Skip to content

feat: Add auto-instrumentation support for AWS Secrets Manager SDK v1 #14027

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Jun 20, 2025
Merged

feat: Add auto-instrumentation support for AWS Secrets Manager SDK v1 #14027

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
87aae70
feat: Add auto-instrumentation support for AWS Secrets Manager SDK v1
lukeina2z Jun 13, 2025
e13f80a
Address code review feedback:
lukeina2z Jun 13, 2025
7d9d617
./gradlew spotlessApply
otelbot[bot] Jun 13, 2025
5ab1706
Removed redundant null check.
lukeina2z Jun 16, 2025
6fd5587
Improve dependency configuration to support testing with the latest v…
lukeina2z Jun 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 16 additions & 1 deletion instrumentation/aws-sdk/aws-sdk-1.11/library/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,8 @@ dependencies {
latestDepTestLibrary("com.amazonaws:aws-java-sdk-sqs:1.12.583") // documented limitation
}

if (!(findProperty("testLatestDeps") as Boolean)) {
val testLatestDeps = findProperty("testLatestDeps") as Boolean
if (!testLatestDeps) {
configurations.testRuntimeClasspath {
resolutionStrategy {
eachDependency {
Expand All @@ -36,12 +37,26 @@ if (!(findProperty("testLatestDeps") as Boolean)) {
}
}

testing {
suites {
val testSecretsManager by registering(JvmTestSuite::class) {
dependencies {
implementation(project())
implementation(project(":instrumentation:aws-sdk:aws-sdk-1.11:testing"))
version = if (testLatestDeps) "latest.release" else "1.12.80"
implementation("com.amazonaws:aws-java-sdk-secretsmanager:$version")
}
}
}
}

tasks {
val testStableSemconv by registering(Test::class) {
jvmArgs("-Dotel.semconv-stability.opt-in=database")
}

check {
dependsOn(testing.suites)
dependsOn(testStableSemconv)
}
}
14 changes: 12 additions & 2 deletions ...rc/main/java/io/opentelemetry/instrumentation/awssdk/v1_11/AwsSdkAttributesExtractor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ class AwsSdkAttributesExtractor implements AttributesExtractor<Request<?>, Respo
private static final AttributeKey<String> AWS_REQUEST_ID = stringKey("aws.request_id");

// Copied from AwsIncubatingAttributes
private static final AttributeKey<String> AWS_SECRETSMANAGER_SECRET_ARN =
stringKey("aws.secretsmanager.secret.arn");
private static final AttributeKey<String> AWS_STEP_FUNCTIONS_ACTIVITY_ARN =
stringKey("aws.step_functions.activity.arn");
private static final AttributeKey<String> AWS_STEP_FUNCTIONS_STATE_MACHINE_ARN =
Expand Down Expand Up @@ -62,8 +64,9 @@ public void onEnd(
Request<?> request,
@Nullable Response<?> response,
@Nullable Throwable error) {
if (response != null) {
Object awsResp = response.getAwsResponse();
Object awsResp = getAwsResponse(response);
if (awsResp != null) {
setAttribute(attributes, AWS_SECRETSMANAGER_SECRET_ARN, awsResp, RequestAccess::getSecretArn);
Copy link
Contributor

@laurit laurit Jun 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps there should be a null check for awsResp so you wouldn't need to do it in RequestAccess.
One thing that is confusing for me is that in case of secret manager you test CreateSecretRequest so it is understandable that the arn is on the response. For step functions you test DescribeStateMachineRequest and DescribeActivityRequest there in a real application shouldn't the arn already be set on the request when running these agains real aws service? I guess there is also CreateStateMachineRequest where you'd need to read the arn from the response, but aws2 version doesn't seem to handle that. It would be nice to have all paths tested and aligned between aws1 and 2 sdks.
In this PR reading the secret arn from the request isn't really tested. And as far as I can tell it wouldn't work for DescribeSecretRequest since that one seems to use getSecretId instead of getARN.

Copy link
Contributor Author

@lukeina2z lukeina2z Jun 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are great feedback. Thank you @laurit.

  1. Added a null check at the awsResp level.
  2. Removed the call to getARN() from the request. In Secrets Manager, the request uses secretId, which is not necessarily an ARN. This change aligns with the V2 implementation. The ARN will now be retrieved from the response. A new test has been added using DescribeSecretRequest.
  3. Step Functions will be addressed in a separate PR.

setAttribute(
attributes,
AWS_STEP_FUNCTIONS_STATE_MACHINE_ARN,
Expand Down Expand Up @@ -106,4 +109,11 @@ public static void setAttribute(
attributes.put(key, value);
}
}

private static Object getAwsResponse(Response<?> response) {
if (response == null) {
return null;
}
return response.getAwsResponse();
}
}
18 changes: 12 additions & 6 deletions ...11/library/src/main/java/io/opentelemetry/instrumentation/awssdk/v1_11/RequestAccess.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@
import javax.annotation.Nullable;

final class RequestAccess {
private static final String SECRETS_MANAGER_REQUEST_CLASS_PREFIX =
"com.amazonaws.services.secretsmanager.model.";
private static final String STEP_FUNCTIONS_REQUEST_CLASS_PREFIX =
"com.amazonaws.services.stepfunctions.model.";

Expand All @@ -22,20 +24,20 @@ protected RequestAccess computeValue(Class<?> type) {
}
};

@Nullable
static String getSecretArn(Object request) {
RequestAccess access = REQUEST_ACCESSORS.get(request.getClass());
return invokeOrNull(access.getSecretArn, request);
}

@Nullable
static String getStepFunctionsActivityArn(Object request) {
if (request == null) {
return null;
}
RequestAccess access = REQUEST_ACCESSORS.get(request.getClass());
return invokeOrNull(access.getStepFunctionsActivityArn, request);
}

@Nullable
static String getStateMachineArn(Object request) {
if (request == null) {
return null;
}
RequestAccess access = REQUEST_ACCESSORS.get(request.getClass());
return invokeOrNull(access.getStateMachineArn, request);
}
Expand Down Expand Up @@ -97,6 +99,7 @@ private static String invokeOrNull(@Nullable MethodHandle method, Object obj) {
@Nullable private final MethodHandle getBucketName;
@Nullable private final MethodHandle getQueueUrl;
@Nullable private final MethodHandle getQueueName;
@Nullable private final MethodHandle getSecretArn;
@Nullable private final MethodHandle getStreamName;
@Nullable private final MethodHandle getTableName;
@Nullable private final MethodHandle getTopicArn;
Expand All @@ -112,6 +115,9 @@ private RequestAccess(Class<?> clz) {
getTableName = findAccessorOrNull(clz, "getTableName");
getTopicArn = findAccessorOrNull(clz, "getTopicArn");
getTargetArn = findAccessorOrNull(clz, "getTargetArn");

boolean isSecretsManager = clz.getName().startsWith(SECRETS_MANAGER_REQUEST_CLASS_PREFIX);
getSecretArn = isSecretsManager ? findAccessorOrNull(clz, "getARN") : null;
boolean isStepFunction = clz.getName().startsWith(STEP_FUNCTIONS_REQUEST_CLASS_PREFIX);
getStateMachineArn = isStepFunction ? findAccessorOrNull(clz, "getStateMachineArn") : null;
getStepFunctionsActivityArn = isStepFunction ? findAccessorOrNull(clz, "getActivityArn") : null;
Expand Down
32 changes: 32 additions & 0 deletions ...sManager/java/io/opentelemetry/instrumentation/awssdk/v1_11/SecretsManagerClientTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
/*
* Copyright The OpenTelemetry Authors
* SPDX-License-Identifier: Apache-2.0
*/

package io.opentelemetry.instrumentation.awssdk.v1_11;

import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import io.opentelemetry.instrumentation.testing.junit.InstrumentationExtension;
import io.opentelemetry.instrumentation.testing.junit.LibraryInstrumentationExtension;
import org.junit.jupiter.api.extension.RegisterExtension;

class SecretsManagerClientTest extends AbstractSecretsManagerClientTest {
@RegisterExtension
private static final InstrumentationExtension testing = LibraryInstrumentationExtension.create();

@Override
protected InstrumentationExtension testing() {
return testing;
}

@Override
public AWSSecretsManagerClientBuilder configureClient(
AWSSecretsManagerClientBuilder clientBuilder) {

return clientBuilder.withRequestHandlers(
AwsSdkTelemetry.builder(testing().getOpenTelemetry())
.setCaptureExperimentalSpanAttributes(true)
.build()
.newRequestHandler());
}
}
1 change: 1 addition & 0 deletions instrumentation/aws-sdk/aws-sdk-1.11/testing/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ dependencies {
compileOnly("com.amazonaws:aws-java-sdk-kinesis:1.11.106")
compileOnly("com.amazonaws:aws-java-sdk-rds:1.11.106")
compileOnly("com.amazonaws:aws-java-sdk-s3:1.11.106")
compileOnly("com.amazonaws:aws-java-sdk-secretsmanager:1.12.80")
compileOnly("com.amazonaws:aws-java-sdk-sns:1.11.106")
compileOnly("com.amazonaws:aws-java-sdk-sqs:1.11.106")
compileOnly("com.amazonaws:aws-java-sdk-stepfunctions:1.11.106")
Expand Down
93 changes: 93 additions & 0 deletions .../java/io/opentelemetry/instrumentation/awssdk/v1_11/AbstractSecretsManagerClientTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
/*
* Copyright The OpenTelemetry Authors
* SPDX-License-Identifier: Apache-2.0
*/

package io.opentelemetry.instrumentation.awssdk.v1_11;

import static io.opentelemetry.sdk.testing.assertj.OpenTelemetryAssertions.equalTo;
import static io.opentelemetry.semconv.incubating.AwsIncubatingAttributes.AWS_SECRETSMANAGER_SECRET_ARN;
import static java.util.Collections.singletonList;

import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.CreateSecretRequest;
import com.amazonaws.services.secretsmanager.model.DescribeSecretRequest;
import io.opentelemetry.sdk.testing.assertj.AttributeAssertion;
import io.opentelemetry.testing.internal.armeria.common.HttpResponse;
import io.opentelemetry.testing.internal.armeria.common.HttpStatus;
import io.opentelemetry.testing.internal.armeria.common.MediaType;
import java.util.List;
import org.junit.jupiter.api.Test;

public abstract class AbstractSecretsManagerClientTest extends AbstractBaseAwsClientTest {

public abstract AWSSecretsManagerClientBuilder configureClient(
AWSSecretsManagerClientBuilder client);

@Override
protected boolean hasRequestId() {
return false;
}

@Test
public void sendCreateSecretRequestWithMockedResponse() throws Exception {
AWSSecretsManagerClientBuilder clientBuilder = AWSSecretsManagerClientBuilder.standard();
AWSSecretsManager client =
configureClient(clientBuilder)
.withEndpointConfiguration(endpoint)
.withCredentials(credentialsProvider)
.build();

String body =
"{"
+ "\"ARN\": \"arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3\","
+ "\"Name\": \"MyTestDatabaseSecret\","
+ "\"VersionId\": \"EXAMPLE1-90ab-cdef-fedc-ba987SECRET1\""
+ "}";
server.enqueue(HttpResponse.of(HttpStatus.OK, MediaType.PLAIN_TEXT_UTF_8, body));

Object response =
client.createSecret(
new CreateSecretRequest().withName("secretName").withSecretString("secretValue"));

List<AttributeAssertion> additionalAttributes =
singletonList(
equalTo(
AWS_SECRETSMANAGER_SECRET_ARN,
"arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3"));

assertRequestWithMockedResponse(
response, client, "AWSSecretsManager", "CreateSecret", "POST", additionalAttributes);
}

@Test
public void sendDescribeSecretRequestWithMockedResponse() throws Exception {
AWSSecretsManagerClientBuilder clientBuilder = AWSSecretsManagerClientBuilder.standard();
AWSSecretsManager client =
configureClient(clientBuilder)
.withEndpointConfiguration(endpoint)
.withCredentials(credentialsProvider)
.build();

String body =
"{"
+ "\"ARN\": \"arn:aws:secretsmanager:us-east-1:123456789012:secret:My-Secret-Id-WzAXar\","
+ "\"Name\": \"My-Secret-Id\","
+ "\"VersionId\": \"EXAMPLE1-90ab-cdef-fedc-ba987SECRET1\""
+ "}";

server.enqueue(HttpResponse.of(HttpStatus.OK, MediaType.PLAIN_TEXT_UTF_8, body));
Object response =
client.describeSecret(new DescribeSecretRequest().withSecretId("My-Secret-Id"));

List<AttributeAssertion> additionalAttributes =
singletonList(
equalTo(
AWS_SECRETSMANAGER_SECRET_ARN,
"arn:aws:secretsmanager:us-east-1:123456789012:secret:My-Secret-Id-WzAXar"));

assertRequestWithMockedResponse(
response, client, "AWSSecretsManager", "DescribeSecret", "POST", additionalAttributes);
}
}
Loading