Skip credential extraction if the context is not injectable

Author: blairhyy-amazon

aws-distro-opentelemetry-node-autoinstrumentation/src/patches/instrumentation-patch.ts

@@ -470,6 +470,10 @@ function patchAwsSdkInstrumentation(instrumentation: Instrumentation): void {
                 // suppressTracing prevents span generation for internal credential extraction calls
                 // which are implementation details and not relevant to the application's telemetry
                 const suppressedContext = suppressTracing(activeContext).setValue(SKIP_CREDENTIAL_CAPTURE_KEY, true);
+                // Skip credential extraction if the context is not injectable
+                if (!suppressedContext.getValue(SKIP_CREDENTIAL_CAPTURE_KEY)) {
+                  return await next(middlewareArgs);
+                }
                 await otelContext.with(suppressedContext, async () => {
                   try {
                     const credsProvider = this.config.credentials;

aws-distro-opentelemetry-node-autoinstrumentation/test/patches/instrumentation-patch.test.ts

@@ -15,6 +15,7 @@ import {
   TextMapSetter,
   INVALID_SPAN_CONTEXT,
   SpanStatusCode,
+  ROOT_CONTEXT,
 } from '@opentelemetry/api';
 import { getNodeAutoInstrumentations } from '@opentelemetry/auto-instrumentations-node';
 import { Instrumentation } from '@opentelemetry/instrumentation';
@@ -695,6 +696,45 @@ describe('InstrumentationPatchTest', () => {
         ).toBeTruthy();
         expect(mockSpan.setAttribute.calledWith(AWS_ATTRIBUTE_KEYS.AWS_AUTH_REGION, 'us-west-2')).toBeTruthy();
       });
+
+      it('Skips credential extraction with non-injectable NoOp context', async () => {
+        let credentialsProviderCallCount = 0;
+        const NoOpContext = Object.create(ROOT_CONTEXT);
+        NoOpContext.setValue = function() { return this; };
+        NoOpContext.deleteValue = function() { return this; };
+        NoOpContext.getValue = function() { return undefined; };
+        
+        const mockSpan = sinon.createStubInstance(SDKSpan);
+        const ctx = trace.setSpan(NoOpContext, mockSpan as unknown as Span);
+        
+        sinon.stub(otelContext, 'active').returns(ctx);
+        sinon.stub(trace, 'getSpan').returns(mockSpan as unknown as Span);
+        
+        const middlewareStack: any[] = [];
+        const recursiveSdkSend = extractAwsSdkInstrumentation(PATCHED_INSTRUMENTATIONS)
+          ['_getV3SmithyClientSendPatch'](() => Promise.resolve())
+          .bind({
+            middlewareStack: { add: (middleware: any, config: any) => middlewareStack.push([middleware, config]) },
+            config: {
+              // Credentials provider that recursively calls SDK (simulates STS)
+              credentials: async () => {
+                credentialsProviderCallCount++;
+                await middlewareStack[1][0](() => Promise.resolve(), null)({});
+                return { accessKeyId: 'test-access-key' };
+              },
+              region: () => Promise.resolve('us-west-2'),
+            },
+          });
+
+        // Initial SDK call triggers middleware setup
+        await recursiveSdkSend({}, null);
+
+        // Execute credentials extraction middleware
+        await middlewareStack[1][0](() => Promise.resolve(), null)({});
+
+        expect(credentialsProviderCallCount).toBe(0);
+        expect(mockSpan.setAttribute.calledWith(AWS_ATTRIBUTE_KEYS.AWS_AUTH_ACCOUNT_ACCESS_KEY, 'test-access-key')).toBeFalsy();
+      });
     });
 
     it('prevents recursion when credentials provider makes STS calls', async () => {