feat: Add SecretsManager Secret ARN to Span Data

yiyuan-he · yiyuan-he · commit 4d85bc6267e6 · 2024-09-23T10:29:36.000-07:00
diff --git a/aws-opentelemetry-distro/src/amazon/opentelemetry/distro/_aws_attribute_keys.py b/aws-opentelemetry-distro/src/amazon/opentelemetry/distro/_aws_attribute_keys.py
@@ -23,3 +23,4 @@
 AWS_BEDROCK_KNOWLEDGE_BASE_ID: str = "aws.bedrock.knowledge_base.id"
 AWS_BEDROCK_AGENT_ID: str = "aws.bedrock.agent.id"
 AWS_BEDROCK_GUARDRAIL_ID: str = "aws.bedrock.guardrail.id"
+AWS_SECRETSMANAGER_SECRET_ARN: str = "aws.secretsmanager.secret.arn"
diff --git a/aws-opentelemetry-distro/src/amazon/opentelemetry/distro/_aws_metric_attribute_generator.py b/aws-opentelemetry-distro/src/amazon/opentelemetry/distro/_aws_metric_attribute_generator.py
@@ -18,6 +18,7 @@
     AWS_REMOTE_RESOURCE_IDENTIFIER,
     AWS_REMOTE_RESOURCE_TYPE,
     AWS_REMOTE_SERVICE,
+    AWS_SECRETSMANAGER_SECRET_ARN,
     AWS_SNS_TOPIC_ARN,
     AWS_SPAN_KIND,
     AWS_SQS_QUEUE_NAME,
@@ -89,6 +90,7 @@
 _NORMALIZED_SNS_SERVICE_NAME: str = "AWS::SNS"
 _NORMALIZED_BEDROCK_SERVICE_NAME: str = "AWS::Bedrock"
 _NORMALIZED_BEDROCK_RUNTIME_SERVICE_NAME: str = "AWS::BedrockRuntime"
+_NORMALIZED_SECRETSMANAGER_SERVICE_NAME: str = "AWS::SecretsManager"
 _DB_CONNECTION_STRING_TYPE: str = "DB::Connection"
 
 # Special DEPENDENCY attribute value if GRAPHQL_OPERATION_TYPE attribute key is present.
@@ -310,6 +312,7 @@ def _normalize_remote_service_name(span: ReadableSpan, service_name: str) -> str
             "Bedrock Agent": _NORMALIZED_BEDROCK_SERVICE_NAME,
             "Bedrock Agent Runtime": _NORMALIZED_BEDROCK_SERVICE_NAME,
             "Bedrock Runtime": _NORMALIZED_BEDROCK_RUNTIME_SERVICE_NAME,
+            "Secrets Manager": _NORMALIZED_SECRETSMANAGER_SERVICE_NAME,
         }
         return aws_sdk_service_mapping.get(service_name, "AWS::" + service_name)
     return service_name
@@ -412,6 +415,9 @@ def _set_remote_type_and_identifier(span: ReadableSpan, attributes: BoundedAttri
         elif is_key_present(span, AWS_SNS_TOPIC_ARN):
             remote_resource_type = _NORMALIZED_SNS_SERVICE_NAME + "::Topic"
             remote_resource_identifier = _escape_delimiters(span.attributes.get(AWS_SNS_TOPIC_ARN))
+        elif is_key_present(span, AWS_SECRETSMANAGER_SECRET_ARN):
+            remote_resource_type = _NORMALIZED_SECRETSMANAGER_SERVICE_NAME + "::Secret"
+            remote_resource_identifier = _escape_delimiters(span.attributes.get(AWS_SECRETSMANAGER_SECRET_ARN))
     elif is_db_span(span):
         remote_resource_type = _DB_CONNECTION_STRING_TYPE
         remote_resource_identifier = _get_db_connection(span)
diff --git a/aws-opentelemetry-distro/src/amazon/opentelemetry/distro/patches/_botocore_patches.py b/aws-opentelemetry-distro/src/amazon/opentelemetry/distro/patches/_botocore_patches.py
@@ -17,8 +17,9 @@
 from opentelemetry.instrumentation.botocore.extensions import _KNOWN_EXTENSIONS
 from opentelemetry.instrumentation.botocore.extensions.sns import _SnsExtension
 from opentelemetry.instrumentation.botocore.extensions.sqs import _SqsExtension
-from opentelemetry.instrumentation.botocore.extensions.types import _AttributeMapT, _AwsSdkExtension
+from opentelemetry.instrumentation.botocore.extensions.types import _AttributeMapT, _AwsSdkExtension, _BotoResultT
 from opentelemetry.semconv.trace import SpanAttributes
+from opentelemetry.trace.span import Span
 
 
 def _apply_botocore_instrumentation_patches() -> None:
@@ -31,6 +32,18 @@ def _apply_botocore_instrumentation_patches() -> None:
     _apply_botocore_sqs_patch()
     _apply_botocore_bedrock_patch()
     _apply_botocore_sns_patch()
+    _apply_botocore_secretsmanager_patch()
+
+
+def _apply_botocore_secretsmanager_patch() -> None:
+    """Botocore instrumentation patch for SecretsManager
+
+    This patch adds an extension to the upstream's list of known extensions for SecretsManager.
+    Extensions allow for custom logic for adding service-specific information to spans,
+    such as attributes. Specifically, we are adding logic to add the
+    AWS_SECRETSMANAGER_SECRET_ARN attribute.
+    """
+    _KNOWN_EXTENSIONS["secretsmanager"] = _lazy_load(".", "_SecretsManagerExtension")
 
 
 def _apply_botocore_sns_patch() -> None:
@@ -132,6 +145,23 @@ def loader():
 # END The OpenTelemetry Authors code
 
 
+class _SecretsManagerExtension(_AwsSdkExtension):
+    def extract_attributes(self, attributes: _AttributeMapT):
+        """
+        SecretId can be secret name or secret arn, the function extracts attributes only if
+        the SecretId parameter is provided as an arn which starts with
+        'arn:aws:secretsmanager:'.
+        """
+        secret_id = self._call_context.params.get("SecretId")
+        if secret_id and secret_id.startswith("arn:aws:secretsmanager:"):
+            attributes["aws.secretsmanager.secret.arn"] = secret_id
+
+    def on_success(self, span: Span, result: _BotoResultT):
+        secret_arn = result.get("ARN")
+        if secret_arn:
+            span.set_attribute("aws.secretsmanager.secret.arn", secret_arn)
+
+
 class _S3Extension(_AwsSdkExtension):
     def extract_attributes(self, attributes: _AttributeMapT):
         bucket_name = self._call_context.params.get("Bucket")
diff --git a/aws-opentelemetry-distro/tests/amazon/opentelemetry/distro/test_aws_metric_attribute_generator.py b/aws-opentelemetry-distro/tests/amazon/opentelemetry/distro/test_aws_metric_attribute_generator.py
@@ -21,6 +21,7 @@
     AWS_REMOTE_RESOURCE_IDENTIFIER,
     AWS_REMOTE_RESOURCE_TYPE,
     AWS_REMOTE_SERVICE,
+    AWS_SECRETSMANAGER_SECRET_ARN,
     AWS_SNS_TOPIC_ARN,
     AWS_SPAN_KIND,
     AWS_SQS_QUEUE_NAME,
@@ -879,6 +880,7 @@ def test_normalize_remote_service_name_aws_sdk(self):
         self.validate_aws_sdk_service_normalization("Bedrock Agent Runtime", "AWS::Bedrock")
         self.validate_aws_sdk_service_normalization("Bedrock Runtime", "AWS::BedrockRuntime")
         self.validate_aws_sdk_service_normalization("SNS", "AWS::SNS")
+        self.validate_aws_sdk_service_normalization("Secrets Manager", "AWS::SecretsManager")
 
     def validate_aws_sdk_service_normalization(self, service_name: str, expected_remote_service: str):
         self._mock_attribute([SpanAttributes.RPC_SYSTEM, SpanAttributes.RPC_SERVICE], ["aws-api", service_name])
@@ -1090,6 +1092,18 @@ def test_sdk_client_span_with_remote_resource_attributes(self):
         self._validate_remote_resource_attributes("AWS::Bedrock::Model", "test.service_^^id")
         self._mock_attribute([GEN_AI_REQUEST_MODEL], [None])
 
+        # Validate behaviour of AWS_SECRETSMANAGER_SECRET_ARN attribute, then remove it
+        self._mock_attribute(
+            [AWS_SECRETSMANAGER_SECRET_ARN],
+            ["arn:aws:secretsmanager:us-east-1:123456789012:secret:secret_name-lERW9H"],
+            keys,
+            values,
+        )
+        self._validate_remote_resource_attributes(
+            "AWS::SecretsManager::Secret", "arn:aws:secretsmanager:us-east-1:123456789012:secret:secret_name-lERW9H"
+        )
+        self._mock_attribute([AWS_SECRETSMANAGER_SECRET_ARN], [None])
+
         self._mock_attribute([SpanAttributes.RPC_SYSTEM], [None])
 
     def test_client_db_span_with_remote_resource_attributes(self):
diff --git a/aws-opentelemetry-distro/tests/amazon/opentelemetry/distro/test_instrumentation_patch.py b/aws-opentelemetry-distro/tests/amazon/opentelemetry/distro/test_instrumentation_patch.py
@@ -27,6 +27,7 @@
 _BEDROCK_KNOWLEDGEBASE_ID: str = "KnowledgeBaseId"
 _GEN_AI_SYSTEM: str = "aws_bedrock"
 _GEN_AI_REQUEST_MODEL: str = "genAiReuqestModelId"
+_SECRET_ARN: str = "arn:aws:secretsmanager:us-west-2:000000000000:secret:testSecret-ABCDEF"
 
 # Patch names
 GET_DISTRIBUTION_PATCH: str = (
@@ -147,6 +148,9 @@ def _test_unpatched_botocore_instrumentation(self):
         # BedrockRuntime
         self.assertFalse("bedrock-runtime" in _KNOWN_EXTENSIONS, "Upstream has added a bedrock-runtime extension")
 
+        # SecretsManager
+        self.assertFalse("secretsmanager" in _KNOWN_EXTENSIONS, "Upstream has added a SecretsManager extension")
+
     def _test_unpatched_gevent_instrumentation(self):
         self.assertFalse(gevent.monkey.is_module_patched("os"), "gevent os module has been patched")
         self.assertFalse(gevent.monkey.is_module_patched("thread"), "gevent thread module has been patched")
@@ -212,6 +216,15 @@ def _test_patched_botocore_instrumentation(self):
         self.assertEqual(bedrock_runtime_attributes["gen_ai.system"], _GEN_AI_SYSTEM)
         self.assertEqual(bedrock_runtime_attributes["gen_ai.request.model"], _GEN_AI_REQUEST_MODEL)
 
+        # SecretsManager
+        self.assertTrue("secretsmanager" in _KNOWN_EXTENSIONS)
+        secretsmanager_attributes: Dict[str, str] = _do_extract_secretsmanager_attributes()
+        self.assertTrue("aws.secretsmanager.secret.arn" in secretsmanager_attributes)
+        self.assertEqual(secretsmanager_attributes["aws.secretsmanager.secret.arn"], _SECRET_ARN)
+        secretsmanager_success_attributes: Dict[str, str] = _do_on_success_secretsmanager()
+        self.assertTrue("aws.secretsmanager.secret.arn" in secretsmanager_success_attributes)
+        self.assertEqual(secretsmanager_success_attributes["aws.secretsmanager.secret.arn"], _SECRET_ARN)
+
     def _test_patched_gevent_os_ssl_instrumentation(self):
         # Only ssl and os module should have been patched since the environment variable was set to 'os, ssl'
         self.assertTrue(gevent.monkey.is_module_patched("ssl"), "gevent ssl module has not been patched")
@@ -365,6 +378,18 @@ def _do_on_success_bedrock(service, operation=None) -> Dict[str, str]:
     return _do_on_success(service, result, operation)
 
 
+def _do_extract_secretsmanager_attributes() -> Dict[str, str]:
+    service_name: str = "secretsmanager"
+    params: Dict[str, str] = {"SecretId": _SECRET_ARN}
+    return _do_extract_attributes(service_name, params)
+
+
+def _do_on_success_secretsmanager() -> Dict[str, str]:
+    service_name: str = "secretsmanager"
+    result: Dict[str, Any] = {"ARN": _SECRET_ARN}
+    return _do_on_success(service_name, result)
+
+
 def _do_extract_attributes(service_name: str, params: Dict[str, Any], operation: str = None) -> Dict[str, str]:
     mock_call_context: MagicMock = MagicMock()
     mock_call_context.params = params
