From bc9975519dcc15ada010f882cc3b17a4efca2a68 Mon Sep 17 00:00:00 2001 From: POOJA REDDY NATHALA Date: Wed, 6 Nov 2024 16:22:06 -0500 Subject: [PATCH 1/3] Use IAM credential endpoint from IMDS for accurate entity IAM role name (#1414) Co-authored-by: Zhihong Lin Co-authored-by: zhihonl <61301537+zhihonl@users.noreply.github.com> --- extension/entitystore/extension_test.go | 8 +++--- extension/entitystore/serviceprovider.go | 27 +++++-------------- .../ec2metadataprovider.go | 12 +++------ .../processors/ec2tagger/ec2tagger_test.go | 8 +++--- 4 files changed, 19 insertions(+), 36 deletions(-) diff --git a/extension/entitystore/extension_test.go b/extension/entitystore/extension_test.go index 988df7dd54..5662cf1d88 100644 --- a/extension/entitystore/extension_test.go +++ b/extension/entitystore/extension_test.go @@ -103,10 +103,6 @@ func (m *mockMetadataProvider) InstanceID(ctx context.Context) (string, error) { return "MockInstanceID", nil } -func (m *mockMetadataProvider) InstanceProfileIAMRole() (string, error) { - return "arn:aws:iam::123456789:instance-profile/TestRole", nil -} - func (m *mockMetadataProvider) InstanceTags(ctx context.Context) (string, error) { if m.InstanceTagError { return "", errors.New("an error occurred for instance tag retrieval") @@ -118,6 +114,10 @@ func (m *mockMetadataProvider) InstanceTags(ctx context.Context) (string, error) return tagsString, nil } +func (m *mockMetadataProvider) ClientIAMRole(ctx context.Context) (string, error) { + return "TestRole", nil +} + func (m *mockMetadataProvider) InstanceTagValue(ctx context.Context, tagKey string) (string, error) { tag, ok := m.Tags[tagKey] if !ok { diff --git a/extension/entitystore/serviceprovider.go b/extension/entitystore/serviceprovider.go index 157dbfff2f..c65a0daf62 100644 --- a/extension/entitystore/serviceprovider.go +++ b/extension/entitystore/serviceprovider.go 
@@ -5,11 +5,9 @@ package entitystore import ( "context" - "fmt" "strings" "sync" - "github.com/aws/aws-sdk-go/aws/arn" "go.uber.org/zap" configaws "github.com/aws/amazon-cloudwatch-agent/cfg/aws" @@ -19,10 +17,9 @@ import ( ) const ( - INSTANCE_PROFILE = "instance-profile/" - SERVICE = "service" - APPLICATION = "application" - APP = "app" + SERVICE = "service" + APPLICATION = "application" + APP = "app" // Matches the default value from OTel // https://opentelemetry.io/docs/languages/sdk-configuration/general/#otel_service_name @@ -231,23 +228,13 @@ func (s *serviceprovider) serviceAttributeFallback() ServiceAttribute { } func (s *serviceprovider) scrapeIAMRole() error { - iamRole, err := s.metadataProvider.InstanceProfileIAMRole() + iamRole, err := s.metadataProvider.ClientIAMRole(context.Background()) if err != nil { return err } - iamRoleArn, err := arn.Parse(iamRole) - if err != nil { - return err - } - iamRoleResource := iamRoleArn.Resource - if strings.HasPrefix(iamRoleResource, INSTANCE_PROFILE) { - roleName := strings.TrimPrefix(iamRoleResource, INSTANCE_PROFILE) - s.mutex.Lock() - s.iamRole = roleName - s.mutex.Unlock() - } else { - return fmt.Errorf("IAM Role resource does not follow the expected pattern. Should be instance-profile/") - } + s.mutex.Lock() + s.iamRole = iamRole + s.mutex.Unlock() return nil } func (s *serviceprovider) scrapeImdsServiceName() error { diff --git a/internal/ec2metadataprovider/ec2metadataprovider.go b/internal/ec2metadataprovider/ec2metadataprovider.go index 48203aef1f..23ece5ad46 100644 --- a/internal/ec2metadataprovider/ec2metadataprovider.go +++ b/internal/ec2metadataprovider/ec2metadataprovider.go 
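Review bot: `scrapeIAMRole` now stores whatever `ClientIAMRole` returns, so an empty or malformed value would be written to `s.iamRole` and reported as success, where the removed code rejected anything that did not parse as an instance-profile ARN. A guard before taking the lock, such as `if iamRole == "" { return errors.New("empty IAM role name from IMDS") }`, would keep a blank role out of the entity; the import hunk for this file does not show whether `errors` is available. The call also passes `context.Background()`, so the lookup has no deadline or cancellation beyond whatever the provider's retry helper applies, which is not visible here. A caller-supplied context, or one from `context.WithTimeout`, would bound it.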
@@ -20,8 +20,8 @@ type MetadataProvider interface { Get(ctx context.Context) (ec2metadata.EC2InstanceIdentityDocument, error) Hostname(ctx context.Context) (string, error) InstanceID(ctx context.Context) (string, error) - InstanceProfileIAMRole() (string, error) InstanceTags(ctx context.Context) (string, error) + ClientIAMRole(ctx context.Context) (string, error) InstanceTagValue(ctx context.Context, tagKey string) (string, error) } @@ -61,13 +61,9 @@ func (c *metadataClient) Hostname(ctx context.Context) (string, error) { }) } -func (c *metadataClient) InstanceProfileIAMRole() (string, error) { - return withMetadataFallbackRetry(context.Background(), c, func(metadataClient *ec2metadata.EC2Metadata) (string, error) { - iamInfo, err := metadataClient.IAMInfo() - if err != nil { - return "", err - } - return iamInfo.InstanceProfileArn, nil +func (c *metadataClient) ClientIAMRole(ctx context.Context) (string, error) { + return withMetadataFallbackRetry(ctx, c, func(metadataClient *ec2metadata.EC2Metadata) (string, error) { + return metadataClient.GetMetadataWithContext(ctx, "iam/security-credentials") }) } diff --git a/plugins/processors/ec2tagger/ec2tagger_test.go b/plugins/processors/ec2tagger/ec2tagger_test.go index 25e419b20c..f550a75ebc 100644 --- a/plugins/processors/ec2tagger/ec2tagger_test.go +++ b/plugins/processors/ec2tagger/ec2tagger_test.go @@ -148,14 +148,14 @@ func (m *mockMetadataProvider) InstanceTags(ctx context.Context) (string, error) return "MockInstanceTag", nil } -func (m *mockMetadataProvider) InstanceProfileIAMRole() (string, error) { - return "MockIAM", nil -} - func (m *mockMetadataProvider) InstanceTagValue(ctx context.Context, tagKey string) (string, error) { return "MockInstanceValue", nil } +func (m *mockMetadataProvider) ClientIAMRole(ctx context.Context) (string, error) { + return "MockIAMRole", nil +} + var mockedInstanceIdentityDoc = &ec2metadata.EC2InstanceIdentityDocument{ InstanceID: "i-01d2417c27a396e44", Region: "us-east-1", 
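Review bot: `ClientIAMRole` returns the raw body of `iam/security-credentials` and has no doc comment saying what that body is. That IMDS path lists the role name(s) attached to the instance, not an ARN and not the credential document, and both the consumer in `serviceprovider.go` and the mocks in this patch rely on that. A comment such as `// ClientIAMRole returns the IAM role name listed under iam/security-credentials in IMDS; it does not read the credentials themselves.` would make the contract explicit on the method and the interface entry. The value could also be normalized here with `return strings.TrimSpace(role), nil` after the error check, so a trailing newline or surrounding whitespace does not reach the entity attribute; whether `strings` is already imported in this file is not visible in the hunk.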
From 8ac5454dd18dc136bfa0238a394abf12bf4649d5 Mon Sep 17 00:00:00 2001
From: zhihonl <61301537+zhihonl@users.noreply.github.com>
Date: Wed, 6 Nov 2024 18:55:34 -0500
Subject: [PATCH 2/3] Update RELEASE_NOTES 1.300049.1 (#1415)
---
 RELEASE_NOTES | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/RELEASE_NOTES b/RELEASE_NOTES
index 87502b8190..ed001459a0 100644
--- a/RELEASE_NOTES
+++ b/RELEASE_NOTES
@@ -1,3 +1,14 @@
+========================================================================
+Amazon CloudWatch Agent 1.300049.1 (2024-11-06)
+========================================================================
+Enhancements:
+* [Logs] Attach Account ID to entity for cross-account checks
+
+Bug Fixes:
+* [Logs] Fix log stream name placeholder resolution for EMF logs
+* [Logs] Fix race condition in service provider component of entitystore extension
+* [Metrics/Logs] Use IAM credential endpoint from IMDS for accurate entity IAM role name
+
 ========================================================================
 Amazon CloudWatch Agent 1.300049.0 (2024-10-30)
 ========================================================================
From 896a6b60258cf448fb5ffa57610972e1a4c82826 Mon Sep 17 00:00:00 2001
From: Ping Xiang <64551395+pxaws@users.noreply.github.com>
Date: Fri, 8 Nov 2024 10:41:22 -0800
Subject: [PATCH 3/3] add application signals node.js e2e tests (#1407)
Co-authored-by: Lisa Guo
---
 .../application-signals-e2e-test.yml | 44 ++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/application-signals-e2e-test.yml b/.github/workflows/application-signals-e2e-test.yml
index 6799b02744..196ae10a91 100644
--- a/.github/workflows/application-signals-e2e-test.yml
+++ b/.github/workflows/application-signals-e2e-test.yml
@@ -137,4 +137,46 @@ jobs: secrets: inherit with: aws-region: us-east-1 - caller-workflow-name: 'main-build' \ No newline at end of file + caller-workflow-name: 'main-build' + + node-eks-e2e-test: + # Because we share the same eks cluster for different languages, we want to run the tests sequentially to avoid interference + needs: [ CheckBuildTestArtifacts, python-eks-e2e-test ] + uses: aws-observability/aws-application-signals-test-framework/.github/workflows/node-eks-test.yml@main + secrets: inherit + with: + aws-region: us-east-1 + test-cluster-name: 'e2e-cw-agent-test' + caller-workflow-name: 'main-build' + + node-ec2-default-e2e-test: + needs: [ CheckBuildTestArtifacts ] + uses: aws-observability/aws-application-signals-test-framework/.github/workflows/node-ec2-default-test.yml@main + secrets: inherit + with: + aws-region: us-east-1 + caller-workflow-name: 'main-build' + + node-ec2-asg-e2e-test: + needs: [ CheckBuildTestArtifacts ] + uses: aws-observability/aws-application-signals-test-framework/.github/workflows/node-ec2-asg-test.yml@main + secrets: inherit + with: + aws-region: us-east-1 + caller-workflow-name: 'main-build' + + node-k8s-e2e-test: + needs: [ CheckBuildTestArtifacts ] + uses: aws-observability/aws-application-signals-test-framework/.github/workflows/node-k8s-test.yml@main + secrets: inherit + with: + aws-region: us-east-1 + caller-workflow-name: 'main-build' + + node-ecs-e2e-test: + needs: [ CheckBuildTestArtifacts ] + uses: aws-observability/aws-application-signals-test-framework/.github/workflows/node-ecs-test.yml@main + secrets: inherit + with: + aws-region: us-east-1 + caller-workflow-name: 'main-build'
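Review bot: Each of the five new `node-*` jobs calls a reusable workflow at the mutable ref `@main` with `secrets: inherit`, so whatever is on that branch of `aws-observability/aws-application-signals-test-framework` at run time executes with every secret this repository exposes. The context lines suggest the existing jobs follow the same pattern, but each added job widens that exposure. Pinning each `uses:` to a full commit SHA, for example `.../node-eks-test.yml@<commit-sha>`, makes the executed code reviewable and immune to later branch changes. Replacing `secrets: inherit` with an explicit `secrets:` map of only the values each workflow needs would limit what a compromised upstream change could read.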