
Use IAM credential endpoint from IMDS for accurate entity IAM role n…
…ame (#1414)

Co-authored-by: Zhihong Lin <[email protected]>
Co-authored-by: zhihonl <[email protected]>
3 people authored Nov 6, 2024
1 parent a19df6f commit bc99755
Showing 4 changed files with 19 additions and 36 deletions.
8 changes: 4 additions & 4 deletions extension/entitystore/extension_test.go
Expand Up @@ -103,10 +103,6 @@ func (m *mockMetadataProvider) InstanceID(ctx context.Context) (string, error) {
return "MockInstanceID", nil
}

func (m *mockMetadataProvider) InstanceProfileIAMRole() (string, error) {
return "arn:aws:iam::123456789:instance-profile/TestRole", nil
}

func (m *mockMetadataProvider) InstanceTags(ctx context.Context) (string, error) {
if m.InstanceTagError {
return "", errors.New("an error occurred for instance tag retrieval")
Expand All @@ -118,6 +114,10 @@ func (m *mockMetadataProvider) InstanceTags(ctx context.Context) (string, error)
return tagsString, nil
}

func (m *mockMetadataProvider) ClientIAMRole(ctx context.Context) (string, error) {
return "TestRole", nil
}

func (m *mockMetadataProvider) InstanceTagValue(ctx context.Context, tagKey string) (string, error) {
tag, ok := m.Tags[tagKey]
if !ok {
27 changes: 7 additions & 20 deletions extension/entitystore/serviceprovider.go
Expand Up @@ -5,11 +5,9 @@ package entitystore

import (
"context"
"fmt"
"strings"
"sync"

"github.com/aws/aws-sdk-go/aws/arn"
"go.uber.org/zap"

configaws "github.com/aws/amazon-cloudwatch-agent/cfg/aws"
Expand All @@ -19,10 +17,9 @@ import (
)

const (
INSTANCE_PROFILE = "instance-profile/"
SERVICE = "service"
APPLICATION = "application"
APP = "app"
SERVICE = "service"
APPLICATION = "application"
APP = "app"

// Matches the default value from OTel
// https://opentelemetry.io/docs/languages/sdk-configuration/general/#otel_service_name
Expand Down Expand Up @@ -231,23 +228,13 @@ func (s *serviceprovider) serviceAttributeFallback() ServiceAttribute {
}

func (s *serviceprovider) scrapeIAMRole() error {
iamRole, err := s.metadataProvider.InstanceProfileIAMRole()
iamRole, err := s.metadataProvider.ClientIAMRole(context.Background())
if err != nil {
return err
}
iamRoleArn, err := arn.Parse(iamRole)
if err != nil {
return err
}
iamRoleResource := iamRoleArn.Resource
if strings.HasPrefix(iamRoleResource, INSTANCE_PROFILE) {
roleName := strings.TrimPrefix(iamRoleResource, INSTANCE_PROFILE)
s.mutex.Lock()
s.iamRole = roleName
s.mutex.Unlock()
} else {
return fmt.Errorf("IAM Role resource does not follow the expected pattern. Should be instance-profile/<role_name>")
}
s.mutex.Lock()
s.iamRole = iamRole
s.mutex.Unlock()
return nil
}
func (s *serviceprovider) scrapeImdsServiceName() error {
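Review bot: scrapeIAMRole now stores the IMDS response body verbatim in `s.iamRole = iamRole`, whereas the removed code at least checked that the value had the expected shape before accepting it; the `iam/security-credentials` path is a listing endpoint, so a trailing newline or a second entry (should IMDS ever return one) would be recorded inside the entity's IAM role attribute unchanged. Consider normalising before the locked assignment, e.g. `iamRole = strings.TrimSpace(iamRole)` then `iamRole, _, _ = strings.Cut(iamRole, "\n")`, and returning an error when the result is empty so an empty body is not stored as a role name. The `strings` import survives the import hunk at the top of this file, so no import change is needed. scrapeImdsServiceName continues outside the hunk.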
12 changes: 4 additions & 8 deletions internal/ec2metadataprovider/ec2metadataprovider.go
Expand Up @@ -20,8 +20,8 @@ type MetadataProvider interface {
Get(ctx context.Context) (ec2metadata.EC2InstanceIdentityDocument, error)
Hostname(ctx context.Context) (string, error)
InstanceID(ctx context.Context) (string, error)
InstanceProfileIAMRole() (string, error)
InstanceTags(ctx context.Context) (string, error)
ClientIAMRole(ctx context.Context) (string, error)
InstanceTagValue(ctx context.Context, tagKey string) (string, error)
}

Expand Down Expand Up @@ -61,13 +61,9 @@ func (c *metadataClient) Hostname(ctx context.Context) (string, error) {
})
}

func (c *metadataClient) InstanceProfileIAMRole() (string, error) {
return withMetadataFallbackRetry(context.Background(), c, func(metadataClient *ec2metadata.EC2Metadata) (string, error) {
iamInfo, err := metadataClient.IAMInfo()
if err != nil {
return "", err
}
return iamInfo.InstanceProfileArn, nil
func (c *metadataClient) ClientIAMRole(ctx context.Context) (string, error) {
return withMetadataFallbackRetry(ctx, c, func(metadataClient *ec2metadata.EC2Metadata) (string, error) {
return metadataClient.GetMetadataWithContext(ctx, "iam/security-credentials")
})
}

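Review bot: ClientIAMRole on the MetadataProvider interface has no doc comment, and the implementation does not say what the `iam/security-credentials` path yields, so a reader going by the name alone could expect role credentials rather than a role name. Document it on the interface, e.g. `// ClientIAMRole returns the body of the IMDS iam/security-credentials listing, i.e. the name of the IAM role attached to the instance, exactly as IMDS returns it (no trimming or validation).` A one-line comment in the implementation is also worth adding to say the path is deliberately left at the listing level: appending a role name to it would return that role's temporary credentials, which this provider must never fetch, cache or log. withMetadataFallbackRetry is defined outside the hunk, so its retry and fallback behaviour could not be checked here.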
8 changes: 4 additions & 4 deletions plugins/processors/ec2tagger/ec2tagger_test.go
Expand Up @@ -148,14 +148,14 @@ func (m *mockMetadataProvider) InstanceTags(ctx context.Context) (string, error)
return "MockInstanceTag", nil
}

func (m *mockMetadataProvider) InstanceProfileIAMRole() (string, error) {
return "MockIAM", nil
}

func (m *mockMetadataProvider) InstanceTagValue(ctx context.Context, tagKey string) (string, error) {
return "MockInstanceValue", nil
}

func (m *mockMetadataProvider) ClientIAMRole(ctx context.Context) (string, error) {
return "MockIAMRole", nil
}

var mockedInstanceIdentityDoc = &ec2metadata.EC2InstanceIdentityDocument{
InstanceID: "i-01d2417c27a396e44",
Region: "us-east-1",
