client certificate as cacheKeyParameters
Hi, I’m writing APIs that use mTLS (client certificates) as authentication. I would like to cache results based on that property (i.e. cache per client). I tried:
```yaml
caching:
  enabled: true
  ttlInSeconds: 60
  cacheKeyParameters:
    - name: request.requestContext.identity.clientCert.serialNumber
```
but fails with Invalid mapping expression
For reference, this is the event my lambda receives:
```json
{
  "event": {
    "resource": "/v1/...",
    "path": "/v1/...",
    "httpMethod": "GET",
    "headers": {
      "accept": "*/*",
      "accept-encoding": "gzip, deflate, br",
      "cache-control": "no-cache",
      "User-Agent": "PostmanRuntime/7.28.2"
    },
    "multiValueHeaders": {
      "accept": [
        "*/*"
      ],
      "accept-encoding": [
        "gzip, deflate, br"
      ],
      "cache-control": [
        "no-cache"
      ],
      "User-Agent": [
        "PostmanRuntime/7.28.2"
      ]
    },
    "queryStringParameters": null,
    "multiValueQueryStringParameters": null,
    "pathParameters": null,
    "stageVariables": null,
    "requestContext": {
      "resourceId": "yzpjp5",
      "resourcePath": "/v1/...",
      "httpMethod": "GET",
      "extendedRequestId": "PCkYaG3ziYcFouQ=",
      "requestTime": "15/Mar/2022:19:22:16 +0000",
      "path": "/v1/...",
      "accountId": "105843011380",
      "protocol": "HTTP/1.1",
      "stage": "dev",
      "domainPrefix": "core",
      "requestTimeEpoch": 1647372136811,
      "requestId": "1cfff372-3db0-4ad0-a023-46c570c8adeb",
      "identity": {
        "cognitoIdentityPoolId": null,
        "clientCert": {
          "clientCertPem": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----",
          "serialNumber": "620155093573104977087960001264040226218798030419",
          "issuerDN": "CN=...",
          "validity": {
            "notAfter": "Mar 3 20:27:42 2023 GMT",
            "notBefore": "Mar 3 20:27:43 2022 GMT"
          },
          "subjectDN": "CN=acme,O=acme"
        },
        "cognitoIdentityId": null,
        "principalOrgId": null,
        "cognitoAuthenticationType": null,
        "userArn": null,
        "userAgent": "PostmanRuntime/7.28.2",
        "accountId": null,
        "caller": null,
        "accessKey": null,
        "cognitoAuthenticationProvider": null,
        "user": null
      },
      "apiId": "lz44gudovl"
    },
    "body": null,
    "isBase64Encoded": false
  }
}
```
Is this possible? Thanks
Issue Analytics
- State:
- Created 2 years ago
- Comments:7 (4 by maintainers)
Top GitHub Comments
Hi @andres-ntropy

Thank you for the information provided. You’re right, the `AWS_PROXY` integration type check doesn’t seem required. If I recall correctly, it was added to support cache key parameters coming from the body of a request. However, I ran some tests and it doesn’t make a difference whether it’s `AWS` or `AWS_PROXY`, the cache key parameters are still properly configured.

I have therefore released v1.8.0 of the plugin which removes that check.

Feel free to reopen this issue if it doesn’t solve your problem.

Hi @tulsidas, That’s unfortunate 😦 Thank you for the update.
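
The per-client key the question asks for can also be derived inside the Lambda handler from the `clientCert` fields of the event shown in the issue. This is an added example, not code from the issue or from the plugin: `client_cache_key`, `PerClientCache` and `sample_event` are hypothetical names, and the key binds `issuerDN` as well because a serial number is unique only within one issuing CA.

```python
import hashlib
import time

TTL_SECONDS = 60  # same TTL as the caching block in the question


class MissingClientCert(Exception):
    """The event carries no usable mTLS client certificate identity."""


def client_cache_key(event):
    """Per-client cache key from an API Gateway Lambda proxy event."""
    identity = (event.get("requestContext") or {}).get("identity") or {}
    cert = identity.get("clientCert") or {}
    issuer, serial = cert.get("issuerDN"), cert.get("serialNumber")
    if not issuer or not serial:
        # Fail closed: never fall back to a key shared between clients.
        raise MissingClientCert("event has no clientCert issuerDN/serialNumber")
    # Each part is length-prefixed so adjacent fields cannot run together.
    digest = hashlib.sha256()
    for part in (issuer, serial, event.get("httpMethod") or "", event.get("path") or ""):
        data = part.encode("utf-8")
        digest.update(len(data).to_bytes(4, "big") + data)
    return digest.hexdigest()


class PerClientCache:
    """In-memory TTL cache keyed by client_cache_key (one per warm Lambda)."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.monotonic):
        self._ttl, self._clock, self._items = ttl, clock, {}

    def get_or_compute(self, event, compute):
        key, now = client_cache_key(event), self._clock()
        hit = self._items.get(key)
        if hit and now - hit[0] < self._ttl:
            return hit[1]  # still fresh for this client
        value = compute(event)
        self._items[key] = (now, value)
        return value


def sample_event(issuer, serial, path="/v1/items"):
    """Constructed event holding only the fields used above (shape as in the question)."""
    cert = {"issuerDN": issuer, "serialNumber": serial}
    return {"httpMethod": "GET", "path": path,
            "requestContext": {"identity": {"clientCert": cert}}}
```

Any query string or header that changes the response has to be added to the hashed parts as well, otherwise one client's requests with different parameters share an entry.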