feat: Add configurable AWS credential validation at bootstrap#6629
Merged
dlvenable merged 3 commits intoMar 23, 2026
Conversation
BhattacharyaSumit
requested review from
KarstenSchnitter,
dinujoh,
dlvenable,
engechas,
graytaylor0,
kkondaka,
oeyh,
san81,
sb2k16 and
srikanthjg
as code owners
Contributor
|
Maybe a better configuration experience could be |
…tion - Add validate_at_bootstrap boolean field to AwsSecretManagerConfiguration - Default value is true (safe-by-default - validates credentials at bootstrap) - When set to false, secret retrieval is deferred until first access - Implement lazy-loading logic in AwsSecretsSupplier for deferred secrets - Add comprehensive unit and integration tests - Maintain backward compatibility (default behavior unchanged) This allows users to disable credential validation per-secret when credentials are not available at bootstrap time, while maintaining fail-fast behavior by default for production safety. Resolves issue where DataPrepper fails to start with invalid credentials by providing per-secret control over bootstrap validation. Signed-off-by: Sumit Bhattacharya <sumit4739@gmail.com>
BhattacharyaSumit
force-pushed
the
feature/configurable-credential-validation
branch
from
ee9d46a to
227c332
Compare
dlvenable
requested changes
Mar 12, 2026
dlvenable
left a comment
dlvenable
left a comment
Member
There was a problem hiding this comment.
Thanks for this change @BhattacharyaSumit !
| class AwsSecretsSupplierLazyLoadTest { | ||
|
|
||
| private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper(); | ||
| private static final String TEST_SECRET_ID = "test-secret"; |
Member
There was a problem hiding this comment.
Use random values and initialize them in @BeforeEach. Make them member variables instead of static.
| private boolean disableRefresh = false; | ||
|
|
||
| @JsonProperty("validate_at_bootstrap") | ||
| private boolean validateAtBootstrap = true; // Default: true (safe-by-default) |
Member
There was a problem hiding this comment.
We generally make our boolean configurations false by default. This is a convention offered to end-users to help with expectations.
Also we don't use the term bootstrap much.
I'd tend to think these are better names:
skip_initial_validationskip_validationskip_validation_on_start
|
|
||
| // Check if validation at bootstrap is disabled for this secret | ||
| if (!awsSecretManagerConfiguration.isValidateAtBootstrap()) { | ||
| LOG.info("Skipping secret retrieval at bootstrap for secret: {} (validate_at_bootstrap=false)", |
| // Check if secret was skipped at bootstrap and needs to be loaded now | ||
| Object keyValuePairs = secretIdToValue.get(secretId); | ||
| if (keyValuePairs == NOT_LOADED_SENTINEL) { | ||
| LOG.info("Secret {} was not loaded at bootstrap, loading now on first access...", secretId); |
Member
There was a problem hiding this comment.
Do not use ellipses like this. Just end the sentence with a period.
| // Check if secret was skipped at bootstrap and needs to be loaded now | ||
| Object secretValue = secretIdToValue.get(secretId); | ||
| if (secretValue == NOT_LOADED_SENTINEL) { | ||
| LOG.info("Secret {} was not loaded at bootstrap, loading now on first access...", secretId); |
Member
There was a problem hiding this comment.
Similar comment about ellipses.
| } | ||
|
|
||
| // Check if secret was skipped at bootstrap and needs to be loaded now | ||
| Object secretValue = secretIdToValue.get(secretId); |
Member
There was a problem hiding this comment.
This is duplicate code. Consolidate it with the code above.
| final AwsSecretManagerConfiguration config = new AwsSecretManagerConfiguration(); | ||
|
|
||
| // Default should be true (safe-by-default) | ||
| assertThat(config.isValidateAtBootstrap(), equalTo(true)); |
Member
There was a problem hiding this comment.
You won't need this with the updated default of false.
| @BeforeEach | ||
| void setUp() throws JsonProcessingException { | ||
| when(awsSecretManagerConfiguration.createGetSecretValueRequest()).thenReturn(getSecretValueRequest); | ||
| when(awsSecretManagerConfiguration.isValidateAtBootstrap()).thenReturn(true); // Default: validate at bootstrap |
Member
There was a problem hiding this comment.
You also won't need this with the updated default.
Member
|
Also, one header violation. Missing license header: examples/config/data-prepper-config-secret-validation.yaml |
BhattacharyaSumit
force-pushed
the
feature/configurable-credential-validation
branch
from
b4c9b05 to
803e4fd
Compare
- Rename validate_at_bootstrap to skip_validation_on_start - Change default from true to false (validate by default per DataPrepper convention) - Remove ellipses from log messages - Extract duplicate lazy-loading code into loadSecretIfNeeded() helper method - Update tests to use random values as member variables initialized in @beforeeach - Update all test mocks to use new method name - Remove example configuration file - Remove accidentally committed build artifacts Signed-off-by: Sumit Bhattacharya <sumit4739@gmail.com>
BhattacharyaSumit
force-pushed
the
feature/configurable-credential-validation
branch
from
803e4fd to
7360f59
Compare
dlvenable
previously approved these changes
Mar 20, 2026
dlvenable
left a comment
dlvenable
left a comment
Member
There was a problem hiding this comment.
Thank you @BhattacharyaSumit !
oeyh
reviewed
Mar 21, 2026
Comment on lines
+130
to
+137
| private Object loadSecretIfNeeded(String secretId) { | ||
| Object value = secretIdToValue.get(secretId); | ||
| if (value == NOT_LOADED_SENTINEL) { | ||
| LOG.info("Secret {} was not loaded on start, loading now on first access.", secretId); | ||
| refresh(secretId); | ||
| value = secretIdToValue.get(secretId); | ||
| } | ||
| return value; |
Collaborator
There was a problem hiding this comment.
secretIdToValue is ConcurrentMap, but the check and refresh sequence here is not atomic. We should consider using compute() method or maybe put the sentinel check inside refresh method's compute() call.
Comment on lines
195
to
198
| } else { | ||
| //This store is not a key value pair store. It is just a value store. | ||
| //If we are here, either KeyToUpdate passed is null or we simply ignore it and just put value in the store | ||
| secretIdToValue.put(secretId, newValue); |
Collaborator
There was a problem hiding this comment.
We may need to call loadSecretIfNeeded at the beginning of this updateValue method as well, otherwise there's chance that this else block will be executed if secret is not loaded yet (because NOT_LOADED_SENTINEL is not a Map), which will lead to overwriting the sentinel with newValue.
…unloaded secrets Use ConcurrentMap.compute() in loadSecretIfNeeded() to ensure the sentinel check and secret retrieval are performed atomically, avoiding race conditions with concurrent access. Add loadSecretIfNeeded() call at the beginning of updateValue() to ensure secrets are loaded before update logic runs, preventing the NOT_LOADED_SENTINEL from being treated as a plain value store. Signed-off-by: Sumit Bhattacharya <sumit4739@gmail.com>
oeyh
approved these changes
Mar 23, 2026
oeyh
left a comment
oeyh
left a comment
Collaborator
There was a problem hiding this comment.
Thanks @BhattacharyaSumit !
dlvenable
approved these changes
Mar 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds a
skip_validation_on_startboolean field to AWS Secrets Manager configuration, allowing per-secret control over credential validation at DataPrepper bootstrap.Motivation
DataPrepper currently fails to start if AWS credentials for secrets are invalid at bootstrap, with no way to defer validation. This blocks deployment scenarios where credentials may not be available at startup but will be provided later during runtime.
Changes
skip_validation_on_startfield toAwsSecretManagerConfiguration(default:false)AwsSecretsSupplierfor secrets with validation disabledskip_validation_on_start=trueare loaded on first access instead of at bootstrapConfiguration Example
Issues Resolved
Resolves #[Issue number to be closed when this PR is merged]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.