
Sync #163

Open
stevehu wants to merge 12 commits into master from sync

Conversation


@stevehu stevehu commented Apr 11, 2026

No description provided.

DiogoFKT added 3 commits April 8, 2026 20:13
Merge in EADPGHS/light-aws-lambda from feature/stsWebToken to sync

* commit '4538d52d3ad7c3b127b1afc6c6aa122db5864d0b':
  adding cache for IDToken
  support for AssumeRoleWithWebIdentity
Copilot AI left a comment

Pull request overview

This PR updates the lambda-invoker STS configuration from a boolean flag (stsEnabled) to a typed selector (stsType) and adds support for STS AssumeRole with Web Identity, along with related config/schema/test updates.

Changes:

  • Replace stsEnabled with stsType across config model, config files, and generated schema.
  • Add StsWebIdentity support in LambdaFunctionHandler (Authorization token-based STS exchange) and add a StsFuncUser test config.
  • Add metrics-config dependency to the parent and lambda-invoker module POMs.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 9 comments.

Summary per file:

  • pom.xml: Adds metrics-config to dependency management so modules can consume it consistently.
  • lambda-invoker/pom.xml: Adds metrics-config dependency for the lambda-invoker module.
  • lambda-invoker/src/main/java/com/networknt/aws/lambda/LambdaInvokerConfig.java: Replaces stsEnabled with stsType and updates validation/error text accordingly.
  • lambda-invoker/src/main/java/com/networknt/aws/lambda/LambdaFunctionHandler.java: Implements STS client/provider selection based on stsType and adds Web Identity token handling.
  • lambda-invoker/src/main/resources/config/lambda-invoker.yml: Updates config documentation and key name from stsEnabled to stsType.
  • lambda-invoker/src/main/resources/config/lambda-invoker.yaml: Same as above, for the .yaml variant.
  • lambda-invoker/src/main/resources/config/lambda-invoker-schema.json: Updates schema properties/required list to replace stsEnabled with stsType.
  • lambda-invoker/src/test/java/com/networknt/aws/lambda/LambdaInvokerConfigTest.java: Updates tests to reflect stsType and adds a new sts type scenario.
  • lambda-invoker/src/test/resources/config/lambda-invoker-sts-with-role.yml: Updates test config to use stsType: StsWebIdentity.
  • lambda-invoker/src/test/resources/config/lambda-invoker-sts-no-role.yml: Updates test config to use stsType: StsWebIdentity with missing roleArn.
  • lambda-invoker/src/test/resources/config/lambda-invoker-sts-func.yml: Adds new test config for stsType: StsFuncUser.

Copilot AI commented Apr 11, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • central.sonatype.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.14/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.14/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.14 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.14/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/light-aws-lambda/light-aws-lambda org.codehaus.plexus.classworlds.launcher.Launcher -pl lambda-invoker -am clean test -q (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.14/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.14/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.14 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.14/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/light-aws-lambda/light-aws-lambda org.codehaus.plexus.classworlds.launcher.Launcher -f pom.xml -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI commented Apr 11, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • central.sonatype.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.14/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.14/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.14 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.14/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/light-aws-lambda/light-aws-lambda org.codehaus.plexus.classworlds.launcher.Launcher -f pom.xml -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI left a comment

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

lambda-invoker/src/main/java/com/networknt/aws/lambda/LambdaFunctionHandler.java:191

  • When config is reloaded, tokenCache is not cleared. If the handler previously cached a token and then reloads/recreates stsWebIdentityCredentialsProvider (which is initially built without a webIdentityToken), the first request after reload with the same token will hit the cache fast-path and skip rebuilding the provider with the token, leaving the provider with a token-less refresh request. Clearing tokenCache during the reload/close block would prevent this.
```java
if(stsWebIdentityCredentialsProvider != null) {
    try {
        stsWebIdentityCredentialsProvider.close();
    } catch (Exception e) {
        logger.error("Failed to close the StsAssumeRoleWithWebIdentityCredentialsProvider", e);
    }
    stsWebIdentityCredentialsProvider = null;
}
if(stsClient != null) {
    try {
        stsClient.close();
    } catch (Exception e) {
        logger.error("Failed to close the StsClient", e);
    }
    stsClient = null;
}
client = initClient(config);
```


stevehu and others added 3 commits April 11, 2026 09:48
…nctionHandler.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…vokerConfigTest.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI commented Apr 11, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • central.sonatype.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.14/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.14/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.14 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.14/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/light-aws-lambda/light-aws-lambda org.codehaus.plexus.classworlds.launcher.Launcher -pl lambda-invoker test -q (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.14/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.14/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.14 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.14/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/light-aws-lambda/light-aws-lambda org.codehaus.plexus.classworlds.launcher.Launcher -f pom.xml -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

stevehu commented Apr 11, 2026

For StsWebIdentity, the handler no longer mutates shared client or credentials-provider state on request threads. It now validates the bearer token, returns 401 immediately when the header is missing or invalid, and builds a request-scoped STS web-identity provider and Lambda client for that invocation only. That removes the concurrency hazard Copilot called out. I also added focused tests that verify bearer-token handling and that the web-identity path creates distinct request-scoped clients.

@stevehu stevehu requested a review from Copilot April 11, 2026 14:57
Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 7 comments.

stevehu commented Apr 11, 2026

I removed the request-scoped client recreation. StsWebIdentity now uses one shared LambdaAsyncClient again, backed by a stable mutable credentials provider that swaps its underlying StsAssumeRoleWithWebIdentityCredentialsProvider under synchronization when the bearer token changes. That keeps the client and connection pool reusable, avoids raw-token caching, and keeps the token refresh path thread-safe. I also lowered missing/invalid bearer-token logging from WARN to DEBUG, kept the fail-fast 401, and replaced the old raw token cache with a SHA-256 fingerprint used only for change detection.
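
One way to build the stable, swappable provider described in the comment above, which also covers the reload concern Copilot raised earlier (the fingerprint is cleared on reset so a stale token cannot short-circuit the rebuild). This is an added illustration, not code from the PR or the light-aws-lambda project; it assumes AWS SDK for Java v2 and Java 17, and the class and method names (SwappableWebIdentityProvider, updateToken, reset) are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleWithWebIdentityCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleWithWebIdentityRequest;

/** Hypothetical provider handed once to a shared Lambda client; swaps its STS delegate when the token changes. */
public final class SwappableWebIdentityProvider implements AwsCredentialsProvider {
    private final StsClient stsClient;
    private final String roleArn;
    private final String sessionName;
    private StsAssumeRoleWithWebIdentityCredentialsProvider delegate; // guarded by this
    private String tokenFingerprint;                                  // guarded by this; never the raw token

    public SwappableWebIdentityProvider(StsClient stsClient, String roleArn, String sessionName) {
        this.stsClient = stsClient; this.roleArn = roleArn; this.sessionName = sessionName;
    }

    /** Called per request with an already-validated bearer token; rebuilds the delegate only on change. */
    public synchronized void updateToken(String webIdentityToken) {
        String fp = fingerprint(webIdentityToken);
        if (delegate != null && fp.equals(tokenFingerprint)) return; // same token: keep cached STS creds
        closeDelegate();
        delegate = StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
                .stsClient(stsClient)
                .refreshRequest(AssumeRoleWithWebIdentityRequest.builder()
                        .roleArn(roleArn).roleSessionName(sessionName)
                        .webIdentityToken(webIdentityToken).build())
                .build();
        tokenFingerprint = fp;
    }

    @Override
    public synchronized AwsCredentials resolveCredentials() {
        if (delegate == null) throw new IllegalStateException("no web identity token has been supplied yet");
        return delegate.resolveCredentials();
    }

    /** Call from the config-reload path: drops the delegate and the fingerprint together. */
    public synchronized void reset() { closeDelegate(); tokenFingerprint = null; }

    private void closeDelegate() { if (delegate != null) { delegate.close(); delegate = null; } }

    /** SHA-256 hex of the token, used only for change detection so the raw token is never retained. */
    static String fingerprint(String token) {
        try { return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8))); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Because every public method is synchronized on the same monitor, a request thread calling updateToken cannot interleave with another thread's resolveCredentials mid-swap, and the shared client never sees a half-built delegate.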

Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.



…nctionHandler.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
stevehu commented Apr 11, 2026

@DiogoFKT @KalevGonvick , I have made some changes along with some Copilot updates. Please review and approve. Thanks.
