sigv4authextension

package module
v0.126.0
Published: May 13, 2025 License: Apache-2.0 Imports: 19 Imported by: 12

README

Authenticator - Sigv4

Status

Stability: beta
Distributions: contrib
Code Owners: @Aneurysm9, @erichsueh3

This extension provides Sigv4 authentication for making requests to AWS services. You can read about the Sigv4 process in the AWS documentation.

Configuration

The configuration fields are as follows:

  • assume_role: Optional. Specifies the configuration needed to assume a role.
    • arn: The Amazon Resource Name (ARN) of the role to assume.
    • session_name: Optional. The name of the role session.
    • web_identity_token_file: The path to the file containing the JWT to be exchanged for AWS credentials.
    • sts_region: The AWS region whose STS endpoint is used to assume the configured role.
      • Note that if a role is to be assumed and sts_region is not provided, sts_region defaults to the value of region, if region is provided.
  • region: Optional. The AWS region of the service you are exporting to, as used in the Sigv4 signature. It is kept separate from sts_region so that cross-region authentication works.
    • Note that if it is not set, an attempt will be made to derive a valid region from the endpoint of the service you are exporting to.
    • List of AWS regions
  • service: Optional. The AWS service name used in the Sigv4 signature.
    • Note that for supported services an attempt will be made to derive the service from the endpoint of the service you are exporting to. Supported services include workspaces, es, logs and traces.
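The precedence rules above (explicit region, otherwise region derived from the exporter endpoint; sts_region defaulting to region when a role is assumed) are easy to get wrong in a hand-written config. The following is an added example, not the extension's own code, that mirrors the documented field names and applies those rules so a deployment can be checked before the collector starts. The region-label regex, the treatment of an endpoint-derived region as equivalent to an explicit one for the sts_region default, and the rejection of assume_role options without an arn are assumptions of this example; the README does not specify them.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// AssumeRole and Config mirror the fields documented for the sigv4auth
// extension. The resolution logic below is an illustration of the README's
// rules, not the extension's own implementation.
type AssumeRole struct {
	ARN                  string
	SessionName          string
	STSRegion            string
	WebIdentityTokenFile string
}

type Config struct {
	Region     string
	Service    string
	AssumeRole AssumeRole
}

// awsRegionLabel matches hostname labels such as us-east-1 or us-gov-west-1
// (assumed pattern; adequate for commercial and GovCloud partitions).
var awsRegionLabel = regexp.MustCompile(`^[a-z]{2}(-gov)?-[a-z]+-\d$`)

// regionFromEndpoint extracts the region label from an amazonaws.com endpoint,
// e.g. aps-workspaces.us-west-2.amazonaws.com -> us-west-2.
func regionFromEndpoint(endpoint string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	host := strings.ToLower(u.Hostname())
	if !strings.HasSuffix(host, ".amazonaws.com") {
		return "", fmt.Errorf("endpoint %q is not an amazonaws.com host", host)
	}
	for _, label := range strings.Split(host, ".") {
		if awsRegionLabel.MatchString(label) {
			return label, nil
		}
	}
	return "", fmt.Errorf("no region label found in %q", host)
}

// Resolved carries the effective values after the defaulting rules are applied.
type Resolved struct {
	Region    string
	STSRegion string
}

// resolve applies the precedence: an explicit region wins, otherwise the region
// is derived from the exporter endpoint; sts_region defaults to that region when
// a role is assumed and sts_region is unset. Misconfigurations fail early.
func resolve(cfg Config, endpoint string) (Resolved, error) {
	var out Resolved
	region := cfg.Region
	if region == "" {
		derived, err := regionFromEndpoint(endpoint)
		if err != nil {
			return out, fmt.Errorf("region not configured and could not be derived: %w", err)
		}
		region = derived
	}
	out.Region = region

	if cfg.AssumeRole.ARN != "" {
		out.STSRegion = cfg.AssumeRole.STSRegion
		if out.STSRegion == "" {
			out.STSRegion = region // documented default
		}
	} else if cfg.AssumeRole.STSRegion != "" || cfg.AssumeRole.WebIdentityTokenFile != "" {
		// Role options without an ARN cannot work; reject rather than silently ignore.
		return out, errors.New("assume_role options set without an arn")
	}
	return out, nil
}

func main() {
	cfg := Config{AssumeRole: AssumeRole{ARN: "arn:aws:iam::123456789012:role/aws-service-role/access"}}
	r, err := resolve(cfg, "https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-XXX/api/v1/remote_write")
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Running it against the Assume Role configuration from this README, with no explicit region, yields region and sts_region both set to us-west-2, taken from the remote-write endpoint.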

Assume Role

Example Configuration:
extensions:
  sigv4auth:
    assume_role:
      arn: "arn:aws:iam::123456789012:role/aws-service-role/access"
      sts_region: "us-east-1"

receivers:
  hostmetrics:
    scrapers:
      memory:

exporters:
  prometheusremotewrite:
    endpoint: "https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-XXX/api/v1/remote_write"
    auth:
      authenticator: sigv4auth

service:
  extensions: [sigv4auth]
  pipelines:
    metrics:
      receivers: [hostmetrics]
      processors: []
      exporters: [prometheusremotewrite]

Notes

  • The collector must have valid AWS credentials as used by the AWS SDK for Go

Assume Role with Web Identity

Configuring web_identity_token_file will cause the sigv4auth extension to exchange the token in the specified web_identity_token_file for AWS credentials. This is especially useful for authenticating from on-prem systems or other cloud providers via OIDC to publish telemetry to an AWS destination (e.g. Amazon Managed Prometheus).

Prerequisites:

To use Assume Role with Web Identity with the sigv4 extension, an AWS IAM role must be set up so that it can be assumed via OIDC. Once that is in place, a configuration like the one below can be used to assume the role and interact with AWS services. In Kubernetes, the service account token is typically stored in /var/run/secrets/kubernetes.io/serviceaccount/token. Before implementing, ensure that the token's audience is registered with the AWS OIDC identity provider and that its claims satisfy any conditions in the IAM role's trust policy.
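The prerequisite check above (audience registered with the OIDC provider, claims matching the trust policy) can be done locally before the collector is deployed. The following added example, which is not part of the extension, decodes the payload of the token in web_identity_token_file and compares its iss, aud and exp claims against the values the trust policy expects. It deliberately does not verify the signature: STS does that; this is a pre-flight check to explain an AccessDenied before it happens. The issuer URL, subject and audience in the sample token are constructed, and the token is unsigned so the example runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// TokenClaims holds the claims an operator compares against the IAM role trust
// policy and the audiences registered on the OIDC identity provider.
type TokenClaims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience audience `json:"aud"`
	Expiry   int64    `json:"exp"`
}

// audience accepts both the string and the array form that "aud" may take.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = audience(many)
	return nil
}

// parseClaims decodes the payload segment of a compact JWS without verifying
// its signature; verification is left to STS.
func parseClaims(token string) (TokenClaims, error) {
	var c TokenClaims
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return c, errors.New("token is not a three-part compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("decode payload: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("parse claims: %w", err)
	}
	return c, nil
}

// checkToken lists the mismatches between the token and what the trust policy
// expects; an empty result means the token should be accepted by STS.
func checkToken(c TokenClaims, wantIssuer, wantAudience string, now time.Time) []string {
	var problems []string
	if c.Issuer != wantIssuer {
		problems = append(problems, fmt.Sprintf("iss %q != %q", c.Issuer, wantIssuer))
	}
	found := false
	for _, a := range c.Audience {
		if a == wantAudience {
			found = true
		}
	}
	if !found {
		problems = append(problems, fmt.Sprintf("aud %v does not contain %q", c.Audience, wantAudience))
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0)) {
		problems = append(problems, "token expired or has no exp claim")
	}
	return problems
}

// checkTokenFile reads the file named by web_identity_token_file and runs the checks.
func checkTokenFile(path, wantIssuer, wantAudience string) ([]string, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	c, err := parseClaims(string(raw))
	if err != nil {
		return nil, err
	}
	return checkToken(c, wantIssuer, wantAudience, time.Now()), nil
}

// sampleToken is a constructed, unsigned token (alg "none") so the example runs
// offline; a real projected service account token carries a signature.
func sampleToken() string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(
		`{"iss":"https://oidc.example.invalid","sub":"system:serviceaccount:monitoring:otel-collector","aud":"sts.amazonaws.com","exp":4102444800}`))
	return header + "." + payload + "."
}

func main() {
	c, err := parseClaims(sampleToken())
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(c.Issuer, c.Subject, c.Audience)
	fmt.Println(checkToken(c, "https://oidc.example.invalid", "sts.amazonaws.com", time.Now()))
}
```

Point checkTokenFile at the real mounted token path and pass the issuer and audience from the trust policy's Condition block; any returned problem is a mismatch STS will also reject.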

Example Configuration:
extensions:
  sigv4auth:
    assume_role:
      arn: "arn:aws:iam::123456789012:role/aws-service-role/access"
      web_identity_token_file: "/var/run/secrets/kubernetes.io/serviceaccount/token"

receivers:
  hostmetrics:
    scrapers:
      memory:

exporters:
  prometheusremotewrite:
    endpoint: "https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-XXX/api/v1/remote_write"
    auth:
      authenticator: sigv4auth

service:
  extensions: [sigv4auth]
  pipelines:
    metrics:
      receivers: [hostmetrics]
      processors: []
      exporters: [prometheusremotewrite]

Documentation

Overview

Package sigv4authextension implements the `extensionauth.HTTPClient` interface. This extension performs the Sigv4 process of adding authentication information to AWS API requests sent over HTTP. As such, the extension can be used with HTTP-based exporters that export to AWS services.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewFactory

func NewFactory() extension.Factory

NewFactory creates a factory for the Sigv4 Authenticator extension.

Types

type AssumeRole

type AssumeRole struct {
	ARN                  string `mapstructure:"arn,omitempty"`
	SessionName          string `mapstructure:"session_name,omitempty"`
	STSRegion            string `mapstructure:"sts_region,omitempty"`
	WebIdentityTokenFile string `mapstructure:"web_identity_token_file,omitempty"`
}

AssumeRole holds the configuration needed to assume a role

type Config

type Config struct {
	Region     string     `mapstructure:"region,omitempty"`
	Service    string     `mapstructure:"service,omitempty"`
	AssumeRole AssumeRole `mapstructure:"assume_role"`
	// contains filtered or unexported fields
}

Config stores the configuration for the Sigv4 Authenticator

func (*Config) Validate

func (cfg *Config) Validate() error

Validate checks that the configuration is valid. We aim to catch most errors here to ensure that we fail early and to avoid revalidating static data.

Directories

Path Synopsis
internal
