Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[extensions/sigv4auth] sigv4auth requires AWS credentials to run 'validate' subcommand #32214

Open
tredman opened this issue Apr 7, 2024 · 6 comments
Open

[extensions/sigv4auth] sigv4auth requires AWS credentials to run 'validate' subcommand #32214

tredman opened this issue Apr 7, 2024 · 6 comments
Labels
extension/sigv4auth good first issue Good for newcomers Stale

Comments

@tredman
Copy link

tredman commented Apr 7, 2024

Component(s)

extension/sigv4auth

Describe the issue you're reporting

Hello! I'm trying to invoke validate from a build pipeline so that we do basic validation of the OTEL configs we're pushing out to our users. Recently I added an exporter for Amazon Managed Prometheus, which requires the sigv4auth extension in order to authenticate.

      sigv4auth/amp:
        service: 'aps'
        region: 'us-east-1'

After doing this, validate fails to run with the following error:

Error: extensions::sigv4auth/amp: could not retrieve credential provider: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: host is down
2024/04/07 08:37:16 collector server run finished with error: extensions::sigv4auth/amp: could not retrieve credential provider: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: host is down

Initially I resolved this by authenticating to one of my AWS accounts, but through experimentation I found I can fix this by supplying arbitrary/invalid values for the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. This seems like something that the validation command should just handle gracefully, perhaps by just initializing the AWS SDK with some kind of mock config.

otelcol-contrib version 0.97.0
@tredman tredman added the needs triage New item requiring triage label Apr 7, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 7, 2024

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

This was referenced Apr 9, 2024
Closed
Closed
@tredman tredman mentioned this issue Apr 25, 2024
Closed
@bryan-aguilar
Copy link
Contributor

I believe this is because we try to get the provider during config validation. I'm not sure if credentials validation should be part of validating the configuration. It may make more sense to do this when the extension is created and then return an error from newSigV4Extension. I believe this change would cause the validate to pass when no credentials exist, but fail on collector startup. This would preserve existing behavior.

If someone decides to take this on I think another improvement to make would be removing the private credsProvider field out of the config struct and moving into the sigv4auth struct.

@bryan-aguilar bryan-aguilar added good first issue Good for newcomers and removed needs triage New item requiring triage labels May 1, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 1, 2024

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions github-actions bot added the Stale label Jul 1, 2024
@mvillafuertem
Copy link

Hi @tredman

When I have to use osis and when I have to use aps? I haven't found any documentation about it...

      sigv4auth:
        service: 'aps'
        region: 'us-east-1'
      sigv4auth:
        service: 'osis'
        region: 'us-east-1'

@github-actions github-actions bot removed the Stale label Jul 17, 2024
@tredman
Copy link
Author

tredman commented Jul 19, 2024

Hi @tredman

When I have to use osis and when I have to use aps? I haven't found any documentation about it...

      sigv4auth:
        service: 'aps'
        region: 'us-east-1'
      sigv4auth:
        service: 'osis'
        region: 'us-east-1'

This seems unrelated to my issue but osis looks like OpenSearch Ingestion. aps is for Amazon Managed Prometheus

@github-actions GitHub Actions
Copy link
Contributor

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions github-actions bot added the Stale label Sep 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
extension/sigv4auth good first issue Good for newcomers Stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tredman @mvillafuertem @bryan-aguilar