AWS Secrets Manager Authenticator Extension (ASMAuth)
The AWS Secrets Manager authenticator extension enables authentication for HTTP requests using credentials stored in AWS Secrets Manager. This extension adds headers to outgoing HTTP requests based on secrets retrieved from AWS Secrets Manager.
Configuration
The following configuration options are available:
- region (optional): The AWS region where the secret is stored. If not specified, the region from the default AWS configuration chain will be used.
- secret_name (required): The name of the secret in AWS Secrets Manager.
- assume_role (optional): Configuration for assuming an IAM role.
  - arn (optional): The Amazon Resource Name (ARN) of the role to assume.
  - sts_region (optional): The AWS region where the STS endpoint will be used. If not specified, the region from the default AWS configuration chain will be used.
- fallback_headers (optional): Headers to use if the secret cannot be retrieved.
- refresh_interval (optional): The interval at which the secret will be refreshed. Default: 1 minute.
Example Configuration
    extensions:
      asmauth:
        region: us-west-2
        secret_name: my-api-headers
        refresh_interval: 5m
        fallback_headers:
          User-Agent: otel-collector
        assume_role:
          arn: arn:aws:iam::123456789012:role/my-role
          sts_region: us-east-1

    service:
      extensions: [asmauth]
      pipelines:
        traces:
          receivers: [otlp]
          processors: []
          exporters: [otlphttp/with_auth]

    exporters:
      otlphttp/with_auth:
        endpoint: https://api.example.com/v1/traces
        auth:
          authenticator: asmauth
Secret Format
The secret in AWS Secrets Manager must be a JSON object with string values. For example:
    {
      "X-API-Key": "your-api-key",
      "Authorization": "Bearer your-token",
      "Custom-Header": "custom-value"
    }
AWS Authentication
This extension uses the default AWS SDK credentials chain. It can authenticate using:
- Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
- Shared credentials file (~/.aws/credentials)
- EC2 Instance Profile or ECS Task Role
- Other methods supported by the AWS SDK
You can also use the assume_role configuration to assume an IAM role with different permissions.
Example Use Case
This extension is useful when:
- You need to authenticate HTTP exporters with API keys or tokens
- You want to centrally manage your authentication credentials in AWS Secrets Manager
- You need to securely rotate credentials without restarting the collector
Auto-Refresh Behavior
The extension automatically refreshes the credentials from AWS Secrets Manager based on the configured refresh_interval. If the extension fails to retrieve the secret during a refresh, it will:
- Log a warning
- Continue using the previously retrieved credentials
- If no credentials were previously retrieved, use the fallback headers if provided
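The Secret Format rule and the refresh rules above can be modelled together. The following is an added example, not the extension's own code: parseSecret, headerCache and refresh are hypothetical names, the secret strings are constructed, and treating a malformed secret like a failed retrieval is an assumption of the sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// parseSecret accepts only the documented format: a JSON object of string values.
func parseSecret(raw string) (map[string]string, error) {
	var obj map[string]any
	if err := json.Unmarshal([]byte(raw), &obj); err != nil || obj == nil {
		return nil, fmt.Errorf("secret is not a JSON object")
	}
	headers := make(map[string]string, len(obj))
	for name, v := range obj {
		s, ok := v.(string)
		if !ok {
			return nil, fmt.Errorf("value for %q is not a string", name) // key only, never the value
		}
		headers[name] = s
	}
	return headers, nil
}

// headerCache is a hypothetical model of the documented refresh rules.
type headerCache struct {
	current  map[string]string // last good secret, nil until the first success
	fallback map[string]string // fallback_headers from the config (may be nil)
}

// refresh applies one fetch result; malformed secrets count as failures (assumption).
func (c *headerCache) refresh(raw string, fetchErr error) (map[string]string, string) {
	if h, err := parseSecret(raw); fetchErr == nil && err == nil {
		c.current = h
		return h, "secret"
	}
	if c.current != nil {
		return c.current, "previous"
	}
	return c.fallback, "fallback"
}

func main() {
	c := &headerCache{fallback: map[string]string{"User-Agent": "otel-collector"}}
	for _, raw := range []string{"", `{"X-API-Key":"constructed"}`, `{"X-API-Key":42}`} {
		_, src := c.refresh(raw, nil)
		fmt.Println(src)
	}
}
```

While the "fallback" set is active, requests carry only the fallback headers, so a collector that has never retrieved the secret sends traffic without the API key or token.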
Development
Prerequisites
Setup and Testing
- Clone the repository
    git clone https://github.com/dev7a/asmauthextension.git
    cd asmauthextension
- Install dependencies
    go mod download
    go get go.opentelemetry.io/collector/cmd/mdatagen
    go get github.com/dev7a/asmauthextension
    go get -t github.com/dev7a/asmauthextension/...
- Generate metadata files
    go run go.opentelemetry.io/collector/cmd/mdatagen ./metadata.yaml
  This will generate several files:
  - documentation.md
  - generated_component_test.go
  - generated_package_test.go
  - internal/metadata/* files
- Build the extension
    go build ./...
- Run tests
    go test ./...
Alternatively, you can use the provided Makefile:
make deps
make generate
make build
make test