Extract resource arn and remote resource access key for cross-account support (#224)

Author: blairhyy-amazon

src/AWS.Distro.OpenTelemetry.AutoInstrumentation/AwsAttributeKeys.cs

@@ -20,6 +20,13 @@ internal sealed class AwsAttributeKeys
     internal static readonly string AttributeAWSSdkDescendant = "aws.sdk.descendant";
     internal static readonly string AttributeAWSConsumerParentSpanKind = "aws.consumer.parent.span.kind";
 
+    // Cross-account support
+    internal static readonly string AttributeAWSAuthAccessKey = "aws.auth.account.access_key";
+    internal static readonly string AttributeAWSAuthRegion = "aws.auth.region";
+    internal static readonly string AttributeAWSRemoteResourceAccessKey = "aws.remote.resource.account.access_key";
+    internal static readonly string AttributeAWSRemoteResourceAccountId = "aws.remote.resource.account.id";
+    internal static readonly string AttributeAWSRemoteResourceRegion = "aws.remote.resource.region";
+
     // This was copied over from AWSSemanticConventions from the here:
     // https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/main/src/OpenTelemetry.Instrumentation.AWS/Implementation/AWSSemanticConventions.cs
     // TODO: add any other attributes keys after auto instrumentation.
@@ -39,6 +46,7 @@ internal sealed class AwsAttributeKeys
 
     // internal static readonly string AttributeAWSSQSQueueUrl = "aws.sqs.queue_url";
     internal static readonly string AttributeAWSSQSQueueName = "aws.sqs.queue_name";
+    internal static readonly string AttributeAWSKinesisStreamArn = "aws.kinesis.stream.arn";
     internal static readonly string AttributeAWSKinesisStreamName = "aws.kinesis.stream_name";
 
     // This attribute is being used here:
@@ -47,6 +55,7 @@ internal sealed class AwsAttributeKeys
     // public const string AttributeAwsDynamodbTableNames = "aws.dynamodb.table_names"
     // Going to use the below one because of the manual instrumentation.
     // TODO: update/remove attribute according to auto instrumentation.
+    internal static readonly string AttributeAWSDynamoTableArn = "aws.dynamodb.table.arn";
     internal static readonly string AttributeAWSDynamoTableName = "aws.table_name";
     internal static readonly string AttributeAWSSQSQueueUrl = "aws.queue_url";
 

src/AWS.Distro.OpenTelemetry.AutoInstrumentation/AwsMetricAttributeGenerator.cs

@@ -9,6 +9,7 @@
 using OpenTelemetry.Trace;
 using static AWS.Distro.OpenTelemetry.AutoInstrumentation.AwsAttributeKeys;
 using static AWS.Distro.OpenTelemetry.AutoInstrumentation.AwsSpanProcessingUtil;
+using static AWS.Distro.OpenTelemetry.AutoInstrumentation.RegionalResourceArnParser;
 using static AWS.Distro.OpenTelemetry.AutoInstrumentation.SqsUrlParser;
 using static OpenTelemetry.Trace.TraceSemanticConventions;
 
@@ -94,7 +95,16 @@ private ActivityTagsCollection GenerateDependencyMetricAttributes(Activity span,
         SetEgressOperation(span, attributes);
         SetRemoteEnvironment(span, attributes);
         SetRemoteServiceAndOperation(span, attributes);
-        SetRemoteResourceTypeAndIdentifier(span, attributes);
+        bool isRemoteResourceIdentifierPresent = SetRemoteResourceTypeAndIdentifier(span, attributes);
+        if (isRemoteResourceIdentifierPresent)
+        {
+            bool isAccountIdAndRegionPresent = SetRemoteResourceAccountIdAndRegion(span, attributes);
+            if (!isAccountIdAndRegionPresent)
+            {
+                SetRemoteResourceAccessKeyAndRegion(span, attributes);
+            }
+        }
+
         SetSpanKindForDependency(span, attributes);
         SetRemoteDbUser(span, attributes);
 
@@ -413,8 +423,9 @@ private static string NormalizeRemoteServiceName(Activity span, string serviceNa
 
     // This function is used to check for AWS specific attributes and set the RemoteResourceType
     // and RemoteResourceIdentifier accordingly. Right now, this sets it for DDB, S3, Kinesis,
-    // and SQS (using QueueName or QueueURL)
-    private static void SetRemoteResourceTypeAndIdentifier(Activity span, ActivityTagsCollection attributes)
+    // and SQS (using QueueName or QueueURL). Returns true if remote resource type and identifier
+    // are successfully set, false otherwise.
+    private static bool SetRemoteResourceTypeAndIdentifier(Activity span, ActivityTagsCollection attributes)
     {
         string? remoteResourceType = null;
         string? remoteResourceIdentifier = null;
@@ -426,11 +437,21 @@ private static void SetRemoteResourceTypeAndIdentifier(Activity span, ActivityTa
                 remoteResourceType = NormalizedDynamoDBServiceName + "::Table";
                 remoteResourceIdentifier = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSDynamoTableName));
             }
+            else if (IsKeyPresent(span, AttributeAWSDynamoTableArn))
+            {
+                remoteResourceType = NormalizedDynamoDBServiceName + "::Table";
+                remoteResourceIdentifier = EscapeDelimiters(RegionalResourceArnParser.ExtractDynamoDbTableNameFromArn((string?)span.GetTagItem(AttributeAWSDynamoTableArn)));
+            }
             else if (IsKeyPresent(span, AttributeAWSKinesisStreamName))
             {
                 remoteResourceType = NormalizedKinesisServiceName + "::Stream";
                 remoteResourceIdentifier = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSKinesisStreamName));
             }
+            else if (IsKeyPresent(span, AttributeAWSKinesisStreamArn))
+            {
+                remoteResourceType = NormalizedKinesisServiceName + "::Stream";
+                remoteResourceIdentifier = EscapeDelimiters(RegionalResourceArnParser.ExtractKinesisStreamNameFromArn((string?)span.GetTagItem(AttributeAWSKinesisStreamArn)));
+            }
             else if (IsKeyPresent(span, AttributeAWSLambdaFunctionName))
             {
                 // For non-invoke Lambda operations, treat Lambda as a resource.
@@ -455,13 +476,13 @@ private static void SetRemoteResourceTypeAndIdentifier(Activity span, ActivityTa
             else if (IsKeyPresent(span, AttributeAWSSecretsManagerSecretArn))
             {
                 remoteResourceType = NormalizedSecretsManagerServiceName + "::Secret";
-                remoteResourceIdentifier = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSSecretsManagerSecretArn))?.Split(':').Last();
+                remoteResourceIdentifier = EscapeDelimiters(RegionalResourceArnParser.ExtractResourceNameFromArn((string?)span.GetTagItem(AttributeAWSSecretsManagerSecretArn)));
                 cloudformationPrimaryIdentifier = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSSecretsManagerSecretArn));
             }
             else if (IsKeyPresent(span, AttributeAWSSNSTopicArn))
             {
                 remoteResourceType = NormalizedSNSServiceName + "::Topic";
-                remoteResourceIdentifier = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSSNSTopicArn))?.Split(':').Last();
+                remoteResourceIdentifier = EscapeDelimiters(RegionalResourceArnParser.ExtractResourceNameFromArn((string?)span.GetTagItem(AttributeAWSSNSTopicArn)));
                 cloudformationPrimaryIdentifier = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSSNSTopicArn));
             }
             else if (IsKeyPresent(span, AttributeAWSSQSQueueName))
@@ -479,13 +500,16 @@ private static void SetRemoteResourceTypeAndIdentifier(Activity span, ActivityTa
             else if (IsKeyPresent(span, AttributeAWSStepFunctionsActivityArn))
             {
                 remoteResourceType = NormalizedStepFunctionsName + "::Activity";
-                remoteResourceIdentifier = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSStepFunctionsActivityArn))?.Split(':').Last();
+                remoteResourceIdentifier =
+                    EscapeDelimiters(
+                        RegionalResourceArnParser.ExtractResourceNameFromArn(
+                            (string?)span.GetTagItem(AttributeAWSStepFunctionsActivityArn)));
                 cloudformationPrimaryIdentifier = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSStepFunctionsActivityArn));
             }
             else if (IsKeyPresent(span, AttributeAWSStepFunctionsStateMachineArn))
             {
                 remoteResourceType = NormalizedStepFunctionsName + "::StateMachine";
-                remoteResourceIdentifier = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSStepFunctionsStateMachineArn))?.Split(':').Last();
+                remoteResourceIdentifier = EscapeDelimiters(RegionalResourceArnParser.ExtractResourceNameFromArn((string?)span.GetTagItem(AttributeAWSStepFunctionsStateMachineArn)));
                 cloudformationPrimaryIdentifier = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSStepFunctionsStateMachineArn));
             }
             else if (IsKeyPresent(span, AttributeAWSBedrockGuardrailId))
@@ -535,6 +559,73 @@ private static void SetRemoteResourceTypeAndIdentifier(Activity span, ActivityTa
             attributes.Add(AttributeAWSRemoteResourceType, remoteResourceType);
             attributes.Add(AttributeAWSRemoteResourceIdentifier, remoteResourceIdentifier);
             attributes.Add(AttributeAWSCloudformationPrimaryIdentifier, cloudformationPrimaryIdentifier);
+            return true;
+        }
+
+        return false;
+    }
+
+    // Extracts and sets the remote resource account ID and region from either an SQS queue URL or various AWS ARN attributes.
+    private static bool SetRemoteResourceAccountIdAndRegion(Activity span, ActivityTagsCollection attributes)
+    {
+        string[] arnAttributes = new[]
+        {
+            AttributeAWSDynamoTableArn,
+            AttributeAWSKinesisStreamArn,
+            AttributeAWSSNSTopicArn,
+            AttributeAWSSecretsManagerSecretArn,
+            AttributeAWSStepFunctionsActivityArn,
+            AttributeAWSStepFunctionsStateMachineArn,
+            AttributeAWSBedrockGuardrailArn,
+            AttributeAWSLambdaFunctionArn,
+        };
+
+        string? remoteResourceAccountId = null;
+        string? remoteResourceRegion = null;
+
+        if (IsKeyPresent(span, AttributeAWSSQSQueueUrl))
+        {
+            string? url = EscapeDelimiters((string?)span.GetTagItem(AttributeAWSSQSQueueUrl));
+            remoteResourceAccountId = SqsUrlParser.GetAccountId(url);
+            remoteResourceRegion = SqsUrlParser.GetRegion(url);
+        }
+        else
+        {
+            foreach (var attributeKey in arnAttributes)
+            {
+                if (IsKeyPresent(span, attributeKey))
+                {
+                    string? arn = (string?)span.GetTagItem(attributeKey);
+                    remoteResourceAccountId = RegionalResourceArnParser.GetAccountId(arn);
+                    remoteResourceRegion = RegionalResourceArnParser.GetRegion(arn);
+                    break;
+                }
+            }
+        }
+
+        if (remoteResourceAccountId != null && remoteResourceRegion != null)
+        {
+            attributes.Add(AttributeAWSRemoteResourceAccountId, remoteResourceAccountId);
+            attributes.Add(AttributeAWSRemoteResourceRegion, remoteResourceRegion);
+            return true;
+        }
+
+        return false;
+    }
+
+    // Extracts and sets the remote resource account access key id and region from STS credentials.
+    private static void SetRemoteResourceAccessKeyAndRegion(Activity span, ActivityTagsCollection attributes)
+    {
+        if (IsKeyPresent(span, AttributeAWSAuthAccessKey))
+        {
+            string? remoteResourceAccessKey = (string?)span.GetTagItem(AttributeAWSAuthAccessKey);
+            attributes.Add(AttributeAWSRemoteResourceAccessKey, remoteResourceAccessKey);
+        }
+
+        if (IsKeyPresent(span, AttributeAWSAuthRegion))
+        {
+            string? remoteResourceRegion = (string?)span.GetTagItem(AttributeAWSAuthRegion);
+            attributes.Add(AttributeAWSRemoteResourceRegion, remoteResourceRegion);
         }
     }
 

src/AWS.Distro.OpenTelemetry.AutoInstrumentation/RegionalResourceArnParser.cs

@@ -0,0 +1,41 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+namespace AWS.Distro.OpenTelemetry.AutoInstrumentation;
+
+public class RegionalResourceArnParser
+{
+    public static string? GetAccountId(string? arn) => ParseArn(arn)?[4];
+
+    public static string? GetRegion(string? arn) => ParseArn(arn)?[3];
+
+    public static string? ExtractKinesisStreamNameFromArn(string? arn) =>
+        ExtractResourceNameFromArn(arn)?.Replace("stream/", string.Empty);
+
+    public static string? ExtractDynamoDbTableNameFromArn(string? arn) =>
+        ExtractResourceNameFromArn(arn)?.Replace("table/", string.Empty);
+
+    public static string? ExtractResourceNameFromArn(string? arn) =>
+        ParseArn(arn) is var parts && parts != null ? parts[parts.Length - 1] : null;
+
+    /// <summary>
+    /// Parses ARN with formats:
+    /// arn:partition:service:region:account-id:resource-type/resource-id or
+    /// arn:partition:service:region:account-id:resource-type:resource-id
+    /// </summary>
+    private static string[] ? ParseArn(string? arn)
+    {
+        if (arn == null || !arn.StartsWith("arn:"))
+        {
+            return null;
+        }
+
+        var parts = arn.Split(':');
+        return parts.Length >= 6 && IsAccountId(parts[4]) ? parts : null;
+    }
+
+    private static bool IsAccountId(string input)
+    {
+        return long.TryParse(input, out _);
+    }
+}

src/AWS.Distro.OpenTelemetry.AutoInstrumentation/SqlUrlParser.cs

@@ -1,8 +1,6 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-using System.Text;
-
 namespace AWS.Distro.OpenTelemetry.AutoInstrumentation;
 
 /// <summary>
@@ -17,8 +15,11 @@ public class SqsUrlParser
     /// Best-effort logic to extract queue name from an HTTP url. This method should only be used with
     /// a string that is, with reasonably high confidence, an SQS queue URL. Handles new/legacy/some
     /// custom URLs. Essentially, we require that the URL should have exactly three parts, delimited by
-    /// /'s (excluding schema), the second part should be a 12-digit account id, and the third part
+    /// /'s (excluding schema), the second part should be an account id consisting of digits, and the third part
     /// should be a valid queue name, per SQS naming conventions.
+    ///
+    /// Unlike ParseUrl which only handles new URLs and their queuename parsing, this
+    /// implements its own queue name parsing logic to support multiple URL formats.
     /// </summary>
     /// <param name="url"><see cref="string"/>Url to get the remote target from</param>
     /// <returns>parsed remote target</returns>
@@ -29,8 +30,8 @@ public class SqsUrlParser
             return null;
         }
 
-        url = url.Replace(HttpSchema, string.Empty).Replace(HttpsSchema, string.Empty);
-        string[] splitUrl = url.Split('/');
+        string urlWithoutProtocol = url.Replace(HttpSchema, string.Empty).Replace(HttpsSchema, string.Empty);
+        string[] splitUrl = urlWithoutProtocol.Split('/');
         if (splitUrl.Length == 3 && IsAccountId(splitUrl[1]) && IsValidQueueName(splitUrl[2]))
         {
             return splitUrl[2];
@@ -39,23 +40,46 @@ public class SqsUrlParser
         return null;
     }
 
-    private static bool IsAccountId(string input)
+    public static string? GetAccountId(string? url) => ParseUrl(url).accountId;
+
+    public static string? GetRegion(string? url) => ParseUrl(url).region;
+
+    /// <summary>
+    /// Parses new SQS URLs https://sqs.region.amazonaws.com/accountI/queueName;
+    /// </summary>
+    /// <param name="url">SQS URL to parse</param>
+    /// <returns>Tuple containing queue name, account ID, and region</returns>
+    public static (string? QueueName, string? accountId, string? region) ParseUrl(string? url)
     {
-        if (input == null || input.Length != 12)
+        if (url == null)
         {
-            return false;
+            return (null, null, null);
         }
 
-        try
-        {
-            long.Parse(input);
-        }
-        catch (Exception)
+        string urlWithoutProtocol = url.Replace(HttpSchema, string.Empty).Replace(HttpsSchema, string.Empty);
+        string[] splitUrl = urlWithoutProtocol.Split('/');
+
+        if (
+            splitUrl.Length != 3 ||
+            !splitUrl[0].StartsWith("sqs", StringComparison.OrdinalIgnoreCase) ||
+            !IsAccountId(splitUrl[1]) ||
+            !IsValidQueueName(splitUrl[2]))
         {
-            return false;
+            return (null, null, null);
         }
 
-        return true;
+        string domain = splitUrl[0];
+        string[] domainParts = domain.Split('.');
+
+        return (
+            splitUrl[2],
+            splitUrl[1],
+            domainParts.Length == 4 ? domainParts[1] : null);
+    }
+
+    private static bool IsAccountId(string input)
+    {
+        return long.TryParse(input, out _);
     }
 
     private static bool IsValidQueueName(string input)

src/OpenTelemetry.Instrumentation.AWS/Implementation/AWSSemanticConventions.cs

@@ -9,11 +9,15 @@ internal static class AWSSemanticConventions
     public const string AttributeAWSOperationName = "aws.operation";
     public const string AttributeAWSRegion = "aws.region";
     public const string AttributeAWSRequestId = "aws.requestId";
+    public const string AttributeAWSAuthAccessKey = "aws.auth.account.access_key";
+    public const string AttributeAWSAuthRegion = "aws.auth.region";
 
+    public const string AttributeAWSDynamoTableArn = "aws.dynamodb.table.arn";
     public const string AttributeAWSDynamoTableName = "aws.table_name";
     public const string AttributeAWSSQSQueueUrl = "aws.queue_url";
     public const string AttributeAWSSQSQueueName = "aws.sqs.queue_name";
     public const string AttributeAWSS3BucketName = "aws.s3.bucket";
+    public const string AttributeAWSKinesisStreamArn = "aws.kinesis.stream.arn";
     public const string AttributeAWSKinesisStreamName = "aws.kinesis.stream_name";
     public const string AttributeAWSLambdaFunctionArn = "aws.lambda.function.arn";
     public const string AttributeAWSLambdaFunctionName = "aws.lambda.function.name";

src/OpenTelemetry.Instrumentation.AWS/Implementation/AWSServiceHelper.cs

@@ -12,7 +12,7 @@ internal class AWSServiceHelper
         { AWSServiceType.DynamoDbService, new List<string> { "TableName" } },
         { AWSServiceType.SQSService, new List<string> { "QueueUrl", "QueueName" } },
         { AWSServiceType.S3Service, new List<string> { "BucketName" } },
-        { AWSServiceType.KinesisService, new List<string> { "StreamName" } },
+        { AWSServiceType.KinesisService, new List<string> { "StreamName", "StreamARN" } },
         { AWSServiceType.LambdaService, new List<string> { "UUID", "FunctionName" } },
         { AWSServiceType.SecretsManagerService, new List<string> { "SecretId" } },
         { AWSServiceType.SNSService, new List<string> { "TopicArn" } },
@@ -32,11 +32,13 @@ internal class AWSServiceHelper
 
     internal static IReadOnlyDictionary<string, string> ParameterAttributeMap = new Dictionary<string, string>()
     {
+        { "TableArn", AWSSemanticConventions.AttributeAWSDynamoTableArn },
         { "TableName", AWSSemanticConventions.AttributeAWSDynamoTableName },
         { "QueueUrl", AWSSemanticConventions.AttributeAWSSQSQueueUrl },
         { "QueueName", AWSSemanticConventions.AttributeAWSSQSQueueName },
         { "BucketName", AWSSemanticConventions.AttributeAWSS3BucketName },
         { "StreamName", AWSSemanticConventions.AttributeAWSKinesisStreamName },
+        { "StreamARN", AWSSemanticConventions.AttributeAWSKinesisStreamArn },
         { "TopicArn", AWSSemanticConventions.AttributeAWSSNSTopicArn },
         { "ARN", AWSSemanticConventions.AttributeAWSSecretsManagerSecretArn },
         { "SecretId", AWSSemanticConventions.AttributeAWSSecretsManagerSecretArn },