
Sigv4 - Add Missing STS Dependency #1101


Merged
merged 7 commits into from
Jul 24, 2025

Conversation

liustve
Contributor

@liustve liustve commented Jun 11, 2025

Issue #, if available:
The current Sigv4 Exporter is missing the required dependency from the AWS SDK library to allow STS AssumeRole from the DefaultCredentialsProvider.

For example, this is the error that pops up if the exporter is used in an EKS environment:
WebIdentityTokenCredentialsProvider(): To use web identity tokens, the 'sts' service module must be on the class path.

Leading the credentials provider to default to the worker node role:

WARN io.opentelemetry.exporter.internal.http.HttpExporter - Failed to export spans. Server responded with HTTP status code 403. Error message: User: arn:aws:sts::571600841604:assumed-role/eksctl-spring-demo-cluster-nodegro-NodeInstanceRole-qe5bSShjEHDp/i-0e398f24217b99394 is not authorized to perform: xray:PutTraceSegments because no identity-based policy allows the xray:PutTraceSegments action

Description of changes:

Add STS as a dependency for the OtlpAws Exporters in order to allow the exporter to AssumeRole.

Testing
A sample EKS application was deployed with a custom ADOT Java Agent artifact that has the STS dependency added. I see spans appearing in the aws/spans log group:

{
    "resource": {
        "attributes": {
            "telemetry.distro.version": "2.11.0-aws-SNAPSHOT",
            "host.image.id": "ami-0335cf904e4303efa",
            "process.command_args": [
                "/usr/lib/jvm/java-17-amazon-corretto/bin/java",
                "-Xms512m",
                "-Xmx1024m",
                "-Dspring.profiles.active=prod",
                "-javaagent:/app/opentelemetry-javaagent.jar",
                "-jar",
                "app.jar"
            ],
            "process.runtime.version": "17.0.15+6-LTS",
            "os.type": "linux",
            "process.pid": 1,
            "host.type": "t3.medium",
            "cloud.availability_zone": "us-east-1a",
            "telemetry.sdk.name": "opentelemetry",
            "telemetry.sdk.language": "java",
            "process.runtime.name": "OpenJDK Runtime Environment",
            "service.instance.id": "afe04022-e9c0-4c77-b0a1-0d790fc0200e",
            "os.description": "Linux 6.1.134-152.225.amzn2023.x86_64",
            "host.arch": "amd64",
            "host.name": "ip-192-168-23-12.ec2.internal",
            "telemetry.sdk.version": "1.45.0",
            "cloud.platform": "aws_ec2",
            "host.id": "i-0c88a3c68d45dfd96",
            "deployment.environment": "prod",
            "cloud.region": "us-east-1",
            "service.name": "demo-app",
            "telemetry.distro.name": "opentelemetry-java-instrumentation",
            "cloud.provider": "aws",
            "service.version": "0.0.1-SNAPSHOT",
            "cloud.account.id": "571600841604",
            "process.executable.path": "/usr/lib/jvm/java-17-amazon-corretto/bin/java",
            "process.runtime.description": "Amazon.com Inc. OpenJDK 64-Bit Server VM 17.0.15+6-LTS"
        }
    },
    "scope": {
        "name": "io.opentelemetry.tomcat-10.0",
        "version": "2.11.0-adot1-alpha"
    },
    "traceId": "6849fcc297c5ca4699ec920918d750ee",
    "spanId": "36e360cfd4490b85",
    "flags": 257,
    "name": "GET /hello",
    "kind": "SERVER",
    "startTimeUnixNano": 1749679298293950299,
    "endTimeUnixNano": 1749679298295162110,
    "durationNano": 1211811,
    "attributes": {
        "user_agent.original": "kube-probe/1.32+",
        "aws.local.service": "demo-app",
        "telemetry.extended": "true",
        "network.protocol.version": "1.1",
        "network.peer.port": 35512,
        "url.scheme": "http",
        "thread.name": "http-nio-8080-exec-3",
        "aws.local.environment": "prod",
        "server.address": "192.168.21.181",
        "client.address": "192.168.23.12",
        "network.peer.address": "192.168.23.12",
        "aws.local.operation": "GET /hello",
        "http.status_code": 200,
        "aws.span.kind": "LOCAL_ROOT",
        "url.path": "/hello",
        "http.request.method": "GET",
        "http.route": "/hello",
        "server.port": 8080,
        "PlatformType": "AWS::EC2",
        "http.response.status_code": 200,
        "thread.id": 26
    },
    "status": {
        "code": "UNSET"
    }
}

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
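The failure described above is silent: the chain skips the web identity provider and falls through to the instance role, and the only symptom is a 403 from the downstream service. The following check is an added example, not code from this PR or from the ADOT project; it assumes AWS SDK for Java v2 with the `sts` module (`software.amazon.awssdk:sts`) on the classpath, that `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are injected by the EKS pod identity webhook, and that a region is available from the default region chain (for example `AWS_REGION`).

```java
// Added example, not part of the PR: confirm the default credentials chain
// resolved the IRSA role rather than the node role. Assumes the AWS SDK v2
// 'sts' module (software.amazon.awssdk:sts) is on the classpath and that
// AWS_ROLE_ARN is set, as it is under IRSA on EKS.
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.services.sts.StsClient;

public class CredentialChainCheck {

    /** Role name from an IAM role ARN (arn:aws:iam::acct:role/Name) or an
     *  STS assumed-role ARN (arn:aws:sts::acct:assumed-role/Name/session);
     *  null for anything else (e.g. an IAM user). */
    static String roleNameFromArn(String arn) {
        if (arn == null) return null;
        int i = arn.indexOf(":assumed-role/");
        if (i >= 0) {
            String rest = arn.substring(i + ":assumed-role/".length());
            int slash = rest.indexOf('/');
            return slash < 0 ? rest : rest.substring(0, slash);
        }
        i = arn.indexOf(":role/");
        return i >= 0 ? arn.substring(i + ":role/".length()) : null;
    }

    /** True when the caller identity is the role IRSA was supposed to assume. */
    static boolean usesExpectedRole(String expectedRoleArn, String callerArn) {
        String expected = roleNameFromArn(expectedRoleArn);
        return expected != null && expected.equals(roleNameFromArn(callerArn));
    }

    public static void main(String[] args) {
        String expectedRoleArn = System.getenv("AWS_ROLE_ARN");
        if (expectedRoleArn == null) {
            System.err.println("AWS_ROLE_ARN not set; not running under IRSA");
            return;
        }
        // Same chain the exporter uses. Without the sts module the web identity
        // provider is skipped and the chain falls through to the instance role.
        try (StsClient sts = StsClient.builder()
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build()) {
            String callerArn = sts.getCallerIdentity().arn();
            if (usesExpectedRole(expectedRoleArn, callerArn)) {
                System.out.println("OK: running as " + callerArn);
            } else {
                System.err.println("MISMATCH: expected " + expectedRoleArn
                        + " but caller is " + callerArn
                        + " (is software.amazon.awssdk:sts on the classpath?)");
                System.exit(1);
            }
        }
    }
}
```

Run it once from the same container image as the instrumented application; a non-zero exit reproduces the fallback the PR fixes before any 403 appears in the exporter logs.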

@liustve liustve requested a review from a team as a code owner June 11, 2025 22:02
liustve commented Jul 21, 2025


liustve commented Jul 23, 2025

It's safe to include these AWS SDK dependencies in the ADOT Java Agent because we employ Java class shading during the build process. This technique relocates these classes to a different package namespace at runtime, creating a separate classpath that won't conflict with any AWS SDK dependencies that might be present in the main application. This prevents version conflicts and classloader issues that would otherwise occur when the agent and application use different versions of the same libraries.

Unlike other language implementations where lazy-loading is used and dependencies are checked at runtime, Java requires special consideration. In other languages, the SDKs typically include all necessary packages for STS and authentication, and the code checks if the user has the correct dependencies before loading them. For Java, we need to explicitly import AWS SDK components and perform extensive testing to ensure compatibility, as these dependencies are bundled directly with our agent rather than being conditionally loaded from the user's environment.

@liustve liustve merged commit fd17846 into aws-observability:main Jul 24, 2025
14 of 20 checks passed
@liustve liustve deleted the sigv4-sts branch July 24, 2025 11:48