-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
misc: credentials business metrics #1442
base: credentials-chain-order
Are you sure you want to change the base?
Conversation
A new generated diff is ready to view. |
A new generated diff is ready to view. |
A new generated diff is ready to view. |
@@ -7,7 +7,8 @@ | |||
"secret_access_key": "secretkeycorrect", | |||
"session_token": "tokencorrect", | |||
"expiry": 1632249686, | |||
"accountId": "130633740322" | |||
"accountId": "130633740322", | |||
"business_metrics": ["p","0", "i"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this is just meant to resolve credentials from IMDS, why are there three credentials provider metrics emitted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test actually uses this config file. So p
is for the named provider, 0
is for IMDS, and i
is for the assume role call with the credentials resolved from IMDS. I think it might be a good idea to change the docs for this test because I made the same assumption when I first added the business metrics.
/** | ||
* The source used to create the [RoleArn] | ||
*/ | ||
val roleArnSource: RoleArnSource? = null, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
naming: source
makes this more readable, roleArn.source
vs. roleArn.roleArnSource
@@ -318,4 +326,286 @@ class ProfileCredentialsProviderTest { | |||
val expected = credentials("AKID-Default", "Default-Secret", accountId = "12345") | |||
assertEquals(expected, actual) | |||
} | |||
|
|||
@Test | |||
fun staticCredentialsBusinessMetrics() = runTest { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
naming: static -> profile
override val name: String = "credentialsOverrideBusinessMetricsMiddleware" | ||
override fun render(ctx: ProtocolGenerator.GenerationContext, op: OperationShape, writer: KotlinWriter) { | ||
writer.withBlock( | ||
"if (config.credentialsProvider.#T != #S ) {", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Compare classes directly rather than their simple names, if (config.credentialsProvider !is ManagedCredentialsProvider)
"ManagedCredentialsProvider", | ||
) { | ||
write( | ||
"op.context.#T(#T.Credentials.CREDENTIALS_CODE)", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This middleware will emit CREDENTIALS_CODE
any time a custom credentials provider is configured and used. I thought that this metric referred to using the StaticCredentialsProvider
.
If someone configures a custom ProfileCredentialsProvider
, should we really not be emitting the CREDENTIALS_PROFILE
metric?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CREDENTIALS_CODE
is meant for when there's any code to setup credentials, so configuring a custom / non-default credentials provider, the StaticCredentialsProvider
, session objects for boto, etc. We don't have a business metric for StaticCredentialsProvider
but it falls under CREDENTIALS_CODE
. We could get more specific in the future though, we would just have to discuss adding a metric for something like the StaticCredentialsProvider
that all SDKs share.
CREDENTIALS_PROFILE
is confusing, it's meant for static credentials in a profile. It was called something else but I think the name changed during review. Same as StaticCredentialsProvider
, we don't have a metric for ProfileCredentialsProvider
. The focus for the initial metrics was more on the default credentials provider chain related metrics not all credentials providers but we can go back and add more metrics soon because I think they would be very useful.
We still capture most of what's going on, e.g. If a user sets the ProfileCredentialsProvider
we would see that they set a non-default credentials provider, and then we could see where in the profile the credentials are resolved from because every profile option is captured in the metrics.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CREDENTIALS_CODE
is now mapped to StaticCredentialsProvider
. It's not in the provider itself because it's an implementation detail for other providers.
/** | ||
* Indicates if the class was created using [fromEnvironment] | ||
*/ | ||
private var createdFromEnvironment: Boolean = false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand why you needed to add this but it seems a little hacky.
We only call StsWebIdentityCredentialsProvider.fromEnvironment
in one spot, the default chain, can the metrics emission for that be lifted to that point and then we can remove this createdFromEnvironment
here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I originally had it in the default credentials provider chain but it wasn't working correctly so I moved it here. The default credentials provider chain doesn't have attributes so I was creating some and then merging them with the ones from the resolve call, but something about that wasn't working correctly. I can try again for a bit and see if I can make it work.
…der is configured by user
…f StsWebIdentityCredentialsProvider
Quality Gate failedFailed conditions |
A new generated diff is ready to view. |
Issue #
Description of changes
-Emitting credentials related business metrics
-Tests for credentials related business metrics
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.