Skip to content

fix(aws-lambda): IAM auth fails with URL-encoded or multi-value query parameters#13520

Merged
nic-6443 merged 1 commit into
apache:masterfrom
nic-6443:fix/aws-lambda-sigv4-query-11097
Jun 12, 2026
Merged

fix(aws-lambda): IAM auth fails with URL-encoded or multi-value query parameters#13520
nic-6443 merged 1 commit into
apache:masterfrom
nic-6443:fix/aws-lambda-sigv4-query-11097

Conversation

@nic-6443

Copy link
Copy Markdown
Member

Description

When the aws-lambda plugin uses IAM authorization and the client request carries any query parameter that needs URL encoding (e.g. a space), AWS rejects the invocation with 403 InvalidSignatureException.

The root cause is in the canonical query string construction: core.request.get_uri_args() already returns percent-decoded args, the plugin runs ngx.unescape_uri() over them and signs the decoded string, while the query actually sent on the wire is re-encoded by lua-resty-http (ngx.encode_args on the table). So the signature is computed over different bytes than what AWS receives, e.g. with space=a/b c is signed but with%20space=a%2Fb%20c is sent. The same lines also corrupt the canonical string for repeated args (the table value is stringified to table: 0x...) and for valueless args (?flag is signed as flag=true but sent as flag).

This PR builds the canonical query string per the SigV4 spec: every name and value is percent-encoded with the RFC3986 unreserved set (AWS UriEncode rules), repeated args are expanded into one pair per value, a valueless arg gets an empty value, and the pairs are sorted by encoded name then encoded value. The plugin now also passes this exact string as params.query — lua-resty-http sends a string query through unmodified — so the signed query string and the wire query string are identical by construction.

The new test emulates the AWS server-side validation: the mock rebuilds the canonical request from the request it actually received and recomputes the signature with the known secret key, so it catches any mismatch between what is signed and what is sent.

Which issue(s) this PR fixes:

Fixes #11097

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@nic-6443 nic-6443 marked this pull request as ready for review June 11, 2026 09:19
Copilot AI review requested due to automatic review settings June 11, 2026 09:19
@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. bug Something isn't working labels Jun 11, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes AWS SigV4 (IAM) request signing in the aws-lambda plugin when the client request contains URL-encoded query parameters, repeated parameters, or valueless parameters, which previously could lead to InvalidSignatureException (403) from AWS.

Changes:

  • Implement RFC3986/AWS-compliant query parameter percent-encoding and canonical sorting for SigV4 signing in apisix/plugins/aws-lambda.lua.
  • Add a new test that emulates AWS-side SigV4 verification to catch mismatches between the request received and the signature provided (t/plugin/aws-lambda.t).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
apisix/plugins/aws-lambda.lua Reworks SigV4 canonical query string construction (encoding, multi-value expansion, valueless handling, sorting) and uses it during signature computation.
t/plugin/aws-lambda.t Adds an end-to-end regression test that recomputes SigV4 from the received request to ensure signing correctness for encoded/multi/valueless query params.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread apisix/plugins/aws-lambda.lua
@nic-6443 nic-6443 requested a review from membphis June 12, 2026 01:26
@nic-6443 nic-6443 merged commit 80b9496 into apache:master Jun 12, 2026
22 checks passed
@nic-6443 nic-6443 deleted the fix/aws-lambda-sigv4-query-11097 branch June 12, 2026 02:49
wistefan pushed a commit to wistefan/apisix that referenced this pull request Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working size:L This PR changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: aws-lambda plugin with IAM auth fails with URL-encoded query parameters

5 participants