client certificate as cacheKeyParameters

Hi, I’m writing APIs that use MTLS (client certificates) as authentication. I would like to cache results based on that property (i.e. cache per client). I tried:

  caching:
    enabled: true
    ttlInSeconds: 60
    cacheKeyParameters:
      - name: request.requestContext.identity.clientCert.serialNumber

but it fails with Invalid mapping expression

For reference, this is the event my lambda receives:

  {
    "event": {
      "resource": "/v1/...",
      "path": "/v1/...",
      "httpMethod": "GET",
      "headers": {
        "accept": "*/*",
        "accept-encoding": "gzip, deflate, br",
        "cache-control": "no-cache",
        "User-Agent": "PostmanRuntime/7.28.2"
      },
      "multiValueHeaders": {
        "accept": ["*/*"],
        "accept-encoding": ["gzip, deflate, br"],
        "cache-control": ["no-cache"],
        "User-Agent": ["PostmanRuntime/7.28.2"]
      },
      "queryStringParameters": null,
      "multiValueQueryStringParameters": null,
      "pathParameters": null,
      "stageVariables": null,
      "requestContext": {
        "resourceId": "yzpjp5",
        "resourcePath": "/v1/...",
        "httpMethod": "GET",
        "extendedRequestId": "PCkYaG3ziYcFouQ=",
        "requestTime": "15/Mar/2022:19:22:16 +0000",
        "path": "/v1/...",
        "accountId": "105843011380",
        "protocol": "HTTP/1.1",
        "stage": "dev",
        "domainPrefix": "core",
        "requestTimeEpoch": 1647372136811,
        "requestId": "1cfff372-3db0-4ad0-a023-46c570c8adeb",
        "identity": {
          "cognitoIdentityPoolId": null,
          "clientCert": {
            "clientCertPem": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----",
            "serialNumber": "620155093573104977087960001264040226218798030419",
            "issuerDN": "CN=...",
            "validity": {
              "notAfter": "Mar  3 20:27:42 2023 GMT",
              "notBefore": "Mar  3 20:27:43 2022 GMT"
            },
            "subjectDN": "CN=acme,O=acme"
          },
          "cognitoIdentityId": null,
          "principalOrgId": null,
          "cognitoAuthenticationType": null,
          "userArn": null,
          "userAgent": "PostmanRuntime/7.28.2",
          "accountId": null,
          "caller": null,
          "accessKey": null,
          "cognitoAuthenticationProvider": null,
          "user": null
        },
        "apiId": "lz44gudovl"
      },
      "body": null,
      "isBase64Encoded": false
    }
  }

Is this possible? Thanks

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

DianaIonita commented, Apr 25, 2022

Hi @andres-ntropy

Thank you for the information provided. You’re right, the AWS_PROXY integration type check doesn’t seem required. If I recall correctly, it was added to support cache key parameters coming from the body of a request. However, I ran some tests and it doesn’t make a difference whether it’s AWS or AWS_PROXY, the cache key parameters are still properly configured.

I have therefore released v1.8.0 of the plugin which removes that check.

Feel free to reopen this issue if it doesn’t solve your problem.

DianaIonita commented, Oct 28, 2022

Hi @tulsidas, That’s unfortunate 😦 Thank you for the update.
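
Added example, not part of the issue thread or the plugin's code: a Lambda-side way to derive a per-client cache key from the clientCert block of the event shown in the question, for a cache kept by the function itself rather than by API Gateway. It assumes that event shape; client_cache_key and MissingClientCert are hypothetical names and the sample event is constructed.

```python
import hashlib

# Constructed sample shaped like the requestContext in the event above
# (placeholder values, not taken from a real certificate).
SAMPLE_EVENT = {
    "path": "/v1/items",
    "httpMethod": "GET",
    "requestContext": {
        "identity": {
            "clientCert": {
                "serialNumber": "1234567890",
                "issuerDN": "CN=Example CA",
                "subjectDN": "CN=acme,O=acme",
            }
        }
    },
}


class MissingClientCert(Exception):
    """Raised when the event carries no usable client certificate identity."""


def client_cache_key(event: dict) -> str:
    """Return a cache key that is unique per client certificate and route."""
    ctx = event.get("requestContext") or {}
    cert = (ctx.get("identity") or {}).get("clientCert") or {}
    serial, issuer = cert.get("serialNumber"), cert.get("issuerDN")
    if not serial or not issuer:
        # Fail closed: never fall back to a key shared between clients.
        raise MissingClientCert("no client certificate identity in event")
    # A serial number is only unique within one issuer, so bind both.
    # Length-prefix each field so different field splits cannot collide.
    parts = [issuer, serial, event.get("httpMethod", ""), event.get("path", "")]
    material = "".join(f"{len(p)}:{p}" for p in parts).encode("utf-8")
    return hashlib.sha256(material).hexdigest()
```

Keying on the serial number alone would let two clients whose certificates come from different CAs share a cache entry if their serials coincide, which is why the issuer DN is part of the key.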
