Skip credential extraction if the context is not injectable

blairhyy-amazon · blairhyy-amazon · commit 9e036ee3086d · 2025-07-29T13:05:52.000-07:00
diff --git a/aws-distro-opentelemetry-node-autoinstrumentation/src/patches/instrumentation-patch.ts b/aws-distro-opentelemetry-node-autoinstrumentation/src/patches/instrumentation-patch.ts
@@ -470,25 +470,28 @@ function patchAwsSdkInstrumentation(instrumentation: Instrumentation): void {
                 // suppressTracing prevents span generation for internal credential extraction calls
                 // which are implementation details and not relevant to the application's telemetry
                 const suppressedContext = suppressTracing(activeContext).setValue(SKIP_CREDENTIAL_CAPTURE_KEY, true);
-                await otelContext.with(suppressedContext, async () => {
-                  try {
-                    const credsProvider = this.config.credentials;
-                    if (credsProvider instanceof Function) {
-                      const credentials = await credsProvider();
-                      if (credentials?.accessKeyId) {
-                        span.setAttribute(AWS_ATTRIBUTE_KEYS.AWS_AUTH_ACCOUNT_ACCESS_KEY, credentials.accessKeyId);
+                // Skip credential extraction if the context is not injectable
+                if (suppressedContext.getValue(SKIP_CREDENTIAL_CAPTURE_KEY)) {
+                  await otelContext.with(suppressedContext, async () => {
+                    try {
+                      const credsProvider = this.config.credentials;
+                      if (credsProvider instanceof Function) {
+                        const credentials = await credsProvider();
+                        if (credentials?.accessKeyId) {
+                          span.setAttribute(AWS_ATTRIBUTE_KEYS.AWS_AUTH_ACCOUNT_ACCESS_KEY, credentials.accessKeyId);
+                        }
                       }
-                    }
-                    if (this.config.region instanceof Function) {
-                      const region = await this.config.region();
-                      if (region) {
-                        span.setAttribute(AWS_ATTRIBUTE_KEYS.AWS_AUTH_REGION, region);
+                      if (this.config.region instanceof Function) {
+                        const region = await this.config.region();
+                        if (region) {
+                          span.setAttribute(AWS_ATTRIBUTE_KEYS.AWS_AUTH_REGION, region);
+                        }
                       }
+                    } catch (err) {
+                      diag.debug('Failed to get auth account access key and region:', err);
                     }
-                  } catch (err) {
-                    diag.debug('Failed to get auth account access key and region:', err);
-                  }
-                });
+                  });
+                }
               }
 
               return await next(middlewareArgs);
diff --git a/aws-distro-opentelemetry-node-autoinstrumentation/test/patches/instrumentation-patch.test.ts b/aws-distro-opentelemetry-node-autoinstrumentation/test/patches/instrumentation-patch.test.ts
@@ -15,6 +15,7 @@ import {
   TextMapSetter,
   INVALID_SPAN_CONTEXT,
   SpanStatusCode,
+  ROOT_CONTEXT,
 } from '@opentelemetry/api';
 import { getNodeAutoInstrumentations } from '@opentelemetry/auto-instrumentations-node';
 import { Instrumentation } from '@opentelemetry/instrumentation';
@@ -695,6 +696,50 @@ describe('InstrumentationPatchTest', () => {
         ).toBeTruthy();
         expect(mockSpan.setAttribute.calledWith(AWS_ATTRIBUTE_KEYS.AWS_AUTH_REGION, 'us-west-2')).toBeTruthy();
       });
+
+      it('Skips credential extraction with non-injectable NoOp context', async () => {
+        let credentialsProviderCallCount = 0;
+        const NoOpContext = Object.create(ROOT_CONTEXT);
+        NoOpContext.setValue = function () {
+          return this;
+        };
+        NoOpContext.deleteValue = function () {
+          return this;
+        };
+
+        const mockSpan = sinon.createStubInstance(SDKSpan);
+        const ctx = trace.setSpan(NoOpContext, mockSpan as unknown as Span);
+
+        sinon.stub(otelContext, 'active').returns(ctx);
+        sinon.stub(trace, 'getSpan').returns(mockSpan as unknown as Span);
+
+        const middlewareStack: any[] = [];
+        const recursiveSdkSend = extractAwsSdkInstrumentation(PATCHED_INSTRUMENTATIONS)
+          ['_getV3SmithyClientSendPatch'](() => Promise.resolve())
+          .bind({
+            middlewareStack: { add: (middleware: any, config: any) => middlewareStack.push([middleware, config]) },
+            config: {
+              // Credentials provider that recursively calls SDK (simulates STS)
+              credentials: async () => {
+                credentialsProviderCallCount++;
+                await middlewareStack[1][0](() => Promise.resolve(), null)({});
+                return { accessKeyId: 'test-access-key' };
+              },
+              region: () => Promise.resolve('us-west-2'),
+            },
+          });
+
+        // Initial SDK call triggers middleware setup
+        await recursiveSdkSend({}, null);
+
+        // Execute credentials extraction middleware
+        await middlewareStack[1][0](() => Promise.resolve(), null)({});
+
+        expect(credentialsProviderCallCount).toBe(0);
+        expect(
+          mockSpan.setAttribute.calledWith(AWS_ATTRIBUTE_KEYS.AWS_AUTH_ACCOUNT_ACCESS_KEY, 'test-access-key')
+        ).toBeFalsy();
+      });
     });
 
     it('prevents recursion when credentials provider makes STS calls', async () => {
