@segment/backstage-plugin-proxy-sigv4-backend
v0.3.2
Published
Backstage backend plugin that configures endpoints for signing and proxying HTTP requests with AWS SigV4
Downloads
1,222
Maintainers
Keywords
Readme
AWS SigV4 Proxy backend plugin
Backend plugin that enables proxy definitions to be declared in, and read from, app-config.yaml
(just like the
built-in proxy-backend
plugin) that will be signed using the AWS Signature Version 4 (SigV4) request-signing
algorithm.
Loosely modeled after the official AWS SigV4 Proxy project (awslabs/aws-sigv4-proxy).
Getting started
This plugin has already been added to the Backstage app in this repository, meaning you'll be able to try out
the plugin by firstly adding your Proxy Sigv4 Configuration to the app-config.yaml
located in
the root folder of this repository. After that, you should be able to access it by starting the app, and then navigating
to /api/proxy-sigv4/*.
This backend plugin can also be started in a standalone mode via yarn start
from within this package; however, it will
have limited functionality and this process is most convenient when developing the plugin itself. If you develop using
the standalone server, note that the plugin is mounted at the backend root and not under /api/
:
/proxy-sigv4/*.
Installation
Add the backend plugin as a dependency to packages/backend
yarn add --cwd packages/backend '@segment/backstage-plugin-proxy-sigv4-backend'
New Backend System
The AWS SigV4 Proxy backend plugin has support for the new backend system. In your packages/backend/src/index.ts
file, make the following changes:
import { createBackend } from '@backstage/backend-defaults';
const backend = createBackend();
// ... other feature additions
+ // proxy-sigv4 plugin installation
+ backend.add(import('@segment/backstage-plugin-proxy-sigv4-backend'));
backend.start();
Legacy Backend System
Create a new backend plugin wrapper module
If you are still using the legacy backend system, you'll need to add the plugin to the router in your backend
package.
You can do this by creating a file called packages/backend/src/plugins/proxy-sigv4.ts
. Example content for
proxy-sigv4.ts
could be something like this.
// packages/backend/src/plugins/proxy-sigv4.ts
import { createRouter } from '@segment/backstage-plugin-proxy-sigv4-backend';
import { Router } from 'express';
import { PluginEnvironment } from '../types';
export default async function createPlugin({
logger,
config,
}: PluginEnvironment): Promise<Router> {
return await createRouter({ logger, config });
}
Initialize the wrapper module and mount the router in packages/backend
With the proxy-sigv4.ts
router setup in place, add the router to packages/backend/src/index.ts
:
// packages/backend/src/index.ts
+import proxySigV4 from './plugins/proxy-sigv4';
async function main() {
...
const createEnv = makeCreateEnv(config);
...
const proxyEnv = useHotMemoize(module, () => createEnv('proxy'));
+ const proxySigV4Env = useHotMemoize(module, () => createEnv('proxy-sigv4'));
const apiRouter = Router();
apiRouter.use('/proxy', await proxy(proxyEnv));
+ apiRouter.use('/proxy-sigv4', await proxySigV4(proxySignV4Env));
...
}
Configuration
Proxy routes can be configured using either a short or expanded form.
Short form
The short form is useful when the default AWS.CredentialProviderChain
resolves to a set of AWS credentials that
have the permissions necessary to invoke the target API directly.
This is commonplace when the IAM instance profile has been configured with a role that has been granted access on
the target API and no additional AssumeRole
call is required.
This is also useful during local development when the shell environment used to start the application already has AWS credentials exported into the shell's environment variables.
proxysigv4:
'/some-local-path': https://<API ID>.execute-api.<region>.amazonaws.com
Expanded form
The expanded form is necessary when an AssumeRole
call is required, or if the target API service and region cannot
be automatically derived from the URL (commonplace when a custom domain name has been configured for an API Gateway
endpoint).
proxysigv4:
'/some-local-path':
target: 'https://<API ID>.execute-api.<region>.amazonaws.com'
roleArn: 'arn:aws:iam::<account>:role/<name>'
roleSessionName: tempAssumeRoleSession ## optional
New Auth Services - Unauthorized Requests
When using the new backend system with the new auth services, the proxy-sigv4
backend plugin will by default allow unauthenticated requests.
To prevent this behavior, provide the following configuration:
proxysigv4:
allowUnauthenticatedRequests: false
Doing so will not add the auth policty that allows unauthenticated requests.
Schema
Refer to config.d.ts
for the full plugin type definition.
Limitations
- No response streaming.
- No configuration of the forwarded or received headers allowlist.
- No ability to override or manually configure target URL
service
andregion
properties- CNAME'd endpoints are therefore not currently supported
- Target URLs that lack a trailing slash (
/
) will always have one implicitly applied.- e.g.:
https://example.com/foo
will be treated ashttps://example.com/foo/
- e.g.:
- Target URLs with a path prefix may be susceptible to path traversal attacks; test coverage for this is poor.