[ROB-1923] amp irsa support

docs/configuration/metric-providers-aws.rst

@@ -6,25 +6,80 @@ Configure Robusta to use Amazon Managed Prometheus (AMP).
 Prerequisites
 -------------
 
-1. An Amazon Managed Prometheus workspace
-2. AWS access credentials (Access Key and Secret Key)
+Before configuring Robusta with AWS Managed Prometheus, ensure you have:
+
+1. **An Amazon Managed Prometheus (AMP) workspace**  
+   See: `Getting started with Amazon Managed Service for Prometheus <https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-getting-started.html>`_.
+
+2. **For IRSA**: Your EKS cluster must have an OIDC identity provider configured.  
+   See: `Associate IAM OIDC Provider <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>`_.
+
+3. **AWS access credentials (Access Key and Secret Key)**  
+   With sufficient permissions to query AMP (for example, the ``AmazonPrometheusQueryAccess`` policy).
+
+IRSA (Recommended)
+------------------
+
+IRSA (IAM Roles for Service Accounts) is the recommended way to authenticate Robusta with AWS Managed Prometheus.  
+With IRSA, you don’t need to manage long-lived AWS access keys — credentials are securely provided to pods via Kubernetes service accounts.
+
+.. dropdown:: AWS Setup for IRSA
+   :animate: fade-in-slide-down
+
+   1. **Ensure your EKS cluster has an OIDC provider associated**:  
+      See the AWS guide: `Associate IAM OIDC Provider <https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html>`_.
+
+   2. **Create an IAM role for Prometheus access with the correct trust policy**:  
+      The role must include:
+
+      - The managed policy ``AmazonPrometheusQueryAccess`` (or equivalent custom policy).
+      - A trust policy allowing ``sts:AssumeRoleWithWebIdentity`` from your cluster’s OIDC provider.
+
+      Example trust policy (replace placeholders accordingly):
+
+      .. code-block:: json
+
+         {
+           "Version": "2012-10-17",
+           "Statement": [
+             {
+               "Effect": "Allow",
+               "Principal": {
+                 "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
+               },
+               "Action": "sts:AssumeRoleWithWebIdentity",
+               "Condition": {
+                 "StringEquals": {
+                   "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:<NAMESPACE>:<SERVICE_ACCOUNT_NAME>"
+                 }
+               }
+             }
+           ]
+         }
 
 Quick Start
------------
+~~~~~~~~~~~
 
-1. **Create AWS credentials** if you don't have them:
-
-   Follow the `AWS guide <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey>`_ to create an access key.
+1. **Annotate Robusta service accounts** in the namespace where you installed the Helm chart.  
+   At minimum, these two are critical:
 
-2. **Store credentials in Kubernetes**:
+   - ``robusta-runner-service-account``
+   - ``robusta-holmes-service-account``
+
+   Example:
+
+   .. code-block:: yaml
 
-   .. code-block:: bash
+       runnerServiceAccount:
+         annotations:
+           eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<AMP_IAM_ROLE>
 
-       kubectl create secret generic aws-secret-key -n robusta \
-           --from-literal=access-key=YOUR_ACCESS_KEY \
-           --from-literal=secret-key=YOUR_SECRET_ACCESS_KEY
+       holmes:
+         serviceAccount:
+           annotations:
+             eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<AMP_IAM_ROLE>
 
-3. **Configure Robusta** - add to ``generated_values.yaml``:
+2. **Configure Robusta** - add to ``generated_values.yaml``:
 
    .. code-block:: yaml
 
@@ -36,25 +91,64 @@ Quick Start
            additional_env_vars:
            - name: PROMETHEUS_SSL_ENABLED
              value: "true"
-           - name: AWS_ACCESS_KEY
-             valueFrom:
-               secretKeyRef:
-                 name: aws-secret-key
-                 key: access-key
-           - name: AWS_SECRET_ACCESS_KEY
-             valueFrom:
-               secretKeyRef:
-                 name: aws-secret-key
-                 key: secret-key
            - name: AWS_SERVICE_NAME
              value: "aps"
            - name: AWS_REGION
              value: "us-east-1"  # Your workspace region
 
-4. :ref:`Update Robusta <Simple Upgrade>`
+3. :ref:`Update Robusta <Simple Upgrade>`
+
+Access Keys (Alternative)
+-------------------------
+
+If you prefer not to use IRSA, you can authenticate with long-lived AWS access keys.
+
+.. dropdown:: AWS Setup for Access Keys
+   :animate: fade-in-slide-down
+   :icon: key
+
+   1. **Create AWS credentials** if you don't have them:  
+      Follow the `AWS guide <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey>`_ to create an access key.
+
+   2. **Store credentials in Kubernetes**:
+
+      .. code-block:: bash
+
+          kubectl create secret generic aws-secret-key -n robusta \
+              --from-literal=access-key=YOUR_ACCESS_KEY \
+              --from-literal=secret-key=YOUR_SECRET_ACCESS_KEY
+
+   3. **Configure Robusta** - add to ``generated_values.yaml``:
+
+      .. code-block:: yaml
+
+          globalConfig:
+              prometheus_url: "https://aps-workspaces.us-east-1.amazonaws.com/workspaces/ws-12345678"
+              check_prometheus_flags: false  # Required for AWS
+
+          runner:
+              additional_env_vars:
+              - name: PROMETHEUS_SSL_ENABLED
+                value: "true"
+              - name: AWS_ACCESS_KEY
+                valueFrom:
+                  secretKeyRef:
+                    name: aws-secret-key
+                    key: access-key
+              - name: AWS_SECRET_ACCESS_KEY
+                valueFrom:
+                  secretKeyRef:
+                    name: aws-secret-key
+                    key: secret-key
+              - name: AWS_SERVICE_NAME
+                value: "aps"
+              - name: AWS_REGION
+                value: "us-east-1"  # Your workspace region
+
+   4. :ref:`Update Robusta <Simple Upgrade>`
 
 Finding Your Workspace URL
---------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 1. Open the AWS Console
 2. Navigate to Amazon Managed Service for Prometheus
@@ -71,8 +165,6 @@ Configuration Details
 - ``AWS_SERVICE_NAME``: Always ``"aps"`` for Amazon Prometheus Service
 - ``AWS_REGION``: The AWS region where your workspace is located
 
-
-
 Important Notes
 ---------------
 
@@ -81,13 +173,12 @@ Important Notes
    AWS Managed Prometheus does not support the Prometheus flags API. Always set ``check_prometheus_flags: false``.
 
 - AlertManager URL is not needed (AWS handles alerting separately)
-- Ensure your AWS credentials have permissions to query the AMP workspace
+- Ensure your IAM role or AWS credentials have permissions to query the AMP workspace
 - The workspace must be in the same region specified in AWS_REGION
 
-
 Next Steps
 ----------
 
 - Configure :doc:`alert routing </notification-routing/index>`
 - Set up ingestion from your cluster to AMP
-- Learn about :doc:`common configuration options <metric-providers>`
+- Learn about :doc:`common configuration options <metric-providers>`

helm/robusta/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 72.0.1
 - name: holmes
   repository: https://robusta-charts.storage.googleapis.com
-  version: 0.13.0
-digest: sha256:d76c7da4b825cfe6d8abf97901e355ae633e3ab07e48da16e2880426fb584f79
-generated: "2025-08-20T15:23:06.134703+03:00"
+  version: 0.13.1
+digest: sha256:c1679a75bb51c8474420fbc2d0b3dd97125ad462a00c280bceff98027423bb1d
+generated: "2025-08-27T13:09:08.581854+03:00"

helm/robusta/Chart.yaml

@@ -15,6 +15,6 @@ dependencies:
     condition: enablePrometheusStack
     repository: "https://prometheus-community.github.io/helm-charts"
   - name: holmes
-    version: 0.13.0
+    version: 0.13.1
     condition: enableHolmesGPT
     repository: "https://robusta-charts.storage.googleapis.com"

playbooks/robusta_playbooks/krr.py

@@ -36,7 +36,7 @@
 from robusta.integrations.prometheus.utils import generate_prometheus_config
 from robusta.utils.parsing import format_event_templated_string
 
-IMAGE: str = os.getenv("KRR_IMAGE_OVERRIDE", f"{IMAGE_REGISTRY}/krr:v1.25.1")
+IMAGE: str = os.getenv("KRR_IMAGE_OVERRIDE", f"{IMAGE_REGISTRY}/krr:v1.26.0")
 KRR_MEMORY_LIMIT: str = os.getenv("KRR_MEMORY_LIMIT", "2Gi")
 KRR_MEMORY_REQUEST: str = os.getenv("KRR_MEMORY_REQUEST", "2Gi")
 KRR_STRATEGY: str = os.getenv("KRR_STRATEGY", "simple")
@@ -276,22 +276,23 @@ def _generate_prometheus_secrets(prom_config: PrometheusConfig) -> List[KRRSecre
             )
 
     if isinstance(prom_config, AWSPrometheusConfig):
-        krr_secrets.extend(
-            [
-                KRRSecret(
-                    env_var_name="AWS_KEY",
-                    secret_key="aws-key",
-                    secret_value=prom_config.access_key,
-                    command_flag="--eks-access-key",
-                ),
-                KRRSecret(
-                    env_var_name="AWS_SECRET",
-                    secret_key="aws-secret",
-                    secret_value=prom_config.secret_access_key,
-                    command_flag="--eks-secret-key",
-                ),
-            ]
-        )
+        if prom_config.access_key and prom_config.secret_access_key:
+            krr_secrets.extend(
+                [
+                    KRRSecret(
+                        env_var_name="AWS_KEY",
+                        secret_key="aws-key",
+                        secret_value=prom_config.access_key,
+                        command_flag="--eks-access-key",
+                    ),
+                    KRRSecret(
+                        env_var_name="AWS_SECRET",
+                        secret_key="aws-secret",
+                        secret_value=prom_config.secret_access_key,
+                        command_flag="--eks-secret-key",
+                    ),
+                ]
+            )
     if isinstance(prom_config, CoralogixPrometheusConfig):
         krr_secrets.append(
             KRRSecret(

pyproject.toml

@@ -59,7 +59,7 @@ humanize = "^3.13.1"
 cryptography = "^43.0.1"
 fpdf2 = "^2.7.1"
 attrs = "^23.1.0"
-prometrix = "0.2.1"
+prometrix = "0.2.2"
 hikaru-model-26 = "^1.1.1"
 apprise = "1.6.0"
 rocketchat-api = "^1.30.0"

src/robusta/integrations/prometheus/utils.py

@@ -25,9 +25,9 @@
     "AZURE_TOKEN_ENDPOINT", f"https://login.microsoftonline.com/{os.environ.get('AZURE_TENANT_ID')}/oauth2/token"
 )
 CORALOGIX_PROMETHEUS_TOKEN = os.environ.get("CORALOGIX_PROMETHEUS_TOKEN")
-AWS_ACCESS_KEY = os.environ.get("AWS_ACCESS_KEY")
-AWS_SECRET_ACCESS_KEY = os.environ.get("AWS_SECRET_ACCESS_KEY")
-AWS_SERVICE_NAME = os.environ.get("AWS_SERVICE_NAME")
+AWS_ACCESS_KEY = os.environ.get("AWS_ACCESS_KEY", None)
+AWS_SECRET_ACCESS_KEY = os.environ.get("AWS_SECRET_ACCESS_KEY", None)
+AWS_SERVICE_NAME = os.environ.get("AWS_SERVICE_NAME", "aps")
 AWS_REGION = os.environ.get("AWS_REGION")
 VICTORIA_METRICS_CONFIGURED = os.environ.get("VICTORIA_METRICS_CONFIGURED", "false").lower() == "true"
 
@@ -57,7 +57,7 @@ def generate_prometheus_config(prometheus_params: PrometheusParams) -> Prometheu
         baseconfig["headers"] = prometheus_params.prometheus_additional_headers
 
     # aws config
-    if AWS_ACCESS_KEY:
+    if AWS_REGION:
         return AWSPrometheusConfig(
             access_key=AWS_ACCESS_KEY,
             secret_access_key=AWS_SECRET_ACCESS_KEY,