Add test for Sdk instrumentation patch

blairhyy-amazon · blairhyy-amazon · commit 63da3361fa1c · 2025-07-28T17:07:50.000-07:00
diff --git a/aws-distro-opentelemetry-node-autoinstrumentation/package.json b/aws-distro-opentelemetry-node-autoinstrumentation/package.json
@@ -78,6 +78,7 @@
     "@aws-sdk/client-s3": "3.632.0",
     "@aws-sdk/client-secrets-manager": "3.632.0",
     "@aws-sdk/client-sfn": "3.632.0",
+    "@aws-sdk/client-sts": "3.632.0",
     "@aws-sdk/client-sns": "3.632.0",
     "@opentelemetry/contrib-test-utils": "^0.45.0",
     "@smithy/protocol-http": "^5.0.1",
diff --git a/aws-distro-opentelemetry-node-autoinstrumentation/test/patches/instrumentation-patch.test.ts b/aws-distro-opentelemetry-node-autoinstrumentation/test/patches/instrumentation-patch.test.ts
@@ -37,6 +37,7 @@ import * as nock from 'nock';
 import { ReadableSpan, Span as SDKSpan } from '@opentelemetry/sdk-trace-base';
 import { getTestSpans } from '@opentelemetry/contrib-test-utils';
 import { instrumentationConfigs } from '../../src/register';
+import { STS } from '@aws-sdk/client-sts';
 
 // It is assumed that bedrock.test.ts has already registered the
 // necessary instrumentations for testing by calling:
@@ -692,6 +693,47 @@ describe('InstrumentationPatchTest', () => {
       });
     });
 
+    it('prevents recursion when credentials provider makes STS calls', async () => {
+      let credentialsCallCount = 0;
+
+      // Create separate STS client for credential fetching
+      const credentialsStsClient = new STS({ region: 'us-east-1' });
+
+      // Create main client with credentials provider that calls STS
+      const mainClient = new Lambda({
+        region: 'us-east-1',
+        credentials: async () => {
+          credentialsCallCount++;
+          // Simulate STS call for credentials (this should be skipped on recursion)
+          await credentialsStsClient.getCallerIdentity({}).catch(() => {});
+          return { accessKeyId: 'sts-access-key', secretAccessKey: 'secret' };
+        },
+      });
+
+      // Mock HTTP responses
+      nock('https://sts.us-east-1.amazonaws.com')
+        .post('/')
+        .reply(200, '<GetCallerIdentityResponse></GetCallerIdentityResponse>');
+
+      nock('https://lambda.us-east-1.amazonaws.com').post('/2015-03-31/functions/test/invocations').reply(200, 'null');
+
+      // Make Lambda call - this triggers credential extraction which calls STS
+      await mainClient.invoke({ FunctionName: 'test' }).catch((err: any) => {});
+
+      const testSpans = getTestSpans();
+      const lambdaSpans = testSpans.filter(s => s.name.includes('test Invoke'));
+
+      // Verify recursion was prevented - only one credentials call
+      expect(credentialsCallCount).toBe(1);
+      expect(lambdaSpans.length).toBe(1);
+
+      // Verify span has the extracted credentials attribute
+      const spanWithCredentials = lambdaSpans.find(
+        span => span.attributes[AWS_ATTRIBUTE_KEYS.AWS_AUTH_ACCOUNT_ACCESS_KEY] === 'sts-access-key'
+      );
+      expect(spanWithCredentials).toBeDefined();
+    });
+
     it('injects trace context header into request via propagator', async () => {
       lambda = new Lambda({
         region: region,
