oscerd opened a new pull request, #23077: URL: https://github.com/apache/camel/pull/23077
## Summary

Fourth batch of AWS span decorators for `camel-telemetry`. Continues the work from #23038, #23040 and #23045 by covering the **Security & Identity** group: identity (STS, IAM), secrets/configuration storage (Secrets Manager, Parameter Store), and compliance/security findings (Security Hub, Config).

JIRA: [CAMEL-23387](https://issues.apache.org/jira/browse/CAMEL-23387) — _the JIRA stays open; remaining AWS components (AI/ML and Compute) will land in subsequent PRs._

## Changes

New `SpanDecorator` implementations under `org.apache.camel.telemetry.decorators`:

- **`AwsStsSpanDecorator`** (`aws2-sts`) — Security Token Service. Tags: `operation`, `roleArn`, `roleSessionName`, `federatedName`. Output credentials (access keys, session token, expiration) are intentionally not surfaced as span tags.
- **`AwsIamSpanDecorator`** (`aws2-iam`) — Identity & Access Management. Tags: `operation`, `userName`, `groupName`, `roleName`, `policyName`. ARNs/IDs (output) and policy documents are not exposed.
- **`AwsSecretsManagerSpanDecorator`** (`aws-secrets-manager`) — Secrets Manager. Tags: `operation`, `secretId`, `secretName`. Secret values, rotation lambda ARNs and version IDs are not surfaced.
- **`AwsParameterStoreSpanDecorator`** (`aws-parameter-store`) — Systems Manager Parameter Store. Tags: `operation`, `parameterName`, `parameterPath`. Parameter values are intentionally **not** emitted (SecureString values would leak secrets to observability backends), and KMS key IDs are skipped.
- **`AwsSecurityHubSpanDecorator`** (`aws-security-hub`) — Security Hub findings. Tags: `operation`, `findingId`, `productArn`. Bulk request payloads (findings lists, filters, severity updates) are not surfaced.
- **`AwsConfigSpanDecorator`** (`aws-config`) — AWS Config rules and conformance packs. Tags: `operation`, `ruleName`, `ruleSourceIdentifier`, `conformancePackName`. Conformance pack template bodies are not surfaced.

All six decorators extend `AbstractSpanDecorator` (these are producer-only management APIs) and are registered alphabetically in `META-INF/services/org.apache.camel.telemetry.SpanDecorator`. Unit tests cover header-to-tag extraction for each decorator.

Header constants are mirrored from each component's `*Constants` interface (with a Javadoc reference back to the source), matching the convention already used by previous batches and `AzureServiceBusSpanDecorator`. This avoids creating hard dependencies from `camel-telemetry` to the AWS component modules.

### Tag selection rationale

Across this batch the selected tag surface follows two consistent rules:

1. **Never emit values that may contain secrets** — parameter values (SSM SecureString), secret values (Secrets Manager), policy documents (IAM), STS temporary credentials, conformance pack template bodies (Config). These would leak credentials/PII into observability backends.
2. **Prefer the request _target_ over the response payload** — i.e. tag `secretId`, `parameterName`, `userName`, `roleName`, `findingId` etc. Output ARNs/IDs and bulk response payloads are not tagged because they are response-shaped. This mirrors the minimization choice already applied in batch 3 (dropping `keyId` from KMS and `username` from CloudTrail).

## Test plan

- [x] `mvn test` in `components/camel-telemetry` passes (121 tests, including 34 AWS decorator tests covering 26 components total)
- [x] Module-specific build (`mvn -DskipTests install`) succeeds
- [x] No code style or formatter changes required

## Coverage so far on CAMEL-23387

| Batch | PR | Components |
|---|---|---|
| 1 | #23038 (merged) | SQS, SNS, Kinesis, S3 |
| 2 | #23040 (merged) | DDB, DDB Streams, Lambda, EventBridge, SES, MQ, Kinesis Firehose, Bedrock |
| 3 | #23045 (merged) | Athena, CloudWatch, KMS, MSK, Step Functions, Timestream, Redshift Data, CloudTrail |
| 4 | this PR | STS, IAM, Secrets Manager, Parameter Store, Security Hub, Config |

## Follow-ups still pending

- **AI/ML components**: Polly, Rekognition, Textract, Transcribe, Translate, Comprehend, S3 Vectors — to be added in a subsequent PR.
- **Compute & Tracing components**: EC2, ECS, EKS, X-Ray — to be added in a subsequent PR.
- **Google Cloud decorators** (mentioned in CAMEL-23387's description) — separate scope discussion / separate JIRA.

---

_Claude Code on behalf of Andrea Cosentino_

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
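The two minimization rules in the PR description (allow-list the request target, never copy a value that may hold a secret) are easiest to keep honest when "no secret reaches a span" is a checkable invariant rather than a reviewer's convention. The following is an added, Camel-independent example, not code from this PR and not camel-telemetry's `SpanDecorator`/`AbstractSpanDecorator` API: it models one decorator as an ordered header-to-tag allow-list over a plain header map and adds a leak check that scans every emitted tag value for the value of any sensitive header present on the exchange. The class name, method names, and the `CamelAwsParameterStore*` header strings are assumptions constructed for the example (modelled on the convention of mirroring `*Constants`), not values taken from the Parameter Store component.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not camel-telemetry code). Models a span decorator as an
 * allow-list from exchange headers to span tags, plus a regression check
 * that no sensitive header value ends up inside any tag.
 */
public class SpanTagMinimizationExample {

    // Assumed header names, constructed for this example in the style of the
    // mirrored *Constants the PR describes; not copied from the real component.
    static final String OPERATION = "CamelAwsParameterStoreOperation";
    static final String PARAMETER_NAME = "CamelAwsParameterStoreParameterName";
    static final String PARAMETER_PATH = "CamelAwsParameterStoreParameterPath";
    static final String PARAMETER_VALUE = "CamelAwsParameterStoreParameterValue";
    static final String KMS_KEY_ID = "CamelAwsParameterStoreKmsKeyId";

    /** Headers whose values must never appear in a span, whole or as a substring. */
    static final Set<String> SENSITIVE_HEADERS = Set.of(PARAMETER_VALUE, KMS_KEY_ID);

    /** Rule 2: the allow-list names request targets only; anything absent is dropped. */
    static final Map<String, String> HEADER_TO_TAG = new LinkedHashMap<>();
    static {
        HEADER_TO_TAG.put(OPERATION, "operation");
        HEADER_TO_TAG.put(PARAMETER_NAME, "parameterName");
        HEADER_TO_TAG.put(PARAMETER_PATH, "parameterPath");
    }

    /** Copy allow-listed headers into tags; a header that is not set yields no tag. */
    static Map<String, String> extractTags(Map<String, Object> headers,
                                           Map<String, String> allowList) {
        Map<String, String> tags = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : allowList.entrySet()) {
            Object v = headers.get(e.getKey());
            if (v != null) {
                tags.put(e.getValue(), String.valueOf(v));
            }
        }
        return tags;
    }

    /**
     * Rule 1 as a test invariant: return the names of tags whose value contains
     * the value of any sensitive header present on the exchange. Empty == clean.
     */
    static List<String> findLeaks(Map<String, String> tags, Map<String, Object> headers) {
        List<String> leaking = new ArrayList<>();
        for (String h : SENSITIVE_HEADERS) {
            Object secret = headers.get(h);
            if (secret == null) {
                continue;
            }
            String s = String.valueOf(secret);
            if (s.isEmpty()) {
                continue;
            }
            for (Map.Entry<String, String> t : tags.entrySet()) {
                if (t.getValue().contains(s) && !leaking.contains(t.getKey())) {
                    leaking.add(t.getKey());
                }
            }
        }
        return leaking;
    }

    public static void main(String[] args) {
        // Constructed exchange headers for a putParameter of a SecureString.
        Map<String, Object> headers = new LinkedHashMap<>();
        headers.put(OPERATION, "putParameter");
        headers.put(PARAMETER_NAME, "/prod/db/password");
        headers.put(PARAMETER_VALUE, "s3cr3t-db-pa55");
        headers.put(KMS_KEY_ID, "alias/prod-ssm");

        // The minimizing allow-list yields operation + parameterName and nothing else.
        Map<String, String> tags = extractTags(headers, HEADER_TO_TAG);
        if (!findLeaks(tags, headers).isEmpty()) {
            throw new AssertionError("sensitive value reached a span tag: " + tags);
        }
        System.out.println("minimized tags: " + tags);

        // A decorator that also tags the parameter value is caught by the same check.
        Map<String, String> tooMuch = new LinkedHashMap<>(HEADER_TO_TAG);
        tooMuch.put(PARAMETER_VALUE, "parameterValue");
        System.out.println("leaking tags: " + findLeaks(extractTags(headers, tooMuch), headers));
    }
}
```

Run with `javac SpanTagMinimizationExample.java && java SpanTagMinimizationExample` (Java 11 or later for `Set.of`). The leak check is a substring scan on purpose: a tag built by concatenation (for example an `operation` tag that appended the value) would leak just as badly as a dedicated `parameterValue` tag, and a plain key comparison would miss it. The same shape of check covers STS output credentials or Secrets Manager values by adding their header names to the sensitive set.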
