feat(nrawssdk): Accept NEW_RELIC_CLOUD_AWS_ACCOUNT_ID as env var

Author: cade-conklin

v3/go.mod

@@ -7,10 +7,22 @@ require (
 	google.golang.org/protobuf v1.34.2
 )
 
+require github.com/aws/smithy-go v1.24.0 // indirect
+
+require (
+	github.com/aws/aws-sdk-go-v2 v1.41.1
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
+)
 
 retract v3.22.0 // release process error corrected in v3.22.1
 
 retract v3.25.0 // release process error corrected in v3.25.1
 
 retract v3.34.0 // this release erronously referred to and invalid protobuf dependency
-retract v3.40.0 // this release erronously had deadlocks in utilization.go and incorrectly added aws-sdk-go to the go.mod file
+
+retract v3.40.0 // this release erronously had deadlocks in utilization.go and incorrectly added aws-sdk-go to the go.mod file
+
+replace github.com/newrelic/go-agent/v3 => /Users/cconklin/team-go/go-agent/./v3

v3/integrations/nrawssdk-v2/example/main.go

@@ -38,18 +38,19 @@ func main() {
 	// Start recording a New Relic transaction
 	txn := app.StartTransaction("My sample transaction")
 
-	ctx := context.Background()
+	ctx := newrelic.NewContext(context.Background(), txn)
 
 	awsConfig, err := config.LoadDefaultConfig(ctx, func(awsConfig *config.LoadOptions) error {
 		// Instrument all new AWS clients with New Relic
-
 		return nil
 	})
-	creds, err := awsConfig.Credentials.Retrieve(ctx)
-	if err != nil {
-		log.Println("Warning couldn't get flags")
+
+	// Ensure transaction is in context for NRAppendMiddlewares
+	if txn != nil {
+		ctx = newrelic.NewContext(ctx, txn)
 	}
-	nrawssdk.AppendMiddlewares(&awsConfig.APIOptions, nil, creds)
+
+	nrawssdk.NRAppendMiddlewares(&awsConfig.APIOptions, ctx, awsConfig)
 	if err != nil {
 		log.Fatal(err)
 	}

v3/integrations/nrawssdk-v2/go.mod

@@ -5,15 +5,39 @@ module github.com/newrelic/go-agent/v3/integrations/nrawssdk-v2
 go 1.24
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.30.4
+	github.com/aws/aws-sdk-go-v2 v1.41.1
 	github.com/aws/aws-sdk-go-v2/config v1.27.31
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.34.6
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.58.1
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.61.0
 	github.com/aws/aws-sdk-go-v2/service/sqs v1.34.6
-	github.com/aws/smithy-go v1.20.4
+	github.com/aws/smithy-go v1.24.0
 	github.com/newrelic/go-agent/v3 v3.42.0
 )
 
+require (
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.4 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.30 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.5 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/grpc v1.65.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+)
 
 replace github.com/newrelic/go-agent/v3 => ../..

v3/integrations/nrawssdk-v2/nrawssdk.go

@@ -28,6 +28,7 @@ package nrawssdk
 
 import (
 	"context"
+	"encoding/base32"
 	"fmt"
 	"net/url"
 	"strconv"
@@ -40,16 +41,22 @@ import (
 	"github.com/aws/smithy-go/middleware"
 	smithymiddle "github.com/aws/smithy-go/middleware"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
-	"github.com/newrelic/go-agent/v3/internal/awssupport"
 	"github.com/newrelic/go-agent/v3/newrelic"
 	"github.com/newrelic/go-agent/v3/newrelic/integrationsupport"
 )
 
+type credentialsResolver interface {
+	AWSAccountIdFromAWSAccessKey(creds aws.Credentials) (string, error)
+}
+
 type nrMiddleware struct {
-	txn   *newrelic.Transaction
-	creds aws.Credentials
+	txn       *newrelic.Transaction
+	accountID string
+	resolver  credentialsResolver
 }
 
+type defaultResolver struct{}
+
 type contextKey string
 
 const (
@@ -77,14 +84,7 @@ func (m nrMiddleware) deserializeMiddleware(stack *smithymiddle.Stack) error {
 		serviceName := awsmiddle.GetServiceID(ctx)
 		operation := awsmiddle.GetOperationName(ctx)
 		region := awsmiddle.GetRegion(ctx)
-
-		creds := awsmiddle.GetSigningCredentials(ctx)
-		accountID, err := awssupport.AWSAccountIdFromAWSAccessKey(creds)
-		if err != nil {
-			accountID = ""
-			fmt.Println(err.Error())
-		}
-
+		accountID := m.accountID
 		var segment endable
 
 		if serviceName == "dynamodb" || serviceName == "DynamoDB" {
@@ -138,7 +138,9 @@ func (m nrMiddleware) deserializeMiddleware(stack *smithymiddle.Stack) error {
 				integrationsupport.AddAgentSpanAttribute(txn, newrelic.AttributeAWSElastSearchDomainEndpoint, httpRequest.URL.String()) // this way I don't have to pull it out of context
 			}
 			// Set additional span attributes
+
 			integrationsupport.AddAgentSpanAttribute(txn, newrelic.AttributeCloudAccountID, accountID) // setting account ID here, why do we only do this if it is an SQS service?
+
 			integrationsupport.AddAgentSpanAttribute(txn,
 				newrelic.AttributeResponseCode, strconv.Itoa(response.StatusCode))
 			integrationsupport.AddAgentSpanAttribute(txn,
@@ -161,7 +163,6 @@ func (m nrMiddleware) serializeMiddleware(stack *middleware.Stack) error {
 		ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler) (
 		out middleware.InitializeOutput, metadata middleware.Metadata, err error) {
 		serviceName := awsmiddle.GetServiceID(ctx)
-		ctx = awsmiddle.SetSigningCredentials(ctx, m.creds)
 		switch serviceName {
 		case "dynamodb", "DynamoDB":
 			ctx = context.WithValue(ctx, dynamodbInputKey, dynamoDBInputFromMiddlewareInput(in))
@@ -229,8 +230,30 @@ func (m nrMiddleware) serializeMiddleware(stack *middleware.Stack) error {
 //	if err != nil {
 //		log.Fatal(err)
 //	}
-func AppendMiddlewares(apiOptions *[]func(*smithymiddle.Stack) error, txn *newrelic.Transaction, creds aws.Credentials) {
-	m := nrMiddleware{txn: txn, creds: creds}
+func AppendMiddlewares(apiOptions *[]func(*smithymiddle.Stack) error, txn *newrelic.Transaction) {
+	m := nrMiddleware{txn: txn}
+	*apiOptions = append(*apiOptions, m.deserializeMiddleware)
+	*apiOptions = append(*apiOptions, m.serializeMiddleware)
+}
+
+func NRAppendMiddlewares(apiOptions *[]func(*smithymiddle.Stack) error, ctx context.Context, awsConfig aws.Config) {
+	txn := newrelic.FromContext(ctx)
+
+	creds, err := awsConfig.Credentials.Retrieve(ctx)
+	if err != nil {
+		fmt.Println("error: Couldn't get AWS Credentials")
+	}
+
+	cfg, ok := txn.Application().Config()
+	m := nrMiddleware{txn: txn, resolver: &defaultResolver{}}
+
+	if ok {
+		err := m.ResolveAWSCredentials(cfg, creds)
+		if err != nil {
+			fmt.Println("error: Couldn't resolve AWS credentials")
+		}
+	}
+
 	*apiOptions = append(*apiOptions, m.deserializeMiddleware)
 	*apiOptions = append(*apiOptions, m.serializeMiddleware)
 }
@@ -291,3 +314,55 @@ func dynamoDBInputFromMiddlewareInput(in middleware.InitializeInput) dynamodbInp
 		return dynamodbInput{}
 	}
 }
+
+func (m *nrMiddleware) ResolveAWSCredentials(cfg newrelic.Config, creds aws.Credentials) error {
+
+	if m.resolver == nil {
+		m.resolver = &defaultResolver{}
+	}
+
+	accountID, err := m.resolver.AWSAccountIdFromAWSAccessKey(creds)
+	if err != nil {
+		return err
+	}
+
+	// Use resolved accountID if:
+	// 1. No accountID is set in config (cfg.CloudAWS.AccountID is empty), OR
+	// 2. Resolved accountID is different from config accountID
+	if cfg.CloudAWS.AccountID == "" || (accountID != "" && accountID != cfg.CloudAWS.AccountID) {
+		m.accountID = accountID
+		return nil
+	}
+
+	// Otherwise use the config accountID
+	m.accountID = cfg.CloudAWS.AccountID
+	return nil
+}
+
+func (m *defaultResolver) AWSAccountIdFromAWSAccessKey(creds aws.Credentials) (string, error) {
+	if creds.AccountID != "" {
+		return creds.AccountID, nil
+	}
+	if creds.AccessKeyID == "" {
+		return "", fmt.Errorf("no access key id found")
+	}
+	if len(creds.AccessKeyID) < 16 {
+		return "", fmt.Errorf("improper access key id format")
+	}
+	trimmedAccessKey := creds.AccessKeyID[4:]
+	decoded, err := base32.StdEncoding.DecodeString(trimmedAccessKey)
+	if err != nil {
+		return "", fmt.Errorf("error decoding access keys")
+	}
+	var bigEndian uint64
+	for i := 0; i < 6; i++ {
+		bigEndian = bigEndian << 8      // shift 8 bits left.  Most significant byte read in first (decoded[i])
+		bigEndian |= uint64(decoded[i]) // apply OR for current byte
+	}
+
+	mask := uint64(0x7fffffffff80)
+
+	num := (bigEndian & mask) >> 7 // apply mask and get rid of last 7 bytes from mask
+
+	return fmt.Sprintf("%d", num), nil
+}