41
|
"properties": {
|
|
42
42
|
"audience": {
|
|
43
43
|
"type": "string",
|
|
44
|
-
"examples": ["https://
|
|
44
|
+
"examples": ["https://my-backend-api-a1b2c3d4e5-uc.a.run.app"],
|
|
45
45
|
"description": "The audience for the minted JWT. This is typically the URL of your service. See the document [AuthRequirement](https://cloud.google.com/endpoints/docs/grpc-service-config/reference/rpc/google.api#google.api.AuthRequirement) for details."
|
|
46
46
|
},
|
|
47
47
|
"serviceAccountEmail": {
|
|
@@ -52,7 +52,7 @@
|
|
|
52
52
|
"workloadIdentityProvider": {
|
|
53
53
|
"type": "string",
|
|
54
54
|
"examples": [
|
|
55
|
-
"projects/
|
|
55
|
+
"projects/1234567890/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
|
|
56
56
|
]
|
|
57
57
|
},
|
|
58
58
|
"tokenLifetime": {
|
|
@@ -86,9 +86,9 @@
|
|
|
86
86
|
"export": "UpstreamGcpFederatedAuthInboundPolicy",
|
|
87
87
|
"module": "$import(@zuplo/runtime)",
|
|
88
88
|
"options": {
|
|
89
|
-
"audience": "https://
|
|
89
|
+
"audience": "https://my-backend-api-a1b2c3d4e5-uc.a.run.app",
|
|
90
90
|
"serviceAccountEmail": "zup-api@my-project.iam.gserviceaccount.com",
|
|
91
|
-
"workloadIdentityProvider": "projects/
|
|
91
|
+
"workloadIdentityProvider": "projects/1234567890/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
|
|
92
92
|
}
|
|
93
93
|
}
|
|
94
94
|
]
|
|
@@ -50,7 +50,7 @@ protected by Identity Aware Proxy (IAP), use the `audience` property:
|
|
|
50
50
|
"export": "UpstreamGcpServiceAuthInboundPolicy",
|
|
51
51
|
"module": "$import(@zuplo/runtime)",
|
|
52
52
|
"options": {
|
|
53
|
-
"audience": "https://my-
|
|
53
|
+
"audience": "https://my-backend-api-a1b2c3d4e5-uc.a.run.app",
|
|
54
54
|
"serviceAccountJson": "$env(GCP_SERVICE_ACCOUNT)"
|
|
55
55
|
}
|
|
56
56
|
}
|
|
@@ -59,7 +59,7 @@ protected by Identity Aware Proxy (IAP), use the `audience` property:
|
|
|
59
59
|
**Audience Values:**
|
|
60
60
|
|
|
61
61
|
- For **Cloud Run**: Use the full URL of your Cloud Run service (e.g.,
|
|
62
|
-
`https://my-
|
|
62
|
+
`https://my-backend-api-a1b2c3d4e5-uc.a.run.app`)
|
|
63
63
|
- For **Identity Aware Proxy**: Use the Client ID of your OAuth application
|
|
64
64
|
- For **Cloud Functions**: Use the full URL of your function
|
|
65
65
|
|
|
@@ -109,7 +109,7 @@ Apply the policy to routes that need to access your Cloud Run service:
|
|
|
109
109
|
"export": "forwardToOrigin",
|
|
110
110
|
"module": "$import(@zuplo/runtime)",
|
|
111
111
|
"options": {
|
|
112
|
-
"baseUrl": "https://my-
|
|
112
|
+
"baseUrl": "https://my-backend-api-a1b2c3d4e5-uc.a.run.app"
|
|
113
113
|
}
|
|
114
114
|
}
|
|
115
115
|
}
|
|
@@ -37,8 +37,8 @@
|
|
|
37
37
|
"properties": {
|
|
38
38
|
"audience": {
|
|
39
39
|
"type": "string",
|
|
40
|
-
"examples": ["https://my-
|
|
41
|
-
"description": "The audience for the service to be called. This is typically the URL of your service endpoint like 'https://my-
|
|
40
|
+
"examples": ["https://my-backend-api-a1b2c3d4e5-uc.a.run.app"],
|
|
41
|
+
"description": "The audience for the service to be called. This is typically the URL of your service endpoint like 'https://my-backend-api-a1b2c3d4e5-uc.a.run.app'. If calling a Google API, leave this empty."
|
|
42
42
|
},
|
|
43
43
|
"scopes": {
|
|
44
44
|
"type": "array",
|
|
@@ -91,7 +91,7 @@
|
|
|
91
91
|
"export": "UpstreamGcpServiceAuthInboundPolicy",
|
|
92
92
|
"module": "$import(@zuplo/runtime)",
|
|
93
93
|
"options": {
|
|
94
|
-
"audience": "https://my-
|
|
94
|
+
"audience": "https://my-backend-api-a1b2c3d4e5-uc.a.run.app",
|
|
95
95
|
"scopes": ["https://www.googleapis.com/auth/cloud-platform"],
|
|
96
96
|
"serviceAccountJson": "$env(SERVICE_ACCOUNT_JSON)"
|
|
97
97
|
}
|
|
@@ -40,6 +40,25 @@
|
|
|
40
40
|
"examples": ["https://api.example.com", "my-service"],
|
|
41
41
|
"description": "The audience claim for the JWT."
|
|
42
42
|
},
|
|
43
|
+
"subject": {
|
|
44
|
+
"type": "string",
|
|
45
|
+
"examples": ["zuplo-gateway"],
|
|
46
|
+
"x-show-example": false,
|
|
47
|
+
"description": "The subject ('sub') claim for the minted JWT. Identifies the acting subject of the token (typically the gateway itself)."
|
|
48
|
+
},
|
|
49
|
+
"claimsFromUser": {
|
|
50
|
+
"type": "object",
|
|
51
|
+
"additionalProperties": {
|
|
52
|
+
"type": "string"
|
|
53
|
+
},
|
|
54
|
+
"examples": [
|
|
55
|
+
{
|
|
56
|
+
"caller": "sub"
|
|
57
|
+
}
|
|
58
|
+
],
|
|
59
|
+
"x-show-example": false,
|
|
60
|
+
"description": "Maps claims in the minted JWT to values from the authenticated user (request.user). Each key is the claim name to set; each value is a light JSON-path selector into request.user using dot or bracket notation (e.g. 'sub', 'data.role', or 'data\\[\"https://example.com/claim\"\\]' for keys containing dots or slashes). When set, the policy requires an authenticated user and returns 401 if request.user is absent — it never mints a token with missing identity."
|
|
61
|
+
},
|
|
43
62
|
"headerName": {
|
|
44
63
|
"type": "string",
|
|
45
64
|
"default": "Authorization",
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "zuplo",
|
|
3
|
-
"version": "6.72.
|
|
3
|
+
"version": "6.72.7",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "The programmable API Gateway",
|
|
6
6
|
"author": "Zuplo, Inc.",
|
|
@@ -19,9 +19,9 @@
|
|
|
19
19
|
"zuplo": "zuplo.js"
|
|
20
20
|
},
|
|
21
21
|
"dependencies": {
|
|
22
|
-
"@zuplo/cli": "6.72.
|
|
23
|
-
"@zuplo/core": "6.72.
|
|
24
|
-
"@zuplo/runtime": "6.72.
|
|
22
|
+
"@zuplo/cli": "6.72.7",
|
|
23
|
+
"@zuplo/core": "6.72.7",
|
|
24
|
+
"@zuplo/runtime": "6.72.7",
|
|
25
25
|
"@zuplo/test": "1.4.0"
|
|
26
26
|
}
|
|
27
27
|
}
|