I could have sworn I saw somewhere that AWS IAM supported using mTLS or something now

nice, I guess I just need to make sure I can forward path, headers and stuff to Lambda via aws4fetch and making sure there's no significant overhead using that over API Gateway. But I'm guessing that's all fine

I'm passing return headers already

example

the via and most of those headers are added by me in my Lambda, not by Amazon or CF.

I meant providing the exact same request to lambda. So forwarding request headers, path, qs, etc

but I can’t see that being an issue

pretty sure it's exact, I use FastAPI and it was the same URLs and everything local vs Lambda

awesome

I recommend at least adding the

via

header if you're gonna use multiple lambda function URLs

so you can track down which endpoint is being buggy (or if all of them are) if you have issues in the future

semi-related, is there any way aside from IAM access tokens and API gateway's mTLS, for a CF Worker to auth with AWS?

not sure, we were originally going to slap an api-token in the header and have API gateway verify it but decided on mTLS since it's more secure

AWS Signature Version 4 should be reasonable secure.

The only benefit I see to mTLS, is a compromised Worker would not be able to extract the key.

why not?

it's bound as an env var I think

all you get is a object with a fetch method

ah I see

If your CF account gets popped, you’re probably already having a very bad day.

if they have write access then any secrets are moot anyways

if it's just read, they can't view your secrets

mTLS private keys can’t be downloaded though, right?

nothing in wrangler to download them - so I assume not

only upload/list/delete

you can also bind cryptokeys to a worker which is pretty cool

but that's an unstable api

Oh right

for service bindings, shouldn't

yarn dev

just work?