fix(sdk-extension-aws): replace deprecated aws-auth ConfigMap check with JWT iss claim detection in AwsEksResourceDetector (#4414)

* fix(sdk-extension-aws): fix AwsEksResourceDetector on EKS Access Entries API clusters

Replace aws-auth ConfigMap HTTP check with JWT iss claim decode. Clusters
using the Access Entries API do not have aws-auth, causing HTTP 404 and
silent empty resource. Pod service-account token iss always contains
oidc.eks on EKS. Decoded locally, no network call required.

* Add unit tests for JWT-based EKS detection in AwsEksResourceDetector

* use regex-based JWT issuer validation instead of string matching

* test(aws-sdk-extension): add non-EKS JWT raise path test

* Apply suggestion from @MikeGoldsmith

* style(aws-sdk-extension): minor formatting cleanup in EKS detector

* add changelog 4414 file

---------

Co-authored-by: Mike Goldsmith <goldsmith.mike@gmail.com>
Co-authored-by: Emídio Neto <9735060+emdneto@users.noreply.github.com>
Co-authored-by: Aaron Abbott <aaronabbott@google.com>

Author: 4 people

sdk-extension/opentelemetry-sdk-extension-aws/.changelog/4414.fixed

@@ -0,0 +1 @@
+`opentelemetry-sdk-extension-aws`: fix EKS detector failing on clusters using the Access Entries API

sdk-extension/opentelemetry-sdk-extension-aws/src/opentelemetry/sdk/extension/aws/resource/eks.py

@@ -1,9 +1,11 @@
 # Copyright The OpenTelemetry Authors
 # SPDX-License-Identifier: Apache-2.0
 
+import base64
 import json
 import logging
 import os
+import re
 import ssl
 from urllib.request import Request, urlopen
 
@@ -21,6 +23,10 @@
 
 _TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 _CERT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+_EKS_OIDC_RE = re.compile(
+    r"^https://oidc\.eks\.[^.]+\.amazonaws\.com(?:\.cn)?/id/[A-F0-9]{32}$",
+    re.ASCII,
+)
 
 
 def _aws_http_request(method, path, cred_value):
@@ -49,11 +55,18 @@ def _get_k8s_cred_value():
 
 
 def _is_eks(cred_value):
-    return _aws_http_request(
-        _GET_METHOD,
-        "/api/v1/namespaces/kube-system/configmaps/aws-auth",
-        cred_value,
-    )
+    parts = cred_value.removeprefix("Bearer ").split(".")
+    if len(parts) != 3:
+        return False
+    try:
+        seg = parts[1]
+        payload = json.loads(
+            base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
+        )
+    except ValueError as exception:
+        logger.error("Failed to parse JWT for EKS detection: %s", exception)
+        return False
+    return bool(_EKS_OIDC_RE.match(payload.get("iss", "")))
 
 
 def _get_cluster_info(cred_value):

sdk-extension/opentelemetry-sdk-extension-aws/tests/resource/test_eks.py

@@ -1,6 +1,8 @@
 # Copyright The OpenTelemetry Authors
 # SPDX-License-Identifier: Apache-2.0
 
+import base64
+import json
 import unittest
 from collections import OrderedDict
 from unittest.mock import mock_open, patch
@@ -14,6 +16,17 @@
     ResourceAttributes,
 )
 
+
+def _bearer_jwt(payload: dict) -> str:
+    header = base64.urlsafe_b64encode(b'{"alg":"RS256"}').rstrip(b"=").decode()
+    body = (
+        base64.urlsafe_b64encode(json.dumps(payload).encode())
+        .rstrip(b"=")
+        .decode()
+    )
+    return f"Bearer {header}.{body}.fakesig"
+
+
 MockEksResourceAttributes = {
     ResourceAttributes.CLOUD_PROVIDER: CloudProviderValues.AWS.value,
     ResourceAttributes.CLOUD_PLATFORM: CloudPlatformValues.AWS_EKS.value,
@@ -127,3 +140,98 @@ def test_if_no_eks_paths_should_not_raise(
             AwsEksResourceDetector(raise_on_error=True).detect()
         except RuntimeError:
             self.fail("Should not raise")
+
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._get_k8s_cred_value",
+        return_value=_bearer_jwt(
+            {
+                "iss": "https://oidc.eks.eu-west-2.amazonaws.com/id/A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4"
+            }
+        ),
+    )
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._is_k8s",
+        return_value=True,
+    )
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._get_cluster_info",
+        return_value=f"""{{
+  "data": {{
+    "cluster.name": "{MockEksResourceAttributes[ResourceAttributes.K8S_CLUSTER_NAME]}"
+  }}
+}}
+""",
+    )
+    @patch(
+        "builtins.open",
+        new_callable=mock_open,
+        read_data=f"14:name=systemd:/docker/{MockEksResourceAttributes[ResourceAttributes.CONTAINER_ID]}\n",
+    )
+    def test_eks_oidc_jwt_detected(
+        self,
+        mock_open_function,
+        mock_get_cluster_info,
+        mock_is_k8s,
+        mock_get_k8s_cred_value,
+    ):
+        actual = AwsEksResourceDetector().detect()
+        self.assertEqual(
+            actual.attributes.get(ResourceAttributes.CLOUD_PLATFORM),
+            CloudPlatformValues.AWS_EKS.value,
+        )
+
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._get_k8s_cred_value",
+        return_value=_bearer_jwt({"iss": "https://accounts.google.com"}),
+    )
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._is_k8s",
+        return_value=True,
+    )
+    def test_non_eks_jwt_returns_empty(
+        self, mock_is_k8s, mock_get_k8s_cred_value
+    ):
+        actual = AwsEksResourceDetector().detect()
+        self.assertEqual(actual.attributes, {})
+
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._get_k8s_cred_value",
+        return_value=_bearer_jwt({"iss": "https://wrong.jwt.com"}),
+    )
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._is_k8s",
+        return_value=True,
+    )
+    def test_non_eks_jwt_should_raise(
+        self, mock_is_k8s, mock_get_k8s_cred_value
+    ):
+        with self.assertRaises(RuntimeError):
+            AwsEksResourceDetector(raise_on_error=True).detect()
+
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._get_k8s_cred_value",
+        return_value="Bearer notajwt.otel",
+    )
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._is_k8s",
+        return_value=True,
+    )
+    def test_is_eks_wrong_parts_count_should_raise(
+        self, mock_is_k8s, mock_get_k8s_cred_value
+    ):
+        with self.assertRaises(RuntimeError):
+            AwsEksResourceDetector(raise_on_error=True).detect()
+
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._get_k8s_cred_value",
+        return_value="Bearer header.eyJpc3MiOg.fakesig",
+    )
+    @patch(
+        "opentelemetry.sdk.extension.aws.resource.eks._is_k8s",
+        return_value=True,
+    )
+    def test_is_eks_invalid_json_payload_should_raise(
+        self, mock_is_k8s, mock_get_k8s_cred_value
+    ):
+        with self.assertRaises(RuntimeError):
+            AwsEksResourceDetector(raise_on_error=True).detect()