[extension/basicauth] Add AWS Secrets Manager support for client credentials#48380
Closed
lazureykis wants to merge 4 commits into
Conversation
…ential rotation

Adds native support for sourcing client auth credentials from AWS Secrets Manager. The extension polls the secret at a configurable interval and swaps credentials in place when a rotation is detected — no collector restart required.

The secret must be a JSON object. Key names default to "username" and "password" (matching AWS's own RDS/Redshift/DocumentDB rotation templates) and are configurable via username_key and password_key.

AWS credentials use the standard SDK default chain (env vars, instance profile, ECS/EKS task role, etc.).

On poll failure, the extension logs a warning and retains the last known good credentials. The collector is not interrupted.

Closes open-telemetry#48277

Assisted-by: Claude Sonnet 4.6
- Replace two separate atomic.Pointer[string] for username/password with a single atomic.Pointer[secretCredentials] so HTTP clients always read a consistent credential pair (fixes torn-read window during rotation)
- Capture shutdownCh in local variable before spawning cancel goroutine to avoid race with shutdown() zeroing the field (detected by go test -race)
- Add idempotency guard to startWithClient (returns error if already started)
- Pass cancellable context into fetch() so in-flight AWS calls respect shutdown
- Remove redundant updateGRPCMetadata() call in Start(); onChange handles it
- Fix mock.callErr data race in tests by using atomic.Pointer[error]
- Replace time.Sleep with assert.Eventually in NoOnChange and PollError tests
- Add TestClientAuthSettingsValidate covering all Validate() error branches
- Add TestBasicAuth_ClientAWSSecretsManager integration test through extension

Assisted-by: Claude Sonnet 4.6
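The two commit messages above describe the rotation behaviour (JSON secret, configurable key names, last known good retained on poll failure) and the fix that publishes the username/password pair through a single atomic.Pointer. The following is an added illustration of that design, not code from this PR or from basicauthextension: the SecretFetcher interface, the fakeFetcher and the secret payloads are constructed for the example, and the real extension would wrap the AWS SDK's GetSecretValue call behind the fetcher.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"sync/atomic"
)

// secretCredentials is one immutable pair from a single fetch. Published through
// one atomic.Pointer, a reader sees the whole old pair or the whole new pair.
type secretCredentials struct {
	Username, Password string
}

// SecretFetcher stands in for Secrets Manager GetSecretValue (hypothetical interface, not the extension's API).
type SecretFetcher interface {
	Fetch(ctx context.Context) ([]byte, error)
}

// CredentialPoller keeps the last known good pair and swaps it in place on rotation.
type CredentialPoller struct {
	fetcher                  SecretFetcher
	usernameKey, passwordKey string
	current                  atomic.Pointer[secretCredentials]
	onChange                 func(secretCredentials) // e.g. refresh gRPC metadata
}

// NewCredentialPoller applies the "username"/"password" key defaults.
func NewCredentialPoller(f SecretFetcher, usernameKey, passwordKey string, onChange func(secretCredentials)) *CredentialPoller {
	if usernameKey == "" {
		usernameKey = "username"
	}
	if passwordKey == "" {
		passwordKey = "password"
	}
	return &CredentialPoller{fetcher: f, usernameKey: usernameKey, passwordKey: passwordKey, onChange: onChange}
}

// parseSecret requires a JSON object whose configured keys are non-empty strings;
// anything else (array, non-string values, missing key) is a poll failure.
func parseSecret(raw []byte, usernameKey, passwordKey string) (secretCredentials, error) {
	var obj map[string]string
	if err := json.Unmarshal(raw, &obj); err != nil {
		return secretCredentials{}, fmt.Errorf("secret is not a JSON object of strings: %w", err)
	}
	c := secretCredentials{Username: obj[usernameKey], Password: obj[passwordKey]}
	if c.Username == "" || c.Password == "" {
		return secretCredentials{}, fmt.Errorf("secret lacks non-empty %q and %q keys", usernameKey, passwordKey)
	}
	return c, nil
}

// Poll fetches and parses the secret once. Any failure is returned for the caller
// to log and leaves the current pair untouched; true means a new pair was swapped in.
func (p *CredentialPoller) Poll(ctx context.Context) (bool, error) {
	raw, err := p.fetcher.Fetch(ctx) // ctx lets shutdown cancel an in-flight call
	if err != nil {
		return false, fmt.Errorf("fetch secret: %w", err)
	}
	next, err := parseSecret(raw, p.usernameKey, p.passwordKey)
	if err != nil {
		return false, err
	}
	if prev := p.current.Load(); prev != nil && *prev == next {
		return false, nil
	}
	p.current.Store(&next) // one pointer swap publishes both fields together
	if p.onChange != nil {
		p.onChange(next)
	}
	return true, nil
}

// Credentials returns the current pair; ok is false before the first successful poll.
func (p *CredentialPoller) Credentials() (secretCredentials, bool) {
	if cur := p.current.Load(); cur != nil {
		return *cur, true
	}
	return secretCredentials{}, false
}

// fakeFetcher is a constructed stand-in for the AWS client; fields are set by the caller.
type fakeFetcher struct {
	Payload []byte
	Err     error
}
func (f *fakeFetcher) Fetch(context.Context) ([]byte, error) { return f.Payload, f.Err }

func main() {
	f := &fakeFetcher{Payload: []byte(`{"username":"otel","password":"s3cret-v1"}`)}
	p := NewCredentialPoller(f, "", "", func(secretCredentials) { fmt.Println("credentials rotated") })
	fmt.Println(p.Poll(context.Background())) // initial load
	f.Payload = []byte(`{"username":"otel","password":"s3cret-v2"}`)
	fmt.Println(p.Poll(context.Background())) // rotation detected
	f.Err = errors.New("AccessDeniedException")
	fmt.Println(p.Poll(context.Background())) // failure; last known good retained
	c, _ := p.Credentials()
	fmt.Println(c.Password)
}
```

The point of the single pointer is the check in Poll: a reader calling Credentials during a rotation gets either the pre-rotation pair or the post-rotation pair, never the new username with the old password, which is exactly the torn read that two separate atomics allow. A periodic ticker around Poll, with the ticker goroutine holding its own copy of the stop channel, gives the polling loop the commit message describes.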
lazureykis (Contributor, Author) commented:

Closing this in favor of a different approach suggested by @thomasbaldwin in #48277. Instead of adding the AWS SDK dependency directly to basicauthextension, I'm first extracting the shared basic auth logic into
Summary

- client_auth.aws_secrets_manager option that polls a JSON secret from AWS Secrets Manager and rotates credentials in place without restarting the collector
- username/password/*_file options
- Resolves #48277
Configuration example
Test plan
-race