Handle otel context failure gracefully

Author: blairhyy-amazon

aws-distro-opentelemetry-node-autoinstrumentation/src/patches/instrumentation-patch.ts

@@ -406,17 +406,28 @@ function patchAwsSdkInstrumentation(instrumentation: Instrumentation): void {
           this.middlewareStack?.add(
             (next: any, context: any) => async (middlewareArgs: any) => {
               const activeContext = otelContext.active();
+              if (!activeContext) {
+                return await next(middlewareArgs);
+              }
+
               // Skip credential extraction if this is a nested call from another credential extraction
               // This prevents infinite recursion when credential providers make AWS API calls
-              if (activeContext.getValue(SKIP_CREDENTIAL_CAPTURE_KEY)) {
+              if (activeContext.getValue?.(SKIP_CREDENTIAL_CAPTURE_KEY)) {
                 return await next(middlewareArgs);
               }
               const span = trace.getSpan(activeContext);
 
               if (span) {
                 // suppressTracing prevents span generation for internal credential extraction calls
                 // which are implementation details and not relevant to the application's telemetry
-                const suppressedContext = suppressTracing(activeContext).setValue(SKIP_CREDENTIAL_CAPTURE_KEY, true);
+                let suppressedContext;
+                try {
+                  suppressedContext = suppressTracing(activeContext);
+                  suppressedContext.setValue(SKIP_CREDENTIAL_CAPTURE_KEY, true);
+                } catch {
+                  return await next(middlewareArgs);
+                }
+
                 await otelContext.with(suppressedContext, async () => {
                   try {
                     const credsProvider = this.config.credentials;

aws-distro-opentelemetry-node-autoinstrumentation/test/patches/instrumentation-patch.test.ts

@@ -692,59 +692,88 @@ describe('InstrumentationPatchTest', () => {
       });
     });
 
-    it('Prevents recursion when credentials provider makes STS calls', async () => {
-      // Track credentials provider calls and skip flag state
-      let credentialsProviderCallCount = 0;
-      let skipCredentialCaptureValue = false;
-
-      // Mock span for attribute capture
-      const mockSpan = { setAttribute: sinon.stub() };
-      sinon.stub(trace, 'getSpan').returns(mockSpan as unknown as Span);
-
-      // Mock OpenTelemetry context to track skip-credential-capture flag
-      const mockContext = {
-        getValue: (key: symbol) =>
-          key.toString().includes('skip-credential-capture') ? skipCredentialCaptureValue : undefined,
-        setValue: (key: symbol, value: any) => {
-          if (key.toString().includes('skip-credential-capture')) skipCredentialCaptureValue = value;
-          return mockContext;
-        },
-        deleteValue: () => mockContext,
-      };
-      sinon.stub(context, 'active').returns(mockContext);
-
-      // Capture middleware added to stack
-      const middlewareStack: any[] = [];
-      const recursiveSdkSend = extractAwsSdkInstrumentation(PATCHED_INSTRUMENTATIONS)
-        ['_getV3SmithyClientSendPatch'](() => Promise.resolve())
-        .bind({
-          middlewareStack: { add: (middleware: any, config: any) => middlewareStack.push([middleware, config]) },
-          config: {
-            // Credentials provider that recursively calls SDK (simulates STS)
-            credentials: async () => {
-              credentialsProviderCallCount++;
-              await recursiveSdkSend({}, null);
-              return { accessKeyId: 'test-access-key' };
-            },
-            region: () => Promise.resolve('us-west-2'),
+    describe('credential extraction failure handling', () => {
+      let credentialsProviderCallCount: number;
+      let mockSpan: any;
+      let middlewareStack: any[];
+      let recursiveSdkSend: any;
+      let createSdkSend: (recursive?: boolean) => any;
+
+      beforeEach(() => {
+        credentialsProviderCallCount = 0;
+        mockSpan = { setAttribute: sinon.stub() };
+        sinon.stub(trace, 'getSpan').returns(mockSpan as unknown as Span);
+        middlewareStack = [];
+
+        createSdkSend = () => {
+          return extractAwsSdkInstrumentation(PATCHED_INSTRUMENTATIONS)
+            ['_getV3SmithyClientSendPatch'](() => Promise.resolve())
+            .bind({
+              middlewareStack: { add: (middleware: any, config: any) => middlewareStack.push([middleware, config]) },
+              config: {
+                credentials: async () => {
+                  credentialsProviderCallCount++;
+                  await recursiveSdkSend({}, null);
+                  return { accessKeyId: 'test-access-key' };
+                },
+                region: () => Promise.resolve('us-west-2'),
+              },
+            });
+        };
+      });
+
+      afterEach(() => {
+        sinon.restore();
+      });
+
+      it('Prevents recursion when credentials provider makes STS calls', async () => {
+        let skipCredentialCaptureValue = false;
+        const mockContext = {
+          getValue: (key: symbol) =>
+            key.toString().includes('skip-credential-capture') ? skipCredentialCaptureValue : undefined,
+          setValue: (key: symbol, value: any) => {
+            if (key.toString().includes('skip-credential-capture')) skipCredentialCaptureValue = value;
+            return mockContext;
           },
-        });
+          deleteValue: () => mockContext,
+        };
+        sinon.stub(context, 'active').returns(mockContext);
+        recursiveSdkSend = createSdkSend();
 
-      // Initial SDK call triggers middleware setup
-      await recursiveSdkSend({}, null);
-      expect(skipCredentialCaptureValue).toBe(false);
+        await recursiveSdkSend({}, null);
+        await middlewareStack[1][0](() => Promise.resolve(), null)({});
 
-      // Execute credentials extraction middleware
-      await middlewareStack[1][0](() => Promise.resolve(), null)({});
+        expect(credentialsProviderCallCount).toBe(1);
+        expect(skipCredentialCaptureValue).toBe(true);
+        expect(
+          mockSpan.setAttribute.calledWith(AWS_ATTRIBUTE_KEYS.AWS_AUTH_ACCOUNT_ACCESS_KEY, 'test-access-key')
+        ).toBeTruthy();
+      });
+
+      it('Handles undefined active context gracefully', async () => {
+        sinon.stub(context, 'active').returns(undefined as any);
+        recursiveSdkSend = createSdkSend();
 
-      // Verify recursion prevention: only one credentials call despite recursive setup
-      expect(credentialsProviderCallCount).toBe(1);
-      expect(skipCredentialCaptureValue).toBe(true);
-      expect(
-        mockSpan.setAttribute.calledWith(AWS_ATTRIBUTE_KEYS.AWS_AUTH_ACCOUNT_ACCESS_KEY, 'test-access-key')
-      ).toBeTruthy();
+        await recursiveSdkSend({}, null);
+        await middlewareStack[1][0](() => Promise.resolve(), null)({});
+        expect(credentialsProviderCallCount).toBe(0);
+      });
 
-      sinon.restore();
+      it('Handles setValue failure gracefully', async () => {
+        const mockContext = {
+          getValue: () => false,
+          setValue: () => {
+            throw new Error('setValue failed');
+          },
+          deleteValue: () => mockContext,
+        };
+        sinon.stub(context, 'active').returns(mockContext);
+        recursiveSdkSend = createSdkSend();
+
+        await recursiveSdkSend({}, null);
+        await middlewareStack[1][0](() => Promise.resolve(), null)({});
+        expect(credentialsProviderCallCount).toBe(0);
+      });
     });
 
     it('injects trace context header into request via propagator', async () => {