Skip to content

aws/config: validate credentials before SigV4 signing#18333

Merged
kcreddy merged 4 commits intoelastic:mainfrom
kcreddy:aws.config-static-creds
Apr 17, 2026
Merged

aws/config: validate credentials before SigV4 signing#18333
kcreddy merged 4 commits intoelastic:mainfrom
kcreddy:aws.config-static-creds

Conversation

@kcreddy
Copy link
Copy Markdown
Contributor

@kcreddy kcreddy commented Apr 10, 2026
edited
Loading

Proposed commit message

aws/config: validate credentials before SigV4 signing

The AWS Config CEL program accesses state.secret_key and
state.access_key without guards. When a user configures the
integration with Role ARN or no credentials (both valid for other
AWS data streams), the program crashes with the unhelpful error
"no such key: secret_key".

Add a credential check at the top of the CEL program that detects
missing or empty access_key_id / secret_access_key and returns a
clear error explaining that static credentials are required and
Role ARN is not supported for this data stream. The check uses
optional field access (state.?secret_key.orValue("")) to handle
both absent and empty-string cases safely.

Update the data stream docs and manifest description to state the
Role ARN limitation upfront. Add a script test that verifies the
error message is emitted when credentials are missing.

Fixes #18332

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Script tests run sucessfully

# Test that the AWS Config data stream emits a clear error event when
# access_key_id and secret_access_key are not provided. (41.941s)
# The credential check fires before any HTTP request, so exactly one error
# event should be indexed per evaluation cycle. Wait for at least 1. (8.027s)
# Verify the error message names the missing credentials. (0.039s)
# Verify no data events were produced — only error events. (0.023s)
# Clean up. (12.967s)
PASS

--- Test results for package: aws - START ---
╭─────────┬─────────────┬───────────┬─────────────────────┬────────┬────────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME           │ RESULT │   TIME ELAPSED │
├─────────┼─────────────┼───────────┼─────────────────────┼────────┼────────────────┤
│ aws     │ config      │ script    │ env                 │ PASS   │    32.725625ms │
│ aws     │ config      │ script    │ missing_credentials │ PASS   │ 1m3.002499542s │
╰─────────┴─────────────┴───────────┴─────────────────────┴────────┴────────────────╯
--- Test results for package: aws - END   ---
Done

Related issues

Screenshots

kcreddy added 2 commits April 10, 2026 18:40
@kcreddy
aws/config: validate credentials before SigV4 signing
215458f 
The AWS Config CEL program accesses state.secret_key and
state.access_key without guards. When a user configures the
integration with Role ARN or no credentials (both valid for other
AWS data streams), the program crashes with the unhelpful error
"no such key: secret_key".

Add a credential check at the top of the CEL program that detects
missing or empty access_key_id / secret_access_key and returns a
clear error explaining that static credentials are required and
Role ARN is not supported for this data stream. The check uses
optional field access (state.?secret_key.orValue("")) to handle
both absent and empty-string cases safely.

Update the data stream docs and manifest description to state the
Role ARN limitation upfront. Add a script test that verifies the
error message is emitted when credentials are missing.

Fixes elastic#18332
@kcreddy
update pr number
da6c965
@kcreddy kcreddy marked this pull request as ready for review April 10, 2026 13:13
@kcreddy kcreddy requested review from a team as code owners April 10, 2026 13:13
@kcreddy kcreddy self-assigned this Apr 10, 2026
@kcreddy kcreddy added Integration:aws AWS bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Apr 10, 2026
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Apr 10, 2026

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 10, 2026

✅ Vale Linting Results

No issues found on modified lines!

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod Bot commented Apr 10, 2026

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Apr 10, 2026
ShourieG
ShourieG reviewed Apr 17, 2026
View reviewed changes
Comment thread packages/aws/changelog.yml Outdated
Comment thread packages/aws/data_stream/config/agent/stream/cel.yml.hbs Outdated
@kcreddy kcreddy requested a review from ShourieG April 17, 2026 09:46
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Apr 17, 2026

💚 Build Succeeded

History

cc @kcreddy

@kcreddy kcreddy merged commit 925fdb5 into elastic:main Apr 17, 2026
13 checks passed
@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod Bot commented Apr 17, 2026

Package aws - 6.5.1 containing this change is available at https://epr.elastic.co/package/aws/6.5.1/

@efd6
Copy link
Copy Markdown
Contributor

efd6 commented Apr 20, 2026

Note that v8.19.4 and v9.2.1 both have access to AWS SigV4 signing functions which offer env, shared and static credentials.

@kcreddy
Copy link
Copy Markdown
Contributor Author

kcreddy commented Apr 20, 2026

Note that v8.19.4 and v9.2.1 both have access to AWS SigV4 signing functions which offer env, shared and static credentials.

In another discussion #10784 (comment), there was another feature auth.aws (now backported into 8.19: elastic/beats#50141) which can also do this. The idea here was to use this auth.aws once it is available in 8.19.

Is there any preferred method between the two (mito signing functions vs auth.aws)?

@efd6
Copy link
Copy Markdown
Contributor

efd6 commented Apr 20, 2026

I completely forgot about that. The discussion here is good for knowing which. If it was your plan to wait for that, that's fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ShourieG ShourieG ShourieG approved these changes

Assignees

@kcreddy kcreddy

Labels

bugfix Pull request that fixes a bug issue documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:aws AWS Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[aws] AWS Config: improve error when credentials are missing and clarify Role ARN limitation in docs

5 participants

@kcreddy @elasticmachine @efd6 @ShourieG @andrewkroh