feat: get dash0 token from secret manager (#44)

Author: mosheshaham-dash0

Cargo.lock

@@ -23,6 +23,7 @@ tracing-subscriber = { version = "0.3", features = ["fmt", "json", "env-filter"]
 hex = "0.4.3"
 base64 = "0.22"
 regex = "1.12.2"
+hmac = "0.12"
 
 [features]
 default = []

Cargo.toml

@@ -22,10 +22,16 @@ See the release page for the latest ARNs of the extension layers for each runtim
 
 * `DASH0_ENDPOINT` - The integration endpoint for you organization in Dash0, i.e. `https://ingress.eu-west-1.aws.dash0.com:4318`.
 
-* `DASH0_TOKEN` - The API token for your Dash0 project.
+* Either `DASH0_TOKEN` or `DASH0_TOKEN_SECRET_ARN` must be set (see below).
 
 ### Optional
 
+* `DASH0_TOKEN` - The API token for your Dash0 project. Either this or `DASH0_TOKEN_SECRET_ARN` must be set.
+
+* `DASH0_TOKEN_SECRET_ARN` - The ARN of an AWS Secrets Manager secret containing the Dash0 API token. Either this or `DASH0_TOKEN` must be set. If both are set, `DASH0_TOKEN` takes precedence.
+
+* `DASH0_TOKEN_SECRET_KEY` - The JSON key within the secret to extract the token from. Required when the secret stored in `DASH0_TOKEN_SECRET_ARN` is a JSON object. If not set, the entire secret value is used as the token.
+
 * `DASH0_DISABLE_AUTO_INSTRUMENTATION` - Auto-instrumentation can be turned off by this environment variable, which will result in creating synthetic traces by the extension for all invocations.
 
 * `DASH0_SEND_ON_INVOCATION_END` - The extension has two modes of sending to the backend, either on invocation end or on the next invocation. The default is `true`. Sending on invocation end will increase the billed duration of the lambda, but not the response time. Sending on next invocation will decrease the billed duration since the sending will take place in parallel of the regular execution, but might delay the sending up to 7 minutes in case of last invocation in the container.

README.md

@@ -4,6 +4,7 @@ import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as ecr_assets from 'aws-cdk-lib/aws-ecr-assets';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as logs from 'aws-cdk-lib/aws-logs';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import * as cr from 'aws-cdk-lib/custom-resources';
 import * as lambdaNodejs from 'aws-cdk-lib/aws-lambda-nodejs';
 import * as path from 'path';
@@ -39,6 +40,7 @@ interface SubStackProps extends cdk.NestedStackProps {
   layer: lambda.ILayerVersion;
   logGroup: logs.ILogGroup;
   prefix: string;
+  dash0TokenSecretArn?: string;
 }
 
 function createLambdas(
@@ -48,8 +50,9 @@ function createLambdas(
     role: iam.Role,
     logGroup: logs.ILogGroup,
     prefix: string,
-    overrides?: { handler?: string; code?: lambda.Code; memorySize?: number }
+    overrides?: { handler?: string; code?: lambda.Code; memorySize?: number; dash0TokenSecretArn?: string }
 ) {
+  const latestRuntime = runtimes[runtimes.length - 1];
   for (const runtime of runtimes) {
     for (const architecture of [lambda.Architecture.X86_64, lambda.Architecture.ARM_64]) {
       for (const invocationEnd of ["true", "false"]) {
@@ -64,13 +67,20 @@ function createLambdas(
               continue;
             }
             const runtimeName = runtime.name.replace(/\./g, '-');
+            const useSecretManager = overrides?.dash0TokenSecretArn
+                && runtime === latestRuntime
+                && scenario === "success";
             const environment: any = {
               AWS_LAMBDA_EXEC_WRAPPER: "/opt/wrapper",
-              DASH0_TOKEN: process.env.DASH0_DEV_API_TOKEN!,
               DASH0_ENDPOINT: "https://ingress.eu-west-1.aws.dash0-dev.com:4318",
               DASH0_EXTENSION_LOG_LEVEL: "info",
               DASH0_SEND_ON_INVOCATION_END: invocationEnd,
             };
+            if (useSecretManager) {
+              environment["DASH0_TOKEN_SECRET_ARN"] = overrides!.dash0TokenSecretArn!;
+            } else {
+              environment["DASH0_TOKEN"] = process.env.DASH0_DEV_API_TOKEN!;
+            }
             if (traced === "false") {
               environment["DASH0_DISABLE_AUTO_INSTRUMENTATION"] = "true";
             }
@@ -122,6 +132,7 @@ class PythonStack extends cdk.NestedStack {
 
     createLambdas(this, runtimes, props.layer, props.role, props.logGroup, props.prefix, {
       code: createPythonCode(),
+      dash0TokenSecretArn: props.dash0TokenSecretArn,
     });
 
     // Dependency conflict test lambdas
@@ -174,7 +185,9 @@ class NodeStack extends cdk.NestedStack {
       lambda.Runtime.NODEJS_24_X,
     ];
 
-    createLambdas(this, runtimes, props.layer, props.role, props.logGroup, props.prefix);
+    createLambdas(this, runtimes, props.layer, props.role, props.logGroup, props.prefix, {
+      dash0TokenSecretArn: props.dash0TokenSecretArn,
+    });
 
     for (const runtime of runtimes) {
       const runtimeName = runtime.name.replace(/\./g, '-');
@@ -226,6 +239,7 @@ class NodeStack extends cdk.NestedStack {
         loggingFormat: lambda.LoggingFormat.TEXT,
       });
     }
+
   }
 }
 
@@ -247,6 +261,7 @@ class JavaStack extends cdk.NestedStack {
       handler: 'org.example.HelloHandler::handleRequest',
       code: javaCode,
       memorySize: 512,
+      dash0TokenSecretArn: props.dash0TokenSecretArn,
     };
     const runtimes = [lambda.Runtime.JAVA_25, lambda.Runtime.JAVA_21, lambda.Runtime.JAVA_17];
 
@@ -364,25 +379,35 @@ export class IntegrationTestsStack extends cdk.Stack {
       retention: logs.RetentionDays.ONE_DAY,
     });
 
+    const dash0TokenSecret = new secretsmanager.Secret(this, 'Dash0TokenSecret', {
+      secretName: `${prefix}dash0-token-secret`,
+      secretStringValue: cdk.SecretValue.unsafePlainText(process.env.DASH0_DEV_API_TOKEN!),
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+    });
+    dash0TokenSecret.grantRead(role);
+
     new PythonStack(this, 'PythonStack', {
       role,
       layer: pythonLayer,
       logGroup: sharedLogGroup,
       prefix,
+      dash0TokenSecretArn: dash0TokenSecret.secretArn,
     });
 
     new NodeStack(this, 'NodeStack', {
       role,
       layer: nodeLayer,
       logGroup: sharedLogGroup,
       prefix,
+      dash0TokenSecretArn: dash0TokenSecret.secretArn,
     });
 
     new JavaStack(this, 'JavaStack', {
       role,
       layer: javaLayer,
       logGroup: sharedLogGroup,
       prefix,
+      dash0TokenSecretArn: dash0TokenSecret.secretArn,
     });
 
     new ManualStack(this, 'ManualStack', {

integration-tests/iac/lib/integration-tests-stack.ts

@@ -23,7 +23,9 @@ const verifySuccessInvocation = async (functionName: string, invocationEnd: bool
 
     // Verify DASH0_TOKEN is masked in resource attributes
     const resourceAttributes = getAttributesMap(resource.attributes);
-    expect(resourceAttributes['process.environment_variable.DASH0_TOKEN'].stringValue).toEqual('****');
+    if (!functionName.includes("python3-14")) {
+        expect(resourceAttributes['process.environment_variable.DASH0_TOKEN'].stringValue).toEqual('****');
+    }
 
     let httpSpanId: string | undefined = undefined;
     if (traced) {

integration-tests/tests/src/test-python-success.test.ts

@@ -80,11 +80,6 @@ private SdkTracerProviderBuilder tracerProviderCustomizer(
 
   private Map<String, String> propertiesCustomizer(ConfigProperties originalCfg) {
     String accessToken = originalCfg.getString(DASH0_TOKEN);
-    if (Strings.isBlank(accessToken)) {
-      LOGGER.warning(
-          "Dash0 token not provided (env var 'DASH0_TOKEN' not set); no data will be sent.");
-      return Collections.emptyMap();
-    }
 
     Map<String, String> customizedCfg = new HashMap<>();
 

opt/java/opentelemetry-java-distro/custom/src/main/java/io/dash0/javaagent/Dash0Configurator.java

@@ -128,13 +128,7 @@ export const init = async (): Promise<Dash0SdkInitialization> => {
 
     logger.debug(`Instrumented modules: ${instrumentedModules.join(', ')}`);
 
-    const dashToken = process.env.DASH0_TOKEN;
-
-    if (!dashToken) {
-      logger.warn(
-        'The Dash0 token is not available (the "DASH0_TOKEN" environment variable is not set): no telemetry will be sent.'
-      );
-    }
+    const dashToken = process.env.DASH0_TOKEN || '';
 
     const infrastructureDetectors = [
       envDetector,
@@ -162,23 +156,21 @@ export const init = async (): Promise<Dash0SdkInitialization> => {
       );
     }
 
-    if (dashToken) {
-      const otlpTraceExporter = new OTLPTraceExporter({
-        url: traceEndpoint,
-        headers: {
-          Authorization: `Bearer ${dashToken.trim()}`,
-        },
-      });
+    const otlpTraceExporter = new OTLPTraceExporter({
+      url: traceEndpoint,
+      headers: {
+        Authorization: `Bearer ${dashToken.trim()}`,
+      },
+    });
 
-      spanProcessors.push(
-        new BatchSpanProcessor(otlpTraceExporter, {
-          // The maximum queue size. After the size is reached spans are dropped.
-          maxQueueSize: 1000,
-          // The maximum batch size of every export. It must be smaller or equal to maxQueueSize.
-          maxExportBatchSize: 100,
-        })
-      );
-    }
+    spanProcessors.push(
+      new BatchSpanProcessor(otlpTraceExporter, {
+        // The maximum queue size. After the size is reached spans are dropped.
+        maxQueueSize: 1000,
+        // The maximum batch size of every export. It must be smaller or equal to maxQueueSize.
+        maxExportBatchSize: 100,
+      })
+    );
 
     // Create providers with processors
     const tracerProvider = new NodeTracerProvider({

opt/node/distro/src/bootstrap.ts

@@ -74,36 +74,6 @@ describe('Distro initialization', () => {
 
   });
 
-  describe('without the DASH0_TOKEN environment variable set', () => {
-    test('should not initialize the OTLPTraceExporter', async () => {
-      await jest.isolateModulesAsync(async () => {
-        const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
-        jest.mock('@opentelemetry/exporter-trace-otlp-http');
-
-        const { init } = jest.requireActual('./distro');
-        await init;
-
-        expect(OTLPTraceExporter).not.toHaveBeenCalled();
-      });
-    });
-
-    describe('with the DASH0_DEBUG_SPANDUMP variable set', () => {
-      test('should initialize the FileSpanExporter', async () => {
-        await jest.isolateModulesAsync(async () => {
-          process.env.DASH0_DEBUG_SPANDUMP = '/dev/stdout';
-
-          jest.mock('./exporters');
-
-          const { init } = jest.requireActual('./distro');
-          await init;
-
-          const { FileSpanExporter } = require('./exporters');
-          expect(FileSpanExporter).toHaveBeenCalledWith('/dev/stdout');
-        });
-      });
-    });
-  });
-
   describe('NodeTracerProvider should be initialize with span limit according to environment variables or default', () => {
     beforeEach(() => {
       process.env = { ...ORIGINAL_PROCESS_ENV };