chore: Separate AwsCredentials from AwsConfig (#716)

lym953 · web-flow · commit f9705b543d19 · 2025-07-02T17:11:15.000-04:00
# Problem Right now `AwsConfig` has a lot of fields, including the ones related to credential: ``` pub aws_access_key_id: String, pub aws_secret_access_key: String, pub aws_session_token: String, pub aws_container_credentials_full_uri: String, pub aws_container_authorization_token: String, ``` The next PR #717 wants to lazily load API key and the credentials. To do that, for the resolver function `resolve_secrets()`, I need to change the param `aws_config` from `&AwsConfig` to `Arc<RwLock<AwsConfig>>`. Because `aws_config` is passed to many places, this change involves updating lots of functions, which is formidable. # This PR Separates these credential-related fields out from `AwsConfig` and creates a new struct `AwsCredentials` Thus, the next PR will only need to change the param `aws_credentials` from `&AwsCredentials` to `Arc<RwLock<AwsCredentials>>`. Because `aws_credentials` is not used in lots of places, the next PR becomes easier. https://datadoghq.atlassian.net/issues/SVLS-6996 https://datadoghq.atlassian.net/issues/SVLS-6998
diff --git a/bottlecap/src/bin/bottlecap/main.rs b/bottlecap/src/bin/bottlecap/main.rs
@@ -13,7 +13,7 @@ use bottlecap::{
     base_url,
     config::{
         self,
-        aws::{build_lambda_function_arn, AwsConfig},
+        aws::{build_lambda_function_arn, AwsConfig, AwsCredentials},
         Config,
     },
     event_bus::bus::EventBus,
@@ -302,7 +302,7 @@ async fn register(client: &Client) -> Result<RegisterResponse> {
 #[tokio::main]
 async fn main() -> Result<()> {
     let start_time = Instant::now();
-    let (mut aws_config, config) = load_configs(start_time);
+    let (aws_config, mut aws_credentials, config) = load_configs(start_time);
 
     enable_logging_subsystem(&config);
     log_fips_status(&aws_config.region);
@@ -329,7 +329,9 @@ async fn main() -> Result<()> {
         .await
         .map_err(|e| Error::new(std::io::ErrorKind::InvalidData, e.to_string()))?;
 
-    if let Some(resolved_api_key) = resolve_secrets(Arc::clone(&config), &mut aws_config).await {
+    if let Some(resolved_api_key) =
+        resolve_secrets(Arc::clone(&config), &aws_config, &mut aws_credentials).await
+    {
         match extension_loop_active(
             &aws_config,
             &config,
@@ -357,9 +359,10 @@ async fn main() -> Result<()> {
     }
 }
 
-fn load_configs(start_time: Instant) -> (AwsConfig, Arc<Config>) {
+fn load_configs(start_time: Instant) -> (AwsConfig, AwsCredentials, Arc<Config>) {
     // First load the AWS configuration
     let aws_config = AwsConfig::from_env(start_time);
+    let aws_credentials = AwsCredentials::from_env();
     let lambda_directory: String =
         env::var("LAMBDA_TASK_ROOT").unwrap_or_else(|_| "/var/task".to_string());
     let config = match config::get_config(Path::new(&lambda_directory)) {
@@ -370,7 +373,7 @@ fn load_configs(start_time: Instant) -> (AwsConfig, Arc<Config>) {
         }
     };
 
-    (aws_config, config)
+    (aws_config, aws_credentials, config)
 }
 
 fn enable_logging_subsystem(config: &Arc<Config>) {
diff --git a/bottlecap/src/config/aws.rs b/bottlecap/src/config/aws.rs
@@ -15,11 +15,6 @@ const AWS_LAMBDA_EXEC_WRAPPER: &str = "AWS_LAMBDA_EXEC_WRAPPER";
 #[derive(Debug, Clone)]
 pub struct AwsConfig {
     pub region: String,
-    pub aws_access_key_id: String,
-    pub aws_secret_access_key: String,
-    pub aws_session_token: String,
-    pub aws_container_credentials_full_uri: String,
-    pub aws_container_authorization_token: String,
     pub aws_lwa_proxy_lambda_runtime_api: Option<String>,
     pub function_name: String,
     pub runtime_api: String,
@@ -32,18 +27,36 @@ impl AwsConfig {
     pub fn from_env(start_time: Instant) -> Self {
         Self {
             region: env::var(AWS_DEFAULT_REGION).unwrap_or("us-east-1".to_string()),
+            aws_lwa_proxy_lambda_runtime_api: env::var(AWS_LWA_LAMBDA_RUNTIME_API_PROXY).ok(),
+            function_name: env::var(AWS_LAMBDA_FUNCTION_NAME).unwrap_or_default(),
+            runtime_api: env::var(AWS_LAMBDA_RUNTIME_API).unwrap_or_default(),
+            sandbox_init_time: start_time,
+            exec_wrapper: env::var(AWS_LAMBDA_EXEC_WRAPPER).ok(),
+        }
+    }
+}
+
+#[allow(clippy::module_name_repetitions)]
+#[derive(Debug, Clone)]
+pub struct AwsCredentials {
+    pub aws_access_key_id: String,
+    pub aws_secret_access_key: String,
+    pub aws_session_token: String,
+    pub aws_container_credentials_full_uri: String,
+    pub aws_container_authorization_token: String,
+}
+
+impl AwsCredentials {
+    #[must_use]
+    pub fn from_env() -> Self {
+        Self {
             aws_access_key_id: env::var(AWS_ACCESS_KEY_ID).unwrap_or_default(),
             aws_secret_access_key: env::var(AWS_SECRET_ACCESS_KEY).unwrap_or_default(),
             aws_session_token: env::var(AWS_SESSION_TOKEN).unwrap_or_default(),
             aws_container_credentials_full_uri: env::var(AWS_CONTAINER_CREDENTIALS_FULL_URI)
                 .unwrap_or_default(),
             aws_container_authorization_token: env::var(AWS_CONTAINER_AUTHORIZATION_TOKEN)
                 .unwrap_or_default(),
-            aws_lwa_proxy_lambda_runtime_api: env::var(AWS_LWA_LAMBDA_RUNTIME_API_PROXY).ok(),
-            function_name: env::var(AWS_LAMBDA_FUNCTION_NAME).unwrap_or_default(),
-            runtime_api: env::var(AWS_LAMBDA_RUNTIME_API).unwrap_or_default(),
-            sandbox_init_time: start_time,
-            exec_wrapper: env::var(AWS_LAMBDA_EXEC_WRAPPER).ok(),
         }
     }
 }
diff --git a/bottlecap/src/lifecycle/invocation/processor.rs b/bottlecap/src/lifecycle/invocation/processor.rs
@@ -966,11 +966,6 @@ mod tests {
     fn setup() -> Processor {
         let aws_config = AwsConfig {
             region: "us-east-1".into(),
-            aws_access_key_id: "***".into(),
-            aws_secret_access_key: "***".into(),
-            aws_session_token: "***".into(),
-            aws_container_credentials_full_uri: "***".into(),
-            aws_container_authorization_token: "***".into(),
             aws_lwa_proxy_lambda_runtime_api: Some("***".into()),
             function_name: "test-function".into(),
             sandbox_init_time: Instant::now(),
diff --git a/bottlecap/src/lifecycle/invocation/span_inferrer.rs b/bottlecap/src/lifecycle/invocation/span_inferrer.rs
@@ -480,11 +480,6 @@ mod tests {
 
         let aws_config = AwsConfig {
             region: "us-east-1".to_string(),
-            aws_access_key_id: "".to_string(),
-            aws_secret_access_key: "".to_string(),
-            aws_session_token: "".to_string(),
-            aws_container_credentials_full_uri: "".to_string(),
-            aws_container_authorization_token: "".to_string(),
             aws_lwa_proxy_lambda_runtime_api: Some("".to_string()),
             runtime_api: "".to_string(),
             function_name: "".to_string(),
diff --git a/bottlecap/src/proxy/interceptor.rs b/bottlecap/src/proxy/interceptor.rs
@@ -400,13 +400,8 @@ mod tests {
 
         let aws_config = AwsConfig {
             region: "us-east-1".to_string(),
-            aws_access_key_id: "AKIDEXAMPLE".to_string(),
-            aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY".to_string(),
-            aws_session_token: "AQoDYXdzEJr...<remainder of session token>".to_string(),
             function_name: "arn:some-function".to_string(),
             sandbox_init_time: Instant::now(),
-            aws_container_credentials_full_uri: String::new(),
-            aws_container_authorization_token: String::new(),
             runtime_api: aws_lambda_runtime_api.to_string(),
             aws_lwa_proxy_lambda_runtime_api: Some(aws_lwa_lambda_runtime_api.to_string()),
             exec_wrapper: None,
diff --git a/bottlecap/src/proxy/mod.rs b/bottlecap/src/proxy/mod.rs
@@ -37,11 +37,6 @@ mod tests {
         });
         let aws_config = AwsConfig {
             region: "us-east-1".to_string(),
-            aws_access_key_id: "".to_string(),
-            aws_secret_access_key: "".to_string(),
-            aws_session_token: "".to_string(),
-            aws_container_credentials_full_uri: "".to_string(),
-            aws_container_authorization_token: "".to_string(),
             aws_lwa_proxy_lambda_runtime_api: Some("127.0.0.1:12345".to_string()),
             function_name: "".to_string(),
             runtime_api: "".to_string(),
@@ -55,11 +50,6 @@ mod tests {
         let config = Arc::new(Config::default());
         let aws_config = AwsConfig {
             region: "us-east-1".to_string(),
-            aws_access_key_id: "".to_string(),
-            aws_secret_access_key: "".to_string(),
-            aws_session_token: "".to_string(),
-            aws_container_credentials_full_uri: "".to_string(),
-            aws_container_authorization_token: "".to_string(),
             // LWA proxy is set, so we should start the proxy
             aws_lwa_proxy_lambda_runtime_api: Some("127.0.0.1:12345".to_string()),
             function_name: "".to_string(),
@@ -79,11 +69,6 @@ mod tests {
         });
         let aws_config = AwsConfig {
             region: "us-east-1".to_string(),
-            aws_access_key_id: "".to_string(),
-            aws_secret_access_key: "".to_string(),
-            aws_session_token: "".to_string(),
-            aws_container_credentials_full_uri: "".to_string(),
-            aws_container_authorization_token: "".to_string(),
             aws_lwa_proxy_lambda_runtime_api: None,
             function_name: "".to_string(),
             runtime_api: "".to_string(),
@@ -102,11 +87,6 @@ mod tests {
         });
         let aws_config = AwsConfig {
             region: "us-east-1".to_string(),
-            aws_access_key_id: "".to_string(),
-            aws_secret_access_key: "".to_string(),
-            aws_session_token: "".to_string(),
-            aws_container_credentials_full_uri: "".to_string(),
-            aws_container_authorization_token: "".to_string(),
             aws_lwa_proxy_lambda_runtime_api: None,
             function_name: "".to_string(),
             runtime_api: "".to_string(),
@@ -125,11 +105,6 @@ mod tests {
         });
         let aws_config = AwsConfig {
             region: "us-east-1".to_string(),
-            aws_access_key_id: "".to_string(),
-            aws_secret_access_key: "".to_string(),
-            aws_session_token: "".to_string(),
-            aws_container_credentials_full_uri: "".to_string(),
-            aws_container_authorization_token: "".to_string(),
             aws_lwa_proxy_lambda_runtime_api: None,
             function_name: "".to_string(),
             runtime_api: "".to_string(),
diff --git a/bottlecap/src/secrets/decrypt.rs b/bottlecap/src/secrets/decrypt.rs
