gravitee-io
diff --git a/‎README.adoc‎
Lines changed: 30 additions & 6 deletions b/‎README.adoc‎
Lines changed: 30 additions & 6 deletions
diff --git a/‎pom.xml‎
Lines changed: 51 additions & 0 deletions b/‎pom.xml‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎src/main/java/io/gravitee/policy/aws/lambda/AwsLambdaPolicy.java‎
Lines changed: 9 additions & 2 deletions b/‎src/main/java/io/gravitee/policy/aws/lambda/AwsLambdaPolicy.java‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎src/main/java/io/gravitee/policy/aws/lambda/AwsLambdaPolicyV3.java‎
Lines changed: 48 additions & 41 deletions b/‎src/main/java/io/gravitee/policy/aws/lambda/AwsLambdaPolicyV3.java‎
Lines changed: 48 additions & 41 deletions
diff --git a/‎src/main/java/io/gravitee/policy/aws/lambda/configuration/AwsLambdaPolicyConfiguration.java‎
Lines changed: 10 additions & 1 deletion b/‎src/main/java/io/gravitee/policy/aws/lambda/configuration/AwsLambdaPolicyConfiguration.java‎
Lines changed: 10 additions & 1 deletion
@@ -63,13 +63,13 @@ By default, the lambda is called in addition to the backend, meaning the consume
 
 .^|accessKey
 ^.^|
-|AWS Access Key
+|AWS Access Key. It can be stored in vault and referred via the Gravitee expression language.
 ^.^|string
 ^.^|-
 
 .^|secretKey
 ^.^|
-|AWS Secret Key
+|AWS Secret Key. It can be stored in vault and referred via the Gravitee expression language.
 ^.^|string
 ^.^|-
 
@@ -119,7 +119,7 @@ DryRun – Validate parameter values and verify that the user or role has permis
 
 .^|roleArn
 ^.^|-
-|The arn of the role to be assumed. This is used when authentication is relying on the AWS Security Token Service (STS) to assume a Role and create temporary, short-lived sessions to use for authentication.
+|The arn of the role to be assumed. This is used when authentication is relying on the AWS Security Token Service (STS) to assume a Role and create temporary, short-lived sessions to use for authentication. It can be stored in vault and referred via the Gravitee expression language.
 ^.^|string
 ^.^|-
 
@@ -132,10 +132,11 @@ DryRun – Validate parameter values and verify that the user or role has permis
 |===
 
 == Examples
-
+Without expression language:
 [source, json]
 ----
-"configuration": {
+{
+  "configuration": {
     "variables": [
       {
         "name": "lambdaResponse",
@@ -150,9 +151,32 @@ DryRun – Validate parameter values and verify that the user or role has permis
     "region": "us-east-1",
     "sendToConsumer": true,
     "endpoint": "http://aws-lambda-url/function"
+  }
+}
+----
+With expression language support:
+[source, json]
+----
+{
+  "configuration": {
+    "variables": [
+      {
+        "name": "lambdaResponse",
+        "value": "{#jsonPath(#lambdaResponse.content, '$')}"
+      }
+    ],
+    "secretKey": "{#secrets.get('/vault/secret/aws:secretKey')}",
+    "accessKey": "{#secrets.get('/vault/secret/aws:accessKey')}",
+    "roleArn": " {#secrets.get('/vault/secret/aws:roleArn')}",
+    "payload": "{ \"key\": \"value\" }",
+    "scope": "REQUEST",
+    "function": "lambda-example",
+    "region": "us-east-1",
+    "sendToConsumer": true,
+    "endpoint": "http://aws-lambda-url/function"
+  }
 }
 ----
-
 == Errors
 
 === Default error
 
@@ -36,9 +36,15 @@
 
     <properties>
         <gravitee-apim-bom.version>4.8.9</gravitee-apim-bom.version>
+        <gravitee-plugin.version>4.10.0</gravitee-plugin.version>
         <gravitee-entrypoint-http-get.version>2.1.0</gravitee-entrypoint-http-get.version>
         <gravitee-reactor-message.version>7.0.1</gravitee-reactor-message.version>
+        <gravitee-secretprovider-hc-vault.version>2.1.0</gravitee-secretprovider-hc-vault.version>
+        <gravitee-service-secrets.version>2.0.1</gravitee-service-secrets.version>
+        <gravitee-secret-api.version>2.0.0</gravitee-secret-api.version>
+        <testcontainers.version>1.21.3</testcontainers.version>
         <aws-java-sdk.version>2.31.26</aws-java-sdk.version>
+        <hibernate-validator.version>8.0.3.Final</hibernate-validator.version>
 
         <maven-plugin-assembly.version>3.8.0</maven-plugin-assembly.version>
         <maven-plugin-properties.version>1.2.1</maven-plugin-properties.version>
@@ -137,6 +143,27 @@
             <scope>provided</scope>
         </dependency>
 
+        <dependency>
+            <groupId>io.gravitee.secret</groupId>
+            <artifactId>gravitee-secret-api</artifactId>
+            <version>${gravitee-secret-api.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>io.gravitee.plugin</groupId>
+            <artifactId>gravitee-plugin-annotation-processors</artifactId>
+            <version>${gravitee-plugin.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.hibernate.validator</groupId>
+            <artifactId>hibernate-validator</artifactId>
+            <version>${hibernate-validator.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
         <!-- Test scope -->
         <dependency>
             <groupId>io.gravitee.apim.gateway</groupId>
@@ -168,6 +195,30 @@
             <version>${gravitee-reactor-message.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.graviteesource.secretprovider</groupId>
+            <artifactId>gravitee-secret-provider-hc-vault</artifactId>
+            <version>${gravitee-secretprovider-hc-vault.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.graviteesource.service</groupId>
+            <artifactId>gravitee-service-secrets</artifactId>
+            <version>${gravitee-service-secrets.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>vault</artifactId>
+            <version>${testcontainers.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>junit-jupiter</artifactId>
+            <version>${testcontainers.version}</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
 
@@ -31,6 +31,7 @@
 import io.gravitee.gateway.reactor.ReactableApi;
 import io.gravitee.policy.aws.lambda.configuration.AwsLambdaError;
 import io.gravitee.policy.aws.lambda.configuration.AwsLambdaPolicyConfiguration;
+import io.gravitee.policy.aws.lambda.configuration.AwsLambdaPolicyConfigurationEvaluator;
 import io.gravitee.policy.aws.lambda.el.LambdaResponse;
 import io.gravitee.policy.aws.lambda.invokers.LambdaInvoker;
 import io.reactivex.rxjava3.core.Completable;
@@ -48,8 +49,11 @@
 @Slf4j
 public class AwsLambdaPolicy extends AwsLambdaPolicyV3 implements HttpPolicy {
 
+    private final AwsLambdaPolicyConfigurationEvaluator evaluator;
+
     public AwsLambdaPolicy(AwsLambdaPolicyConfiguration configuration) {
         super(configuration);
+        this.evaluator = new AwsLambdaPolicyConfigurationEvaluator(configuration);
     }
 
     @Override
@@ -98,23 +102,26 @@ public Completable onResponse(HttpPlainExecutionContext ctx) {
 
     private <T extends HttpBaseExecutionContext> Single<InvokeResponse> invokeAndHandleLambda(T ctx) {
         return Single
-            .fromFuture(invokeLambda(ctx.getTemplateEngine()))
+            .fromFuture(invokeLambda(this.evaluator.eval(ctx)))
             .subscribeOn(Schedulers.io())
             .flatMap(invokeResponse -> {
                 log.debug("AWS Lambda function has been invoked successfully");
+
                 String functionError = invokeResponse.functionError();
+
                 if (functionError != null && List.of("Handled", "Unhandled").contains(functionError)) {
                     return processError(ctx, null, AwsLambdaError.AWS_LAMBDA_INVALID_RESPONSE);
                 } else if (invokeResponse.statusCode() >= 200 && invokeResponse.statusCode() < 300) {
                     return processSuccess(ctx, invokeResponse);
                 }
+
                 return processError(ctx, null, AWS_LAMBDA_INVALID_STATUS_CODE);
             })
             .onErrorResumeNext(throwable -> processError(ctx, throwable, AwsLambdaError.AWS_LAMBDA_INVALID_RESPONSE));
     }
 
     private <T extends HttpBaseExecutionContext> Single<InvokeResponse> processError(T ctx, Throwable throwable, AwsLambdaError error) {
-        log.debug("An error occurs while invoking lambda function", throwable);
+        log.error("An error occurs while invoking lambda function", throwable);
 
         ExecutionFailure failure = new ExecutionFailure(error.getStatusCode())
             .key(error.name())
 
@@ -34,11 +34,11 @@
 import io.gravitee.policy.api.annotations.OnRequestContent;
 import io.gravitee.policy.api.annotations.OnResponse;
 import io.gravitee.policy.api.annotations.OnResponseContent;
-import io.gravitee.policy.aws.lambda.configuration.AwsLambdaError;
 import io.gravitee.policy.aws.lambda.configuration.AwsLambdaPolicyConfiguration;
 import io.gravitee.policy.aws.lambda.configuration.PolicyScope;
 import io.gravitee.policy.aws.lambda.el.LambdaResponse;
 import io.gravitee.policy.aws.lambda.invokers.LambdaInvokerV3;
+import io.reactivex.rxjava3.core.Single;
 import io.vertx.core.Context;
 import io.vertx.core.Vertx;
 import java.util.concurrent.CompletableFuture;
@@ -64,16 +64,17 @@
 @Slf4j
 public class AwsLambdaPolicyV3 {
 
+    private LambdaAsyncClient lambdaClient;
+
     protected final AwsLambdaPolicyConfiguration configuration;
+
     protected static final String TEMPLATE_VARIABLE = "lambdaResponse";
-    private final LambdaAsyncClient lambdaClient;
     private static final String LAMBDA_RESULT_ATTR = "LAMBDA_RESULT";
     private static final String REQUEST_TEMPLATE_VARIABLE = "request";
     private static final String RESPONSE_TEMPLATE_VARIABLE = "response";
 
     public AwsLambdaPolicyV3(AwsLambdaPolicyConfiguration configuration) {
         this.configuration = configuration;
-        lambdaClient = initLambdaClient();
     }
 
     @OnRequest
@@ -223,63 +224,69 @@ public void end() {
         };
     }
 
-    protected CompletableFuture<InvokeResponse> invokeLambda(TemplateEngine templateEngine) {
-        return CompletableFuture
-            .supplyAsync(() -> {
-                InvokeRequest.Builder awsRequest = InvokeRequest
-                    .builder()
-                    .functionName(configuration.getFunction())
-                    .invocationType(configuration.getInvocationType())
-                    .qualifier(configuration.getQualifier())
-                    .logType(configuration.getLogType());
-
-                if (configuration.getPayload() != null && !configuration.getPayload().isEmpty()) {
-                    String payload = templateEngine.evalNow(configuration.getPayload(), String.class);
-                    awsRequest.payload(SdkBytes.fromUtf8String(payload));
-                }
+    protected CompletableFuture<InvokeResponse> invokeLambda(Single<AwsLambdaPolicyConfiguration> configuration) {
+        return configuration
+            .flatMap(config -> {
+                lambdaClient = initLambdaClient(config);
+                InvokeRequest.Builder awsRequest = buildRequest(config);
 
-                return awsRequest;
+                return Single.fromFuture(lambdaClient.invoke(awsRequest.build()));
             })
-            .thenCompose(awsRequest -> {
-                // invoke the lambda function and inspect the result...
-                return lambdaClient.invoke(awsRequest.build());
-            });
+            .toCompletionStage()
+            .toCompletableFuture();
+    }
+
+    private static InvokeRequest.Builder buildRequest(AwsLambdaPolicyConfiguration config) {
+        InvokeRequest.Builder awsRequest = InvokeRequest
+            .builder()
+            .functionName(config.getFunction())
+            .invocationType(config.getInvocationType())
+            .qualifier(config.getQualifier())
+            .logType(config.getLogType());
+
+        if (config.getPayload() != null && !config.getPayload().isEmpty()) {
+            awsRequest.payload(SdkBytes.fromUtf8String(config.getPayload()));
+        }
+
+        return awsRequest;
     }
 
-    protected LambdaAsyncClient initLambdaClient() {
+    protected LambdaAsyncClient initLambdaClient(AwsLambdaPolicyConfiguration config) {
         AwsCredentialsProvider awsCredentialsProvider;
+        String accessKey = config.getAccessKey();
+        String secretKey = config.getSecretKey();
+        String roleArn = config.getRoleArn();
 
-        if (configuration.getRoleArn() != null && !configuration.getRoleArn().isEmpty()) {
-            awsCredentialsProvider = createSTSCredentialsProvider();
+        if (roleArn != null && !roleArn.isEmpty()) {
+            awsCredentialsProvider = createSTSCredentialsProvider(accessKey, secretKey, roleArn);
         } else {
-            awsCredentialsProvider = getAWSCredentialsProvider();
+            awsCredentialsProvider = getAWSCredentialsProvider(accessKey, secretKey);
         }
 
-        return LambdaAsyncClient.builder().credentialsProvider(awsCredentialsProvider).region(Region.of(configuration.getRegion())).build();
+        String region = config.getRegion();
+
+        return LambdaAsyncClient.builder().credentialsProvider(awsCredentialsProvider).region(Region.of(region)).build();
     }
 
-    private StsAssumeRoleCredentialsProvider createSTSCredentialsProvider() {
+    private StsAssumeRoleCredentialsProvider createSTSCredentialsProvider(String accessKey, String secretKey, String roleArn) {
         return StsAssumeRoleCredentialsProvider
             .builder()
-            .refreshRequest(() ->
-                AssumeRoleRequest.builder().roleArn(configuration.getRoleArn()).roleSessionName(configuration.getRoleSessionName()).build()
-            )
+            .refreshRequest(() -> AssumeRoleRequest.builder().roleArn(roleArn).roleSessionName(configuration.getRoleSessionName()).build())
             .stsClient(
-                StsClient.builder().credentialsProvider(getAWSCredentialsProvider()).region(Region.of(configuration.getRegion())).build()
+                StsClient
+                    .builder()
+                    .credentialsProvider(getAWSCredentialsProvider(accessKey, secretKey))
+                    .region(Region.of(configuration.getRegion()))
+                    .build()
             )
             .build();
     }
 
-    private AwsCredentialsProvider getAWSCredentialsProvider() {
+    private AwsCredentialsProvider getAWSCredentialsProvider(String accessKey, String secretKey) {
         AwsBasicCredentials credentials = null;
 
-        if (
-            configuration.getAccessKey() != null &&
-            !configuration.getAccessKey().isEmpty() &&
-            configuration.getSecretKey() != null &&
-            !configuration.getSecretKey().isEmpty()
-        ) {
-            credentials = AwsBasicCredentials.create(configuration.getAccessKey(), configuration.getSecretKey());
+        if (accessKey != null && !accessKey.isEmpty() && secretKey != null && !secretKey.isEmpty()) {
+            credentials = AwsBasicCredentials.create(accessKey, secretKey);
         }
 
         if (credentials != null) {
@@ -291,7 +298,7 @@ private AwsCredentialsProvider getAWSCredentialsProvider() {
     }
 
     private void invokeLambda(ExecutionContext context, Consumer<InvokeResponse> onSuccess, Consumer<PolicyResult> onError) {
-        invokeLambda(context.getTemplateEngine())
+        invokeLambda(Single.just(configuration))
             .whenCompleteAsync((InvokeResponse result, Throwable throwable) -> {
                 // Lambda will return an HTTP status code will be in the 200 range for successful
                 // request, even if an error occurred in the Lambda function itself. Here, we check
 
@@ -15,7 +15,10 @@
  */
 package io.gravitee.policy.aws.lambda.configuration;
 
+import io.gravitee.plugin.annotation.ConfigurationEvaluator;
 import io.gravitee.policy.api.PolicyConfiguration;
+import io.gravitee.secrets.api.annotation.Secret;
+import io.gravitee.secrets.api.el.FieldKind;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.Getter;
@@ -29,13 +32,18 @@
  */
 @Getter
 @Setter
+@ConfigurationEvaluator(attributePrefix = "gravitee.attributes.secret.aws")
 public class AwsLambdaPolicyConfiguration implements PolicyConfiguration {
 
     private PolicyScope scope = PolicyScope.REQUEST;
 
     private String region = "us-east-1";
 
-    private String accessKey, secretKey;
+    @Secret(FieldKind.GENERIC)
+    private String accessKey;
+
+    @Secret(FieldKind.GENERIC)
+    private String secretKey;
 
     private String function;
 
@@ -45,6 +53,7 @@ public class AwsLambdaPolicyConfiguration implements PolicyConfiguration {
 
     private String qualifier;
 
+    @Secret(FieldKind.GENERIC)
     private String roleArn;
 
     private String roleSessionName = "gravitee";