[exporter/awskinesis] use cached credentials provider (#32415)

**Description:** Wraps the `AssumeRoleProvider` in a `CachedCredentials` provider, in the case the AWS role is explicitly specified in the configuration. This prevents a role assumption from happening every API call. This was causing us to get rate limited by AWS STS since it was not caching credentials. The previous configuration basically fulfills the scenario described in the AWS [Go SDK V2 docs](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specify-credentials-programmatically): > All credential providers passed to or returned by LoadDefaultConfig are wrapped in a [CredentialsCache](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws#CredentialsCache) automatically. This enables caching and concurrency safe credential access. If you explicitly configure a provider on aws.Config directly you must explicitly wrap the provider with this type using [NewCredentialsCache](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws#NewCredentialsCache). **Link to tracking Issue:** N/A **Testing:** N/A
open-telemetry · Apr 16, 2024 · 8dce114 · 8dce114
1 parent 4501d0f
commit 8dce114
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/.chloggen/awskinesis_cached-credentials.yaml b/.chloggen/awskinesis_cached-credentials.yaml
@@ -0,0 +1,6 @@
+change_type: bug_fix
+component: awskinesisexporter
+note: Wraps the `AssumeRoleProvider` in a `CachedCredentials` provider, in the case the AWS role is specified. This prevents a role assumption from happening every API call.
+issues: [32415]
+subtext:
+change_logs: [user]
diff --git a/exporter/awskinesisexporter/exporter.go b/exporter/awskinesisexporter/exporter.go
@@ -65,10 +65,11 @@ func createExporter(ctx context.Context, c component.Config, log *zap.Logger, op
 	var kinesisOpts []func(*kinesis.Options)
 	if conf.AWS.Role != "" {
 		kinesisOpts = append(kinesisOpts, func(o *kinesis.Options) {
-			o.Credentials = stscreds.NewAssumeRoleProvider(
+			roleProvider := stscreds.NewAssumeRoleProvider(
 				sts.NewFromConfig(awsconf),
 				conf.AWS.Role,
 			)
+			o.Credentials = aws.NewCredentialsCache(roleProvider)
 		})
 	}
 

diff --git a/exporter/awskinesisexporter/exporter_test.go b/exporter/awskinesisexporter/exporter_test.go
@@ -46,6 +46,7 @@ func TestCreatingExporter(t *testing.T) {
 			conf: applyConfigChanges(func(conf *Config) {
 				conf.AWS.StreamName = "example-test"
 				conf.AWS.Region = "us-east-1"
+				conf.AWS.Role = "example-role"
 			}),
 			validateNew: func(tb testing.TB) func(conf aws.Config, opts ...func(*kinesis.Options)) *kinesis.Client {
 				return func(conf aws.Config, opts ...func(*kinesis.Options)) *kinesis.Client {