0.14.2 patch commits (#578)

*Issue #, if available:*

*Description of changes:*
Ports the following commits from main into the 0.14.x release branch for
pending 0.14.2 release:

* #570 
* #571 
* #572 
* #573 
* #574 
* #575 
* #577 

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

---------

Co-authored-by: Syed Ahsan Ishtiaque <176968742+syed-ahsan-ishtiaque@users.noreply.github.com>
Co-authored-by: Lei Wang <66336933+wangzlei@users.noreply.github.com>
Co-authored-by: Jonathan Lee <107072447+jj22ee@users.noreply.github.com>
Co-authored-by: Steve Liu <liustve@amazon.com>
Co-authored-by: Mahad Janjua <134644284+majanjua-amzn@users.noreply.github.com>

Author: 6 people

.github/workflows/release-build.yml

@@ -124,21 +124,6 @@ jobs:
       - name: Checkout Repo @ SHA - ${{ github.sha }}
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
 
-      - name: Configure AWS credentials for PyPI secrets
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
-        with:
-          role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRETS_MANAGER }}
-          aws-region: ${{ env.AWS_DEFAULT_REGION }}
-      
-      - name: Get PyPI secrets
-        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
-        id: pypi_secrets
-        with:
-          secret-ids: |
-            PROD_PYPI_TOKEN,${{ secrets.PYPI_PROD_TOKEN_SECRET_ARN }}
-            TEST_PYPI_TOKEN,${{ secrets.PYPI_TEST_TOKEN_SECRET_ARN }}
-          parse-json-secrets: true
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #3.11.1
 
@@ -163,36 +148,35 @@ jobs:
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 #v3.5.0
         with:
           registry: public.ecr.aws
-
-      # The step below publishes to testpypi in order to catch any issues
-      # with the package configuration that would cause a failure to upload to pypi.
-      - name: Install twine
-        run: pip install twine==5.1.1
-      
+     
       - name: Download SDK wheel artifact
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5.0.0
         with:
           name: ${{ env.WHEEL_ARTIFACT_NAME }}
+          path: dist-pypi
 
       - name: Download SDK source artifact
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5.0.0
         with:
           name: ${{ env.SOURCE_ARTIFACT_NAME }}
+          path: dist-pypi
 
+      # The step below publishes to testpypi in order to catch any issues 
       - name: Publish to TestPyPI
-        env:
-          TWINE_USERNAME: '__token__'
-          TWINE_PASSWORD: ${{ env.TEST_PYPI_TOKEN_API_TOKEN }}
-        run: |
-          twine upload --repository testpypi --skip-existing --verbose ${{ env.WHEEL_ARTIFACT_NAME }} ${{ env.SOURCE_ARTIFACT_NAME }}
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true
+          verbose: true
+          packages-dir: dist-pypi
 
       # Publish to prod PyPI
       - name: Publish to PyPI
-        env:
-          TWINE_USERNAME: '__token__'
-          TWINE_PASSWORD: ${{ env.PROD_PYPI_TOKEN_API_TOKEN }}
-        run: |
-          twine upload --skip-existing --verbose ${{ env.WHEEL_ARTIFACT_NAME }} ${{ env.SOURCE_ARTIFACT_NAME }}
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
+        with:
+          skip-existing: true
+          verbose: true
+          packages-dir: dist-pypi
 
       # Publish to public ECR
       - name: Build and push public ECR image
@@ -256,10 +240,31 @@ jobs:
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5.0.0
         with:
           name: layer.zip
-      - name: publish
+      
+      - name: Upload to S3 and Sign
+        continue-on-error: true
         run: |
           aws s3 mb s3://${{ env.BUCKET_NAME }}
           aws s3 cp aws-opentelemetry-python-layer.zip s3://${{ env.BUCKET_NAME }}
+          
+          # Sign the layer
+          PROFILE=$(aws signer list-signing-profiles --query "profiles[?profileName=='ADOTLambdaLayerSigningProfile'].arn" --output text 2>/dev/null)
+          [ -z "$PROFILE" ] && exit 0
+          
+          JOB_ID=$(aws signer start-signing-job \
+            --source "s3={bucketName=${{ env.BUCKET_NAME }},key=aws-opentelemetry-python-layer.zip,version=null}" \
+            --destination "s3={bucketName=${{ env.BUCKET_NAME }},prefix=signed-}" \
+            --profile-name ADOTLambdaLayerSigningProfile \
+            --query 'jobId' --output text 2>/dev/null) || exit 0
+          [ -z "$JOB_ID" ] && exit 0
+          
+          aws signer wait successful-signing-job --job-id "$JOB_ID" || exit 0
+          
+          SIGNED=$(aws signer describe-signing-job --job-id "$JOB_ID" --query 'signedObject.s3.key' --output text 2>/dev/null)
+          [ -n "$SIGNED" ] && aws s3 mv "s3://${{ env.BUCKET_NAME }}/$SIGNED" "s3://${{ env.BUCKET_NAME }}/aws-opentelemetry-python-layer.zip"
+      
+      - name: Publish Layer Version
+        run: |
           layerARN=$(
             aws lambda publish-layer-version \
               --layer-name ${{ env.LAYER_NAME }} \
@@ -276,6 +281,11 @@ jobs:
           mkdir ${{ env.LAYER_NAME }}
           echo $layerARN > ${{ env.LAYER_NAME }}/${{ matrix.aws_region }}
           cat ${{ env.LAYER_NAME }}/${{ matrix.aws_region }}
+          
+          # Output SigningProfileVersionArn
+          aws lambda get-layer-version-by-arn \
+            --arn $layerARN \
+            --output json | jq -r '.Content.SigningProfileVersionArn'
       - name: public layer
         run: |
           layerVersion=$(

CHANGELOG.md

@@ -11,6 +11,19 @@ For any change that affects end users of this package, please add an entry under
 If your change does not need a CHANGELOG entry, add the "skip changelog" label to your PR.
 
 ## Unreleased
+- Fix: Support new fields in X-Ray API responses
+  ([#577](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/577))
+- Fix CVE-2025-66471 and CVE-2026-21441. No associated PR since `urllib3` dependency will auto-bump to the latest `2.6.x` version upon release.
+- Add cloud.platform attribute to resource attributes in lambda
+  ([#561](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/561))
+- Sign Lambda layer by AWS Signer
+  ([#573](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/573))
+- Update opentelemetry-sdk-extension-aws to version 2.1.0, and remove unneeded Resource Detector patches
+  ([#572](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/572))
+- Support PyPI Signature
+  ([#571](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/571))
+- Remove redundant environment variable configuration in Lambda layer
+  ([#570](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/570))
 
 ## v0.14.1 - 2025-12-15
 - Add custom ADOT UserAgent for OTLP Spans Exporter
@@ -38,4 +51,3 @@ If your change does not need a CHANGELOG entry, add the "skip changelog" label t
   ([#522](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/522))
 - Support credentials provider name for BedrockAgentCore Identity
   ([#534](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/534))
-

aws-opentelemetry-distro/pyproject.toml

@@ -33,7 +33,7 @@ dependencies = [
   "opentelemetry-propagator-b3 == 1.33.1",
   "opentelemetry-propagator-jaeger == 1.33.1",
   "opentelemetry-exporter-otlp-proto-common == 1.33.1",
-  "opentelemetry-sdk-extension-aws == 2.0.2",
+  "opentelemetry-sdk-extension-aws == 2.1.0",
   "opentelemetry-propagator-aws-xray == 1.0.1",
   "opentelemetry-distro == 0.54b1",
   "opentelemetry-processor-baggage == 0.54b1",

aws-opentelemetry-distro/src/amazon/opentelemetry/distro/patches/_instrumentation_patch.py

@@ -5,7 +5,6 @@
 
 from amazon.opentelemetry.distro._utils import is_installed
 from amazon.opentelemetry.distro.aws_opentelemetry_configurator import is_enhanced_code_attributes
-from amazon.opentelemetry.distro.patches._resource_detector_patches import _apply_resource_detector_patches
 
 _logger: Logger = getLogger(__name__)
 
@@ -85,7 +84,3 @@ def apply_instrumentation_patches() -> None:  # pylint: disable=too-many-branche
             from amazon.opentelemetry.distro.patches._aio_pika_patches import _apply_aio_pika_instrumentation_patches
 
             _apply_aio_pika_instrumentation_patches()
-
-    # No need to check if library is installed as this patches opentelemetry.sdk,
-    # which must be installed for the distro to work at all.
-    _apply_resource_detector_patches()

aws-opentelemetry-distro/src/amazon/opentelemetry/distro/patches/_resource_detector_patches.py

@@ -1,6 +1,10 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
+from logging import getLogger
+
+_logger = getLogger(__name__)
+
 
 # Disable snake_case naming style so this class can match the sampling rules response from X-Ray
 # pylint: disable=invalid-name
@@ -20,6 +24,7 @@ def __init__(
         ServiceType: str = None,
         URLPath: str = None,
         Version: int = None,
+        **kwargs,
     ):
         self.Attributes = Attributes if Attributes is not None else {}
         self.FixedRate = FixedRate if FixedRate is not None else 0.0
@@ -36,6 +41,10 @@ def __init__(
         self.URLPath = URLPath if URLPath is not None else ""
         self.Version = Version if Version is not None else 0
 
+        # Log unknown fields for debugging/monitoring
+        if kwargs:
+            _logger.debug("Ignoring unknown fields in _SamplingRule: %s", list(kwargs.keys()))
+
     def __lt__(self, other: "_SamplingRule") -> bool:
         if self.Priority == other.Priority:
             # String order priority example:

aws-opentelemetry-distro/src/amazon/opentelemetry/distro/sampler/_sampling_rule.py

@@ -1,6 +1,7 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 from logging import getLogger
+from typing import List
 
 _logger = getLogger(__name__)
 
@@ -15,47 +16,62 @@ def __init__(
         ReservoirQuota: int = None,
         ReservoirQuotaTTL: float = None,
         RuleName: str = None,
+        **kwargs,
     ):
         self.FixedRate = FixedRate if FixedRate is not None else 0.0
         self.Interval = Interval  # can be None
         self.ReservoirQuota = ReservoirQuota  # can be None
         self.ReservoirQuotaTTL = ReservoirQuotaTTL  # can be None
         self.RuleName = RuleName if RuleName is not None else ""
 
+        # Log unknown fields for debugging/monitoring
+        if kwargs:
+            _logger.debug("Ignoring unknown fields in _SamplingTarget: %s", list(kwargs.keys()))
+
 
 class _UnprocessedStatistics:
     def __init__(
         self,
         ErrorCode: str = None,
         Message: str = None,
         RuleName: str = None,
+        **kwargs,
     ):
         self.ErrorCode = ErrorCode if ErrorCode is not None else ""
         self.Message = Message if ErrorCode is not None else ""
         self.RuleName = RuleName if ErrorCode is not None else ""
 
+        # Log unknown fields for debugging/monitoring
+        if kwargs:
+            _logger.debug("Ignoring unknown fields in _UnprocessedStatistics: %s", list(kwargs.keys()))
+
 
 class _SamplingTargetResponse:
     def __init__(
         self,
         LastRuleModification: float,
-        SamplingTargetDocuments: [dict] = None,
-        UnprocessedStatistics: [dict] = None,
+        SamplingTargetDocuments: List[dict] = None,
+        UnprocessedStatistics: List[dict] = None,
+        **kwargs,
     ):
         self.LastRuleModification: float = LastRuleModification if LastRuleModification is not None else 0.0
 
-        self.SamplingTargetDocuments: [_SamplingTarget] = []
+        self.SamplingTargetDocuments: List[_SamplingTarget] = []
         if SamplingTargetDocuments is not None:
             for document in SamplingTargetDocuments:
                 try:
                     self.SamplingTargetDocuments.append(_SamplingTarget(**document))
                 except TypeError as e:
                     _logger.debug("TypeError occurred: %s", e)
 
-        self.UnprocessedStatistics: [_UnprocessedStatistics] = []
+        self.UnprocessedStatistics: List[_UnprocessedStatistics] = []
         if UnprocessedStatistics is not None:
             for unprocessed in UnprocessedStatistics:
                 try:
                     self.UnprocessedStatistics.append(_UnprocessedStatistics(**unprocessed))
                 except TypeError as e:
                     _logger.debug("TypeError occurred: %s", e)
+
+        # Log unknown fields for debugging/monitoring
+        if kwargs:
+            _logger.debug("Ignoring unknown fields in _SamplingTargetResponse: %s", list(kwargs.keys()))

aws-opentelemetry-distro/src/amazon/opentelemetry/distro/sampler/_sampling_target.py

@@ -5,8 +5,6 @@
 from unittest import TestCase
 from unittest.mock import MagicMock, patch
 
-import opentelemetry.sdk.extension.aws.resource.ec2 as ec2_resource
-import opentelemetry.sdk.extension.aws.resource.eks as eks_resource
 from amazon.opentelemetry.distro._aws_attribute_keys import (
     AWS_AUTH_CREDENTIAL_PROVIDER,
     AWS_BEDROCK_AGENTCORE_BROWSER_ARN,
@@ -141,8 +139,6 @@ def _run_patch_mechanism_tests(self):
         """
         self._test_botocore_installed_flag()
         self._reset_mocks()
-        self._test_resource_detector_patches()
-        self._reset_mocks()
         self._test_starlette_installed_flag()
         self._reset_mocks()
         self._test_enhanced_code_attributes_patches()
@@ -789,53 +785,6 @@ def _test_patched_bedrock_agent_instrumentation(self):
             self.assertEqual(len(bedrock_agent_success_attributes), 1)
             self.assertEqual(bedrock_agent_success_attributes[attribute_tuple[0]], attribute_tuple[1])
 
-    def _test_resource_detector_patches(self):
-        """Test that resource detector patches are applied and work correctly"""
-        # Test that the functions were patched
-        self.assertIsNotNone(ec2_resource._aws_http_request)
-        self.assertIsNotNone(eks_resource._aws_http_request)
-
-        # Test EC2 patched function
-        with patch("amazon.opentelemetry.distro.patches._resource_detector_patches.urlopen") as mock_urlopen:
-            mock_response = MagicMock()
-            mock_response.read.return_value = b'{"test": "ec2-data"}'
-            mock_urlopen.return_value.__enter__.return_value = mock_response
-
-            result = ec2_resource._aws_http_request("GET", "/test/path", {"X-Test": "header"})
-            self.assertEqual(result, '{"test": "ec2-data"}')
-
-            # Verify the request was made correctly
-            args, kwargs = mock_urlopen.call_args
-            request = args[0]
-            self.assertEqual(request.full_url, "http://169.254.169.254/test/path")
-            self.assertEqual(request.headers, {"X-test": "header"})
-            self.assertEqual(kwargs["timeout"], 5)
-
-        # Test EKS patched function
-        with patch("amazon.opentelemetry.distro.patches._resource_detector_patches.urlopen") as mock_urlopen, patch(
-            "amazon.opentelemetry.distro.patches._resource_detector_patches.ssl.create_default_context"
-        ) as mock_ssl:
-            mock_response = MagicMock()
-            mock_response.read.return_value = b'{"test": "eks-data"}'
-            mock_urlopen.return_value.__enter__.return_value = mock_response
-
-            mock_context = MagicMock()
-            mock_ssl.return_value = mock_context
-
-            result = eks_resource._aws_http_request("GET", "/api/v1/test", "Bearer token123")
-            self.assertEqual(result, '{"test": "eks-data"}')
-
-            # Verify the request was made correctly
-            args, kwargs = mock_urlopen.call_args
-            request = args[0]
-            self.assertEqual(request.full_url, "https://kubernetes.default.svc/api/v1/test")
-            self.assertEqual(request.headers, {"Authorization": "Bearer token123"})
-            self.assertEqual(kwargs["timeout"], 5)
-            self.assertEqual(kwargs["context"], mock_context)
-
-            # Verify SSL context was created with correct CA file
-            mock_ssl.assert_called_once_with(cafile="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
-
     def _test_unpatched_botocore_propagator(self):
         """Test that BotocoreInstrumentor uses its own propagator by default."""
         # Create a fresh instrumentor to test its initial state