fix(sdk-extension-aws): fix AwsEksResourceDetector on EKS Access Entries API clusters

alimx07 · alimx07 · commit 9487fb3dcfd1 · 2026-04-12T02:03:05.000+02:00
Replace aws-auth ConfigMap HTTP check with JWT iss claim decode. Clusters
using the Access Entries API do not have aws-auth, causing HTTP 404 and
silent empty resource. Pod service-account token iss always contains
oidc.eks on EKS. Decoded locally, no network call required.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -30,6 +30,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- `opentelemetry-sdk-extension-aws`: Fix `AwsEksResourceDetector` on clusters using the EKS Access Entries API mode where the `aws-auth` ConfigMap is absent; `_is_eks` now decodes the pod service-account JWT `iss` claim instead of querying the Kubernetes API.
+  ([#5080](https://github.com/open-telemetry/opentelemetry-python-contrib/pull/5080))
 - `opentelemetry-docker-tests`: Replace deprecated `SpanAttributes` from `opentelemetry.semconv.trace` with `opentelemetry.semconv._incubating.attributes`
  ([#4339](https://github.com/open-telemetry/opentelemetry-python-contrib/pull/4339))
 - `opentelemetry-instrumentation-confluent-kafka`: Skip `recv` span creation when `poll()` returns no message or `consume()` returns an empty list, avoiding empty spans on idle polls
diff --git a/sdk-extension/opentelemetry-sdk-extension-aws/src/opentelemetry/sdk/extension/aws/resource/eks.py b/sdk-extension/opentelemetry-sdk-extension-aws/src/opentelemetry/sdk/extension/aws/resource/eks.py
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import base64
 import json
 import logging
 import os
@@ -32,6 +33,7 @@
 
 _TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 _CERT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+_EKS_OIDC_ISSUER = "oidc.eks."
 
 
 def _aws_http_request(method, path, cred_value):
@@ -60,11 +62,17 @@ def _get_k8s_cred_value():
 
 
 def _is_eks(cred_value):
-    return _aws_http_request(
-        _GET_METHOD,
-        "/api/v1/namespaces/kube-system/configmaps/aws-auth",
-        cred_value,
-    )
+    parts = cred_value.removeprefix("Bearer ").split(".")
+    if len(parts) != 3:
+        return False
+    try:
+        seg = parts[1]
+        payload = json.loads(
+            base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
+        )
+    except Exception:
+        return False
+    return _EKS_OIDC_ISSUER in payload.get("iss", "")
 
 
 def _get_cluster_info(cred_value):
