New component: Sigv4 Authenticator Extension #7533

Closed
erichsueh3 opened this issue Feb 2, 2022 · 4 comments

@erichsueh3
Contributor

erichsueh3 commented Feb 2, 2022

The purpose and use-cases of the new component

This extension provides the Sigv4 process of adding authentication information to AWS API requests to HTTP-based exporters for AWS services. This extension implements the configauth.ClientAuthenticator interface. For more information on the Sigv4 process, refer here.

For example, using the Sigv4 authenticator with the Prometheus Remote-Write (PRW) Exporter would allow the OpenTelemetry Collector to send metrics to Amazon Managed Service for Prometheus (AMP). As such, deprecation of the AWS PRW Exporter will follow the addition of the Sigv4 authenticator, and the exporter will eventually be removed entirely.

Example configuration for the component

The configuration fields are as follows:

  • region: Required. The AWS region for AWS Sigv4
  • service: Required. The AWS service for AWS Sigv4
  • role_arn: Optional. The Amazon Resource Name (ARN) of a role to assume
  • sts_endpoint: Optional. The endpoint for the role_arn

Example:

extensions:
  sigv4auth:
    region: "us-west-2" # replace with your own region
    service: "aps" # replace with desired service
    role_arn: "arn:aws:iam::123456789012:role/aws-service-role/access"
    sts_endpoint: "regional" # accepted values are "legacy" or "regional"

receivers:
  hostmetrics:
    scrapers:
      memory:

exporters:
  prometheusremotewrite/withauth:
    endpoint: "https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-XXX/api/v1/remote_write"
    auth:
      authenticator: sigv4auth

service:
  extensions: [sigv4auth]
  pipelines:
    metrics:
      receivers: [hostmetrics]
      processors: []
      exporters: [prometheusremotewrite/withauth]

Telemetry data types supported

Any telemetry data types that are exported via HTTP request to an AWS service.

Sponsor

@Aneurysm9 @alolita
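
The signing step such an authenticator has to perform on each outgoing request, sketched with only the Go standard library as an added example; it is not part of the issue and not the extension's code. The `signer` type, access key and secret are constructed, and the sketch assumes an empty query string, a path that needs no escaping, and `host` and `x-amz-date` as the only signed headers.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// signer holds constructed example values; real keys come from the AWS credential chain.
type signer struct{ region, service, accessKey, secret string }

func hexSHA(b string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(b))) }

func mac(key []byte, msg string) []byte { h := hmac.New(sha256.New, key); h.Write([]byte(msg)); return h.Sum(nil) }

// authHeader builds the Authorization value (assumes empty query, path needing no escaping).
func (s signer) authHeader(method, host, path, amzDate, body string) string {
	scope := amzDate[:8] + "/" + s.region + "/" + s.service + "/aws4_request"
	canonical := strings.Join([]string{method, path, "", "host:" + host,
		"x-amz-date:" + amzDate, "", "host;x-amz-date", hexSHA(body)}, "\n")
	toSign := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + hexSHA(canonical)
	key := mac(mac(mac(mac([]byte("AWS4"+s.secret), amzDate[:8]), s.region), s.service), "aws4_request")
	return fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=host;x-amz-date, Signature=%x",
		s.accessKey, scope, mac(key, toSign))
}

// sign sets the two headers that must be present before the request leaves the process.
func (s signer) sign(req *http.Request, body string, now time.Time) {
	amzDate := now.UTC().Format("20060102T150405Z")
	req.Header.Set("X-Amz-Date", amzDate)
	req.Header.Set("Authorization", s.authHeader(req.Method, req.URL.Host, req.URL.EscapedPath(), amzDate, body))
}

// verify recomputes the header as a receiver would; a real service also rejects stale dates.
func (s signer) verify(req *http.Request, body string) bool {
	d, got := req.Header.Get("X-Amz-Date"), req.Header.Get("Authorization")
	return len(d) >= 8 && hmac.Equal([]byte(got), []byte(s.authHeader(req.Method, req.URL.Host, req.URL.EscapedPath(), d, body)))
}

func main() {
	s, body := signer{"us-west-2", "aps", "AKIDEXAMPLE", "constructed-secret"}, "constructed payload"
	req, _ := http.NewRequest("POST", "https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-XXX/api/v1/remote_write", strings.NewReader(body))
	s.sign(req, body, time.Now())
	fmt.Println(req.Header.Get("Authorization"))
	fmt.Println("intact:", s.verify(req, body), "tampered:", s.verify(req, body+"x"))
}
```

Because `region` and `service` are part of the credential scope and of the derived key, a request signed for one region or service does not verify under another, which is why both fields are required in the configuration.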

@steven-aerts

Hi @erichsueh3,

Nice extension. Would it also be possible to use this extension to use the elasticsearch exporter with AWS elastic/opensearch?

So we can specify something like this:

extensions:
  sigv4auth:
    # Guess default will fallback on default creds it can find.

receivers:
  otlp:

exporters:
  elasticsearch:
    endpoints:
    - "https://${AWS_OPEN_SEARCH_ENDPOINT}"
    auth:
      authenticator: sigv4auth

service:
  extensions: [sigv4auth]
  pipelines:
    logs:
      receivers: [otlp]
      processors: []
      exporters: [elasticsearch]

Or is this too far-fetched?

Thanks

@Aneurysm9
Member

> would it also be possible to use this extension to use the elasticsearch exporter with AWS elastic/opensearch?

Yes, enabling such additional uses is the goal of creating this extension. I don't know whether the elasticsearch extension currently can make use of the client authenticator extensions, but if not, it should be possible to update it to do so, at which point it could use this authenticator.

@erichsueh3
Contributor Author

mx-psi added the Accepted Component (New component has been sponsored) label Feb 4, 2022
alolita added the comp:aws (AWS components) label Feb 7, 2022
@eduaquiles

Hey @erichsueh3, nice addition!

I was trying to understand why the sts_endpoint was dropped between the proposal and the actual implementation but couldn't figure it out. Could you shed some light here?

We believe we are facing an issue where this would solve our problem!
