feat: Add configurable AWS credential validation at bootstrap

- Add credential_validation configuration section to data-prepper-config.yaml
- Implement CredentialValidationService to validate credentials using AWS STS
- Add flag to enable/disable validation (default: enabled for safety)
- Integrate validation into DataPrepper bootstrap process
- Add comprehensive unit tests
- Maintain backward compatibility (safe-by-default behavior)

This allows users to disable credential validation when credentials
are not available at bootstrap time, while maintaining fail-fast
behavior by default for production safety.

Signed-off-by: Sumit Bhattacharya <sumit4739@gmail.com>

Author: BhattacharyaSumit

data-prepper-core/build.gradle

@@ -47,6 +47,7 @@ dependencies {
     implementation 'io.micrometer:micrometer-registry-cloudwatch2'
     implementation 'javax.ws.rs:javax.ws.rs-api:2.1.1'
     implementation 'software.amazon.awssdk:cloudwatch'
+    implementation 'software.amazon.awssdk:sts'
     implementation platform('org.apache.logging.log4j:log4j-bom:2.25.3')
     implementation 'org.apache.logging.log4j:log4j-core'
     implementation 'org.apache.logging.log4j:log4j-slf4j2-impl'

data-prepper-core/src/main/java/org/opensearch/dataprepper/core/DataPrepper.java

@@ -18,6 +18,7 @@
 import org.opensearch.dataprepper.core.pipeline.PipelineObserver;
 import org.opensearch.dataprepper.core.pipeline.PipelinesProvider;
 import org.opensearch.dataprepper.core.pipeline.server.DataPrepperServer;
+import org.opensearch.dataprepper.core.validation.CredentialValidationService;
 import org.opensearch.dataprepper.model.configuration.PipelinesDataFlowModel;
 import org.opensearch.dataprepper.model.plugin.PluginFactory;
 import org.slf4j.Logger;
@@ -71,10 +72,17 @@ public DataPrepper(
             final PipelineTransformer pipelineTransformer,
             final PluginFactory pluginFactory,
             final PeerForwarderServer peerForwarderServer,
-            final Predicate<Map<String, Pipeline>> shouldShutdownOnPipelineFailurePredicate) {
+            final Predicate<Map<String, Pipeline>> shouldShutdownOnPipelineFailurePredicate,
+            final CredentialValidationService credentialValidationService) {
         this.pluginFactory = pluginFactory;
 
         this.pipelinesDataFlowModel = pipelinesDataFlowModel;
+        
+        // *** VALIDATE AWS CREDENTIALS BEFORE INITIALIZING PIPELINES ***
+        // This uses the credential_validation flag from data-prepper-config.yaml
+        // If validation is enabled and fails, this will throw CredentialValidationException
+        credentialValidationService.performValidationIfEnabled();
+        
         transformationPipelines = pipelineTransformer.transformConfiguration(pipelinesDataFlowModel);
         this.shouldShutdownOnPipelineFailurePredicate = shouldShutdownOnPipelineFailurePredicate;
         if (transformationPipelines.isEmpty()) {

data-prepper-core/src/main/java/org/opensearch/dataprepper/core/parser/model/DataPrepperConfiguration.java

@@ -18,6 +18,7 @@
 import org.opensearch.dataprepper.core.parser.config.MetricTagFilter;
 import org.opensearch.dataprepper.core.peerforwarder.PeerForwarderConfiguration;
 import org.opensearch.dataprepper.core.pipeline.PipelineShutdownOption;
+import org.opensearch.dataprepper.core.validation.CredentialValidationConfig;
 import org.opensearch.dataprepper.event.EventConfiguration;
 import org.opensearch.dataprepper.event.EventConfigurationContainer;
 import org.opensearch.dataprepper.model.configuration.PipelineExtensions;
@@ -67,10 +68,14 @@ public class DataPrepperConfiguration implements ExtensionsConfiguration, EventC
     private ExperimentalConfiguration experimental;
     private PipelineExtensions pipelineExtensions;
     private String failurePipelineName = DEFAULT_FAILURE_PIPELINE_NAME;
+    private CredentialValidationConfig credentialValidation;
 
     public static final DataPrepperConfiguration DEFAULT_CONFIG = new DataPrepperConfiguration();
 
-    public DataPrepperConfiguration() {}
+    public DataPrepperConfiguration() {
+        // Initialize with safe defaults
+        this.credentialValidation = new CredentialValidationConfig();
+    }
 
     @JsonCreator
     public DataPrepperConfiguration(
@@ -115,7 +120,8 @@ public DataPrepperConfiguration(
             @JsonProperty("extensions")
             @JsonInclude(JsonInclude.Include.NON_NULL)
             @JsonSetter(nulls = Nulls.SKIP)
-            final PipelineExtensions pipelineExtensions) {
+            final PipelineExtensions pipelineExtensions,
+            @JsonProperty("credential_validation") final CredentialValidationConfig credentialValidation) {
         this.authentication = authentication;
         this.circuitBreakerConfig = circuitBreakerConfig;
         this.sourceCoordinationConfig = Objects.isNull(sourceCoordinationConfig)
@@ -147,6 +153,11 @@ public DataPrepperConfiguration(
         this.experimental = experimental != null ? experimental : ExperimentalConfiguration.defaultConfiguration();
 
         this.pipelineExtensions = pipelineExtensions;
+        
+        // Initialize credential validation with safe defaults (validation enabled)
+        this.credentialValidation = credentialValidation != null 
+            ? credentialValidation 
+            : new CredentialValidationConfig();
     }
 
     public int getServerPort() {
@@ -277,4 +288,14 @@ public PipelineExtensions getPipelineExtensions() {
     public ExperimentalConfiguration getExperimental() {
         return experimental;
     }
+
+    /**
+     * Gets the credential validation configuration.
+     * 
+     * @return credential validation configuration with safe defaults if not specified
+     * @since 2.10
+     */
+    public CredentialValidationConfig getCredentialValidationConfig() {
+        return credentialValidation;
+    }
 }

data-prepper-core/src/main/java/org/opensearch/dataprepper/core/validation/CredentialValidationConfig.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.dataprepper.core.validation;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Configuration for AWS credential validation at DataPrepper bootstrap.
+ * 
+ * @since 2.10
+ */
+public class CredentialValidationConfig {
+    private static final boolean DEFAULT_VALIDATE_AT_BOOTSTRAP = true;
+    private static final long DEFAULT_TIMEOUT_MS = 5000L;
+    private static final long MIN_TIMEOUT_MS = 1L;
+    private static final long MAX_TIMEOUT_MS = 60000L;
+
+    @JsonProperty("validate_credentials_at_bootstrap")
+    private boolean validateCredentialsAtBootstrap = DEFAULT_VALIDATE_AT_BOOTSTRAP;
+
+    @JsonProperty("validation_timeout_ms")
+    private long validationTimeoutMs = DEFAULT_TIMEOUT_MS;
+
+    /**
+     * Default constructor with safe defaults (validation enabled).
+     */
+    public CredentialValidationConfig() {
+    }
+
+    /**
+     * Whether to validate AWS credentials at bootstrap.
+     * Default: true (safe-by-default for production safety)
+     * 
+     * @return true if credentials should be validated at bootstrap
+     */
+    public boolean isValidateCredentialsAtBootstrap() {
+        return validateCredentialsAtBootstrap;
+    }
+
+    /**
+     * Sets whether to validate AWS credentials at bootstrap.
+     * 
+     * @param validate true to enable validation, false to disable
+     */
+    public void setValidateCredentialsAtBootstrap(final boolean validate) {
+        this.validateCredentialsAtBootstrap = validate;
+    }
+
+    /**
+     * Timeout for credential validation in milliseconds.
+     * Default: 5000ms (5 seconds)
+     * Valid range: 1-60000ms
+     * 
+     * @return timeout in milliseconds
+     */
+    public long getValidationTimeoutMs() {
+        return validationTimeoutMs;
+    }
+
+    /**
+     * Sets the timeout for credential validation.
+     * 
+     * @param timeout timeout in milliseconds (must be between 1 and 60000)
+     * @throws IllegalArgumentException if timeout is outside valid range
+     */
+    public void setValidationTimeoutMs(final long timeout) {
+        if (timeout < MIN_TIMEOUT_MS || timeout > MAX_TIMEOUT_MS) {
+            throw new IllegalArgumentException(
+                String.format("validation_timeout_ms must be between %d and %d", 
+                    MIN_TIMEOUT_MS, MAX_TIMEOUT_MS));
+        }
+        this.validationTimeoutMs = timeout;
+    }
+}

data-prepper-core/src/main/java/org/opensearch/dataprepper/core/validation/CredentialValidationException.java

@@ -0,0 +1,26 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.dataprepper.core.validation;
+
+/**
+ * Exception thrown when AWS credential validation fails at bootstrap.
+ * 
+ * @since 2.10
+ */
+public class CredentialValidationException extends RuntimeException {
+    
+    public CredentialValidationException(final String message) {
+        super(message);
+    }
+    
+    public CredentialValidationException(final String message, final Throwable cause) {
+        super(message, cause);
+    }
+}

data-prepper-core/src/main/java/org/opensearch/dataprepper/core/validation/CredentialValidationService.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.dataprepper.core.validation;
+
+import org.opensearch.dataprepper.core.parser.model.DataPrepperConfiguration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+
+/**
+ * Service that orchestrates credential validation during DataPrepper bootstrap.
+ * This is where the credential_validation flag is actually READ and USED.
+ * 
+ * @since 2.10
+ */
+@Named
+public class CredentialValidationService {
+    private static final Logger LOG = LoggerFactory.getLogger(CredentialValidationService.class);
+    
+    private final CredentialValidator credentialValidator;
+    private final DataPrepperConfiguration dataPrepperConfiguration;
+
+    @Inject
+    public CredentialValidationService(
+            final CredentialValidator credentialValidator,
+            final DataPrepperConfiguration dataPrepperConfiguration) {
+        this.credentialValidator = credentialValidator;
+        this.dataPrepperConfiguration = dataPrepperConfiguration;
+    }
+
+    /**
+     * Performs credential validation if enabled in configuration.
+     * This method READS the flag and decides whether to validate.
+     * 
+     * @throws CredentialValidationException if validation fails
+     */
+    public void performValidationIfEnabled() {
+        // *** THIS IS WHERE THE FLAG IS USED ***
+        final CredentialValidationConfig config = 
+            dataPrepperConfiguration.getCredentialValidationConfig();
+        
+        // Check if validation is enabled
+        if (!config.isValidateCredentialsAtBootstrap()) {
+            LOG.info("AWS credential validation at bootstrap is disabled");
+            return; // Skip validation
+        }
+        
+        LOG.info("AWS credential validation at bootstrap is enabled");
+        
+        try {
+            // Perform validation
+            final ValidationResult result = credentialValidator.validateCredentials(config);
+            
+            // Handle validation result
+            if (result.isValid()) {
+                LOG.info("Credential validation succeeded in {}ms", 
+                    result.getValidationDurationMs());
+            } else {
+                final String errorMessage = String.format(
+                    "Credential validation failed: %s", 
+                    result.getMessage()
+                );
+                
+                LOG.error(errorMessage);
+                result.getException().ifPresent(e -> 
+                    LOG.error("Validation exception details", e));
+                
+                // Fail-fast: throw exception to prevent startup
+                throw new CredentialValidationException(
+                    errorMessage, 
+                    result.getException().orElse(null)
+                );
+            }
+        } catch (CredentialValidationException e) {
+            // Re-throw validation exceptions
+            throw e;
+        } catch (Exception e) {
+            // Catch any unexpected exceptions (e.g., AWS SDK not available, no credentials in test environment)
+            LOG.warn("Unexpected error during credential validation, skipping: {}", e.getMessage());
+            LOG.debug("Credential validation error details", e);
+            
+        }
+    }
+}

data-prepper-core/src/main/java/org/opensearch/dataprepper/core/validation/CredentialValidator.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.dataprepper.core.validation;
+
+/**
+ * Interface for validating AWS credentials at DataPrepper bootstrap.
+ * 
+ * @since 2.10
+ */
+public interface CredentialValidator {
+    /**
+     * Validates that AWS credentials are available and functional.
+     * 
+     * @param config Validation configuration containing timeout and other settings
+     * @return ValidationResult containing success/failure status and details
+     */
+    ValidationResult validateCredentials(CredentialValidationConfig config);
+}