Add Semantic Convention Support for Amazon Secrets Manager Attributes

This PR adds the aws.secretsmanager.secret.arn semantic convention attribute for the following AWS resources:

AWS Secrets Manager SDK

The Secret ARN is extracted from both request and response objects, and this behavior is covered by unit tests.

Tests Run:
npm run compile
npm run lint
npm run test

All newly added tests pass, and no regressions were found.

Backward Compatibility:
This change is fully backward compatible. It introduces instrumentation for an additional AWS resource without modifying existing behavior in the auto-instrumentation library.

Author: lukeina2z

packages/instrumentation-aws-sdk/package.json

@@ -59,6 +59,7 @@
     "@aws-sdk/client-kinesis": "^3.85.0",
     "@aws-sdk/client-lambda": "^3.85.0",
     "@aws-sdk/client-s3": "^3.85.0",
+    "@aws-sdk/client-secrets-manager": "3.85.0",
     "@aws-sdk/client-sns": "^3.85.0",
     "@aws-sdk/client-sqs": "^3.85.0",
     "@aws-sdk/types": "^3.370.0",

packages/instrumentation-aws-sdk/src/semconv.ts

@@ -159,6 +159,16 @@ export const GEN_AI_TOKEN_TYPE_VALUE_INPUT = 'input' as const;
  */
 export const GEN_AI_TOKEN_TYPE_VALUE_OUTPUT = 'output' as const;
 
+/**
+ * Originally from '@opentelemetry/semantic-conventions/incubating'
+ * https://github.com/open-telemetry/semantic-conventions/blob/main/docs/registry/attributes/aws.md#amazon-secrets-manager-attributes
+ * The ARN of the Secret stored in the Secrets Mangger
+ * @example arn:aws:secretsmanager:us-east-1:123456789012:secret:SecretName-6RandomCharacters
+ * @experimental This attribute is experimental and is subject to breaking changes in minor releases of `@opentelemetry/semantic-conventions`.
+ */
+export const ATTR_AWS_SECRETSMANAGER_SECRET_ARN =
+  'aws.secretsmanager.secret.arn' as const;
+
 /**
  * Originally from '@opentelemetry/semantic-conventions/incubating'
  * https://github.com/open-telemetry/semantic-conventions/blob/main/docs/registry/attributes/aws.md#amazon-sns-attributes

packages/instrumentation-aws-sdk/src/services/ServicesExtensions.ts

@@ -23,6 +23,7 @@ import {
 } from '../types';
 import { BedrockRuntimeServiceExtension } from './bedrock-runtime';
 import { DynamodbServiceExtension } from './dynamodb';
+import { SecretsManagerServiceExtension } from './secretsmanager';
 import { SnsServiceExtension } from './sns';
 import { LambdaServiceExtension } from './lambda';
 import { S3ServiceExtension } from './s3';
@@ -32,6 +33,7 @@ export class ServicesExtensions implements ServiceExtension {
   services: Map<string, ServiceExtension> = new Map();
 
   constructor() {
+    this.services.set('SecretsManager', new SecretsManagerServiceExtension());
     this.services.set('SQS', new SqsServiceExtension());
     this.services.set('SNS', new SnsServiceExtension());
     this.services.set('DynamoDB', new DynamodbServiceExtension());

packages/instrumentation-aws-sdk/src/services/secretsmanager.ts

@@ -0,0 +1,60 @@
+/*
+ * Copyright The OpenTelemetry Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { Attributes, Span, SpanKind, Tracer } from '@opentelemetry/api';
+import { ATTR_AWS_SECRETSMANAGER_SECRET_ARN } from '../semconv';
+import { RequestMetadata, ServiceExtension } from './ServiceExtension';
+import {
+  NormalizedRequest,
+  NormalizedResponse,
+  AwsSdkInstrumentationConfig,
+} from '../types';
+
+export class SecretsManagerServiceExtension implements ServiceExtension {
+  requestPreSpanHook(
+    request: NormalizedRequest,
+    _config: AwsSdkInstrumentationConfig
+  ): RequestMetadata {
+    const secretId = request.commandInput?.SecretId;
+    const spanKind: SpanKind = SpanKind.CLIENT;
+    let spanName: string | undefined;
+    const spanAttributes: Attributes = {};
+    if (
+      typeof secretId === 'string' &&
+      secretId.startsWith('arn:aws:secretsmanager:')
+    ) {
+      spanAttributes[ATTR_AWS_SECRETSMANAGER_SECRET_ARN] = secretId;
+    }
+
+    return {
+      isIncoming: false,
+      spanAttributes,
+      spanKind,
+      spanName,
+    };
+  }
+
+  responseHook(
+    response: NormalizedResponse,
+    span: Span,
+    tracer: Tracer,
+    config: AwsSdkInstrumentationConfig
+  ): void {
+    const secretArn = response.data?.ARN;
+    if (secretArn) {
+      span.setAttribute(ATTR_AWS_SECRETSMANAGER_SECRET_ARN, secretArn);
+    }
+  }
+}

packages/instrumentation-aws-sdk/test/secretsmanager.test.ts

@@ -0,0 +1,121 @@
+/*
+ * Copyright The OpenTelemetry Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { getTestSpans } from '@opentelemetry/contrib-test-utils';
+import { SpanKind } from '@opentelemetry/api';
+import { ReadableSpan } from '@opentelemetry/sdk-trace-base';
+import { ATTR_AWS_SECRETSMANAGER_SECRET_ARN } from '@opentelemetry/semantic-conventions/incubating';
+
+import { SecretsManager } from '@aws-sdk/client-secrets-manager';
+
+import { expect } from 'expect';
+import * as nock from 'nock';
+
+const region = 'us-east-1';
+
+describe('SecretsManager', () => {
+  let secretsManager: SecretsManager;
+  beforeEach(() => {
+    secretsManager = new SecretsManager({
+      region: region,
+      credentials: {
+        accessKeyId: 'abcde',
+        secretAccessKey: 'abcde',
+      },
+    });
+  });
+
+  describe('DescribeSecret', () => {
+    const testParams = [
+      'testId',
+      'badarn:aws:secretsmanager:us-weast-1:123456789123:secret:testId123456',
+      'arn:aws:secretsmanager:us-east-1:123456789123:secret:testId123456',
+    ];
+
+    testParams.forEach(secretId => {
+      it('should generate secret arn attribute only if secretId is an valid ARN', async () => {
+        nock(`https://secretsmanager.${region}.amazonaws.com/`)
+          .post('/')
+          .reply(200, 'null');
+
+        await secretsManager
+          .describeSecret({
+            SecretId: secretId,
+          })
+          .catch((err: any) => {});
+
+        const testSpans: ReadableSpan[] = getTestSpans();
+        const getDescribeSecretSpans: ReadableSpan[] = testSpans.filter(
+          (s: ReadableSpan) => {
+            return s.name === 'SecretsManager.DescribeSecret';
+          }
+        );
+
+        expect(getDescribeSecretSpans.length).toBe(1);
+        const describeSecretSpan = getDescribeSecretSpans[0];
+
+        if (secretId.startsWith('arn:aws:secretsmanager:')) {
+          expect(
+            describeSecretSpan.attributes[ATTR_AWS_SECRETSMANAGER_SECRET_ARN]
+          ).toBe(secretId);
+        } else {
+          expect(
+            describeSecretSpan.attributes[ATTR_AWS_SECRETSMANAGER_SECRET_ARN]
+          ).toBeUndefined();
+        }
+
+        expect(describeSecretSpan.kind).toBe(SpanKind.CLIENT);
+      });
+    });
+  });
+
+  describe('GetSecretValue', () => {
+    it('secret arn attribute should be populated from the response', async () => {
+      const secretIdArn =
+        'arn:aws:secretsmanager:us-east-1:123456789123:secret:testId123456';
+
+      nock(`https://secretsmanager.${region}.amazonaws.com/`)
+        .post('/')
+        .reply(200, {
+          ARN: secretIdArn,
+          Name: 'testId',
+        });
+
+      await secretsManager
+        .getSecretValue({
+          SecretId: 'testSecret',
+        })
+        .catch((err: any) => {
+          console.log(err);
+        });
+
+      const testSpans: ReadableSpan[] = getTestSpans();
+      const getSecretValueSpans: ReadableSpan[] = testSpans.filter(
+        (s: ReadableSpan) => {
+          return s.name === 'SecretsManager.GetSecretValue';
+        }
+      );
+
+      expect(getSecretValueSpans.length).toBe(1);
+
+      const secretValueSpan = getSecretValueSpans[0];
+      expect(
+        secretValueSpan.attributes[ATTR_AWS_SECRETSMANAGER_SECRET_ARN]
+      ).toBe(secretIdArn);
+      expect(secretValueSpan.kind).toBe(SpanKind.CLIENT);
+    });
+  });
+});