Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New component: AWS Secrets Manager Provider #19368

Closed
1 of 2 tasks
driverpt opened this issue Mar 7, 2023 · 21 comments
Closed
1 of 2 tasks

New component: AWS Secrets Manager Provider #19368

driverpt opened this issue Mar 7, 2023 · 21 comments
Labels
Accepted Component New component has been sponsored

Comments

@driverpt
Copy link
Contributor

driverpt commented Mar 7, 2023

The purpose and use-cases of the new component

Currently OTEL Collector in AWS is used in ECS, since ECS injects secrets directly from AWS Secrets Manager to Environment Variables. This forces us to attach AWS Lambdas in VPC's to be able to route all Telemetry to ECS Container running OTEL Collector.

For better resource usage, we would like to use OTEL Collector as Lambda Layer and inject the secrets, so that there's no need to attach to a specific VPC and potentially causing IP Exhaustion if you have a lot of invocations.

Example configuration for the component

receivers:
  otlp:
    protocols:
      grpc:
      http:

processors:
  batch:
  memory_limiter:

exporters:
  otlp/provider1:
    endpoint: https://provider1.domain.com:12345
    headers:
      api-key: ${secretsmanager:<SecretArnOrName>}
    compression: gzip

service:
  pipelines:
    traces:
      receivers: [otlp]
      processors: [memory_limiter, batch]
      exporters: [otlp/provider1]
    metrics:
      receivers: [otlp]
      processors: [memory_limiter, batch]
      exporters: [otlp/provider1]

Telemetry data types supported

N/A

Is this a vendor-specific component?

  • This is a vendor-specific component
  • If this is a vendor-specific component, I am proposing to contribute this as a representative of the vendor.

Sponsor (optional)

No response

Additional context

No response

@driverpt driverpt added the needs triage New item requiring triage label Mar 7, 2023
@driverpt
Copy link
Contributor Author

driverpt commented Mar 7, 2023

Upstream Link: aws-observability/aws-otel-collector#1894

@atoulme atoulme added Sponsor Needed New component seeking sponsor and removed needs triage New item requiring triage labels Mar 7, 2023
@driverpt
Copy link
Contributor Author

driverpt commented Mar 9, 2023

@mhausenblas , do you want to Sponsor?

@mhausenblas
Copy link
Member

@driverpt while I'm supportive, I technically can't sponsor it since I ain't no maintainer ;)

CC: @Aneurysm9

@rapphil
Copy link
Contributor

rapphil commented Mar 10, 2023

For better resource usage, we would like to use OTEL Collector as Lambda Layer and inject the secrets, so that there's no need to attach to a specific VPC and potentially causing IP Exhaustion if you have a lot of invocations.

I'm not following this part. To inject secrets into environment variables in lambda, do you need to attach it to a VPC?

Have you considered this alternative? https://aws.amazon.com/blogs/compute/creating-aws-lambda-environmental-variables-from-aws-secrets-manager/

@driverpt
Copy link
Contributor Author

Hello @rapphil , haven't tried that yet. Will make sure I give it a shot on Monday. But from a quick read through out the article, it seems that it only works for provided.al2 Runtimes.

Will give more feedback once I try it.

@rapphil
Copy link
Contributor

rapphil commented Mar 13, 2023

Hello @driverpt , can you clarify the statement about IP Exhaustion if you have a lot of invocations? I'm still interested in that specific issue in the context of secrets manager.

@driverpt
Copy link
Contributor Author

Hello @rapphil , we require SecretsManager to be able to Inject the External Observability Provider Key in OTEL Collector.

Currently on ECS we can use the Secrets part to inject it from SecretsManager.

This would allow us to have VPC-less Lambdas and be able to use OTEL Collector as a Layer instead of the need to attach Lambdas to VPC + OTEL Collector on ECS.

If we have a lot of concurrent Lambda Invocations we will exhaust the DHCP IP Pool

@Aneurysm9
Copy link
Member

I'm happy to sponsor this component, but I think I'd like it to be somewhat more general. Because each config provider needs a URI-like scheme identifier, and because most AWS resources can be referenced with URN-like ARNs, I'm thinking that an arn: config provider would be good to have. We could support Secrets Manager ARNs first and report an error for any other type. This would help avoid any naming concerns with secretsmanager: vs. awssecretsmanager: or any other scheme name as well as providing a clear path forward for expanding support to SSM Parameter Store or other AWS resources that could be used to store configuration.

@driverpt
Copy link
Contributor Author

driverpt commented Mar 13, 2023

@Aneurysm9 , I wanted to create the PR with ${aws:secretsmanager}, but I was unsure about that convention. IMHO, given that we may have multiple providers, I think a "Namespace" should be reserved for the Cloud Provider, e.g.:

${gcp:secretsmanager:<value>}
${aws:secretsmanager:<arn or name>}
${digitalocean:secretsmanager:<value>}

WDYT ?

@Aneurysm9
Copy link
Member

I don't think that's a problem we need to solve at this point for adding AWS Secrets Manager support as we can use the ARN. Given that they have the form arn:aws:secretsmanager:<Region>:<AccountId>:secret:SecretName-6RandomCharacters we can extract all the information needed from the ARN.

@driverpt
Copy link
Contributor Author

I don't think that's a problem we need to solve at this point for adding AWS Secrets Manager support as we can use the ARN. Given that they have the form arn:aws:secretsmanager:<Region>:<AccountId>:secret:SecretName-6RandomCharacters we can extract all the information needed from the ARN.

Partition is missing, arn:<Partition>:secretsmanager:<Region>:<AccountId>:secret:SecretName-6RandomCharacters

What do you suggest that I change in the PR I've created?

@github-actions
Copy link
Contributor

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

@github-actions github-actions bot added the Stale label May 15, 2023
@driverpt
Copy link
Contributor Author

No stale

@github-actions github-actions bot removed the Stale label May 26, 2023
@github-actions
Copy link
Contributor

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

@github-actions github-actions bot added the Stale label Jul 26, 2023
@driverpt
Copy link
Contributor Author

Ping

@atoulme
Copy link
Contributor

atoulme commented Oct 9, 2023

I will sponsor this new component.

@atoulme atoulme added Accepted Component New component has been sponsored and removed Sponsor Needed New component seeking sponsor labels Oct 9, 2023
Copy link
Contributor

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

@github-actions github-actions bot added the Stale label Dec 11, 2023
@driverpt
Copy link
Contributor Author

Any ETA on this one?

@github-actions github-actions bot removed the Stale label Dec 12, 2023
@atoulme
Copy link
Contributor

atoulme commented Dec 14, 2023

We need help to resolve the conflict on #19341 and we can then move forward.

Copy link
Contributor

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

@github-actions github-actions bot added the Stale label Feb 12, 2024
dmitryax pushed a commit that referenced this issue Feb 16, 2024
== This is continuation of
#19341
==

**Description:** 
Adding AWS SecretsManager Support. To be able to inject secrets via AWS
Lambda Layer

**Link to tracking Issue:**
[19368](#19368)

**Testing:** Test fetching via SecretsManager emulating AWS API

**Documentation:** README.md

---------

Co-authored-by: Luís Duarte <[email protected]>
XinRanZhAWS pushed a commit to XinRanZhAWS/opentelemetry-collector-contrib that referenced this issue Mar 13, 2024
== This is continuation of
open-telemetry#19341
==

**Description:** 
Adding AWS SecretsManager Support. To be able to inject secrets via AWS
Lambda Layer

**Link to tracking Issue:**
[19368](open-telemetry#19368)

**Testing:** Test fetching via SecretsManager emulating AWS API

**Documentation:** README.md

---------

Co-authored-by: Luís Duarte <[email protected]>
@atoulme atoulme removed the Stale label Mar 30, 2024
@atoulme
Copy link
Contributor

atoulme commented Mar 30, 2024

Completed!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Accepted Component New component has been sponsored
Projects
None yet
Development

No branches or pull requests

5 participants