SigV4 Authentication support for http/protobuf exporter

aws-opentelemetry-distro/src/amazon/opentelemetry/distro/aws_opentelemetry_configurator.py

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Modifications Copyright The OpenTelemetry Authors. Licensed under the Apache License 2.0 License.
 import os
+import re
 from logging import Logger, getLogger
 from typing import ClassVar, Dict, List, Type, Union
 
@@ -19,6 +20,7 @@
     AwsMetricAttributesSpanExporterBuilder,
 )
 from amazon.opentelemetry.distro.aws_span_metrics_processor_builder import AwsSpanMetricsProcessorBuilder
+from amazon.opentelemetry.distro.otlp_sigv4_exporter import OTLPAwsSigV4Exporter
 from amazon.opentelemetry.distro.otlp_udp_exporter import OTLPUdpSpanExporter
 from amazon.opentelemetry.distro.sampler.aws_xray_remote_sampler import AwsXRayRemoteSampler
 from amazon.opentelemetry.distro.scope_based_exporter import ScopeBasedPeriodicExportingMetricReader
@@ -315,6 +317,9 @@ def _customize_exporter(span_exporter: SpanExporter, resource: Resource) -> Span
             traces_endpoint = os.environ.get(AWS_XRAY_DAEMON_ADDRESS_CONFIG, "127.0.0.1:2000")
             span_exporter = OTLPUdpSpanExporter(endpoint=traces_endpoint)
 
+    if _is_otlp_endpoint_cloudwatch():
+        span_exporter = OTLPAwsSigV4Exporter(endpoint=os.getenv(OTEL_EXPORTER_OTLP_TRACES_ENDPOINT))
+
     if not _is_application_signals_enabled():
         return span_exporter
 
@@ -328,6 +333,10 @@ def _customize_span_processors(provider: TracerProvider, resource: Resource) ->
     # Construct and set local and remote attributes span processor
     provider.add_span_processor(AttributePropagatingSpanProcessorBuilder().build())
 
+    # Do not export metrics if it's CloudWatch OTLP endpoint
+    if _is_otlp_endpoint_cloudwatch():
+        return
+
     # Export 100% spans and not export Application-Signals metrics if on Lambda.
     if _is_lambda_environment():
         _export_unsampled_span_for_lambda(provider, resource)
@@ -437,6 +446,16 @@ def _is_lambda_environment():
     return AWS_LAMBDA_FUNCTION_NAME_CONFIG in os.environ
 
 
+def _is_otlp_endpoint_cloudwatch():
+    # Detects if it's the OTLP endpoint in CloudWatchs
+    otlp_endpoint = os.environ.get(OTEL_EXPORTER_OTLP_TRACES_ENDPOINT)
+    if not otlp_endpoint:
+        return False
+    pattern = r"xray\.([a-z0-9-]+)\.amazonaws\.com"
+
+    return bool(re.match(pattern, otlp_endpoint.lower()))
+
+
 def _get_metric_export_interval():
     export_interval_millis = float(os.environ.get(METRIC_EXPORT_INTERVAL_CONFIG, DEFAULT_METRIC_EXPORT_INTERVAL))
     _logger.debug("Span Metrics export interval: %s", export_interval_millis)

aws-opentelemetry-distro/src/amazon/opentelemetry/distro/otlp_sigv4_exporter.py

@@ -0,0 +1,98 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+import logging
+import re
+from typing import Dict, Optional
+
+import requests
+from botocore import session
+from botocore.auth import NoCredentialsError, SigV4Auth
+from botocore.awsrequest import AWSRequest
+from grpc import Compression
+
+from opentelemetry.exporter.otlp.proto.http.trace_exporter import OTLPSpanExporter
+
+AWS_SERVICE = "xray"
+
+_logger = logging.getLogger(__name__)
+
+
+class OTLPAwsSigV4Exporter(OTLPSpanExporter):
+
+    def __init__(
+        self,
+        endpoint: Optional[str] = None,
+        certificate_file: Optional[str] = None,
+        client_key_file: Optional[str] = None,
+        client_certificate_file: Optional[str] = None,
+        headers: Optional[Dict[str, str]] = None,
+        timeout: Optional[int] = None,
+        compression: Optional[Compression] = None,
+        rsession: Optional[requests.Session] = None,
+    ):
+
+        self._aws_region = self._validate_exporter_endpoint(endpoint)
+        super().__init__(
+            endpoint=endpoint,
+            certificate_file=certificate_file,
+            client_key_file=client_key_file,
+            client_certificate_file=client_certificate_file,
+            headers=headers,
+            timeout=timeout,
+            compression=compression,
+            session=rsession,
+        )
+
+    def _export(self, serialized_data: bytes):
+        if self._aws_region:
+            request = AWSRequest(
+                method="POST",
+                url=self._endpoint,
+                data=serialized_data,
+                headers={"Content-Type": "application/x-protobuf"},
+            )
+
+            botocore_session = session.Session()
+            credentials = botocore_session.get_credentials()
+            if credentials is not None:
+                signer = SigV4Auth(credentials, AWS_SERVICE, self._aws_region)
+
+                try:
+                    signer.add_auth(request)
+                    self._session.headers.update(dict(request.headers))
+
+                except NoCredentialsError as signing_error:
+                    _logger.error("Failed to sign request: %s", signing_error)
+
+            else:
+                _logger.error("Failed to get credentials to export span to OTLP CloudWatch endpoint")
+
+        return super()._export(serialized_data)
+
+    @staticmethod
+    def _validate_exporter_endpoint(endpoint: str) -> Optional[str]:
+        if not endpoint:
+            return None
+
+        match = re.search(rf"{AWS_SERVICE}\.([a-z0-9-]+)\.amazonaws\.com", endpoint)
+
+        if match:
+            region = match.group(1)
+            xray_regions = session.Session().get_available_regions(AWS_SERVICE)
+            if region in xray_regions:
+                return region
+
+            _logger.error(
+                "Invalid AWS region: %s. Valid regions are %s. Resolving to default endpoint.", region, xray_regions
+            )
+            return None
+
+        _logger.error(
+            "Invalid XRay traces endpoint: %s. Resolving to default endpoint. "
+            "The traces endpoint follows the pattern https://xray.[AWSRegion].amazonaws.com/v1/traces. "
+            "For example, for the US West (Oregon) (us-west-2) Region, the endpoint will be "
+            "https://xray.us-west-2.amazonaws.com/v1/traces.",
+            endpoint,
+        )
+
+        return None