feat: add support for metrics to track sts calls made to disabled reg…

Open dheeraj-coding opened this issue 3 months ago • 5 comments

What this PR does / why we need it: The authentication token is composed of a presigned URL to an STS endpoint. This STS endpoint is simply curled to verify the token. There is a possibility that a token from account A, with supported regions as HKG, can request authentication against a cluster in account B opted into the TLV region. This behavior breaks data regionalization principle tenets. We must add validations to fail such requests automatically, but this change would be a breaking change. To ensure we enforce this behavior in a soft manner, we want to track the number of requests that perform these invalid cross-region calls. This PR contains the changes necessary to add a new Prometheus metric for such cross-region calls.

Testing

[root@ip-172-16-190-132 bin]# curl --insecure https://127.0.0.1:21362/metrics | grep sts
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0# HELP aws_iam_authenticator_sts_disabled_region_call Number of STS calls made to regions that are disabled / disabling
# TYPE aws_iam_authenticator_sts_disabled_region_call counter
aws_iam_authenticator_sts_disabled_region_call 0
# HELP aws_iam_authenticator_sts_responses_total Sts responses with error code label
# TYPE aws_iam_authenticator_sts_responses_total counter
aws_iam_authenticator_sts_responses_total{ResponseCode="200",StsRegion="global"} 1
aws_iam_authenticator_sts_responses_total{ResponseCode="200",StsRegion="us-west-2"} 4
100 11632    0 11632    0     0  1187k      0 --:--:-- --:--:-- --:--:-- 1262k
# HELP promhttp_metric_handler_requests_in_flight Current number of scrapes being served.
# TYPE promhttp_metric_handler_requests_in_flight gauge
promhttp_metric_handler_requests_in_flight 1
# HELP promhttp_metric_handler_requests_total Total number of scrapes by HTTP status code.
# TYPE promhttp_metric_handler_requests_total counter
promhttp_metric_handler_requests_total{code="200"} 67
promhttp_metric_handler_requests_total{code="500"} 0
promhttp_metric_handler_requests_total{code="503"} 0

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged): Fixes #

dheeraj-coding, Aug 28 '25 04:08
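The soft-enforcement idea in the description above, as an added example (not code from this PR or from aws-iam-authenticator): it decodes a token, reads the region from the STS host of the presigned URL, and counts rather than rejects calls to a region outside an enabled set. The names `stsRegion`, `observe` and `disabledRegionCalls`, the enabled-region map and the sample URL are assumptions, and only the `sts.amazonaws.com` and `sts.<region>.amazonaws.com` host forms are handled.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
	"sync/atomic"
)

const tokenPrefix = "k8s-aws-v1." // prefix of aws-iam-authenticator tokens
var disabledRegionCalls int64     // stand-in for the Prometheus counter (hypothetical name)

// stsRegion returns the region named by the STS host in the token's presigned URL.
func stsRegion(token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(token, tokenPrefix))
	if !strings.HasPrefix(token, tokenPrefix) || err != nil {
		return "", fmt.Errorf("token is not %q followed by base64url data", tokenPrefix)
	}
	u, err := url.Parse(string(raw))
	if err != nil {
		return "", err
	}
	host := strings.ToLower(u.Hostname())
	if host == "sts.amazonaws.com" {
		return "global", nil
	}
	p := strings.Split(host, ".")
	if len(p) != 4 || p[0] != "sts" || p[1] == "" || p[2] != "amazonaws" || p[3] != "com" {
		return "", fmt.Errorf("unexpected STS host %q", host)
	}
	return p[1], nil
}

// observe counts, but does not reject, a token signed for a region outside enabled.
func observe(token string, enabled map[string]bool) (region string, cross bool, err error) {
	if region, err = stsRegion(token); err != nil {
		return "", false, err
	}
	if cross = !enabled[region]; cross {
		atomic.AddInt64(&disabledRegionCalls, 1)
	}
	return region, cross, nil
}

func main() {
	signed := "https://sts.ap-east-1.amazonaws.com/?Action=GetCallerIdentity" // constructed sample
	tok := tokenPrefix + base64.RawURLEncoding.EncodeToString([]byte(signed))
	fmt.Println(observe(tok, map[string]bool{"global": true, "il-central-1": true}))
}
```

Because the region is taken from the host the verifier would contact, the counter reflects where the STS call would actually go, independent of anything else the client sends.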