diff --git a/ddtrace/ext/aws.py b/ddtrace/ext/aws.py
index b92fe1045f2..d8f33876ae0 100644
--- a/ddtrace/ext/aws.py
+++ b/ddtrace/ext/aws.py
@@ -14,6 +14,7 @@
 EXCLUDED_ENDPOINT = frozenset({"kms", "sts", "sns", "kinesis", "events"})
 EXCLUDED_ENDPOINT_TAGS = {
 "firehose": frozenset({"params.Records"}),
+ "secretsmanager": frozenset({"params.SecretString", "params.SecretBinary"}),
 }
diff --git a/releasenotes/notes/fix-botocore-omit-secretstring-secretbinary-743a1780c86db384.yaml b/releasenotes/notes/fix-botocore-omit-secretstring-secretbinary-743a1780c86db384.yaml
new file mode 100644
index 00000000000..29d4c105263
--- /dev/null
+++ b/releasenotes/notes/fix-botocore-omit-secretstring-secretbinary-743a1780c86db384.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ botocore: omit ``SecretBinary`` and ``SecretString`` from span metadata for calls to Secrets Manager.
diff --git a/tests/contrib/botocore/test.py b/tests/contrib/botocore/test.py
index 5853b52762c..06c5635f2d1 100644
--- a/tests/contrib/botocore/test.py
+++ b/tests/contrib/botocore/test.py
@@ -27,6 +27,7 @@
 from ddtrace.constants import ANALYTICS_SAMPLE_RATE_KEY
 from ddtrace.contrib.botocore.patch import patch
 from ddtrace.contrib.botocore.patch import unpatch
+from ddtrace.internal.compat import PY2
 from ddtrace.internal.compat import stringify
 from ddtrace.internal.utils.version import parse_version
 from ddtrace.propagation.http import HTTP_HEADER_PARENT_ID
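Review bot: The new `"secretsmanager"` entry in `EXCLUDED_ENDPOINT_TAGS` (ddtrace/ext/aws.py) has no comment saying why these two keys are dropped, and because the table is a denylist, any sensitive request parameter that is not listed stays eligible for tagging. I would add `# Secret payloads (CreateSecret, PutSecretValue, UpdateSecret) must never be copied into span tags.` above the entry. The code that consumes this table is outside the hunk, so it is worth confirming that it matches on the endpoint name and not on the operation; otherwise PutSecretValue and UpdateSecret would not be covered. Values that earlier tracer versions presumably recorded remain in stored spans, so affected secrets may need rotating.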
@@ -1634,3 +1635,53 @@ def test_kinesis_put_records_base64_exceeds_max_size(self):
 assert "_datadog" not in headers
 client.delete_stream(StreamName=stream_name)
+
+ @unittest.skipIf(PY2, "Skipping for Python 2.7 since older moto doesn't support secretsmanager")
+ def test_secretsmanager(self):
+ from moto import mock_secretsmanager
+
+ with mock_secretsmanager():
+ client = self.session.create_client("secretsmanager", region_name="us-east-1")
+ Pin(service=self.TEST_SERVICE, tracer=self.tracer).onto(client)
+
+ resp = client.create_secret(Name="/my/secrets", SecretString="supersecret-string")
+ assert resp["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+ spans = self.get_spans()
+ assert len(spans) == 1
+ span = spans[0]
+
+ assert span.name == "secretsmanager.command"
+ assert span.resource == "secretsmanager.createsecret"
+ assert span.get_tag("params.Name") == "/my/secrets"
+ assert span.get_tag("aws.operation") == "CreateSecret"
+ assert span.get_tag("aws.region") == "us-east-1"
+ assert span.get_tag("aws.agent") == "botocore"
+ assert span.get_tag("http.status_code") == "200"
+ assert span.get_tag("params.SecretString") is None
+ assert span.get_tag("params.SecretBinary") is None
+
+ @unittest.skipIf(PY2, "Skipping for Python 2.7 since older moto doesn't support secretsmanager")
+ def test_secretsmanager_binary(self):
+ from moto import mock_secretsmanager
+
+ with mock_secretsmanager():
+ client = self.session.create_client("secretsmanager", region_name="us-east-1")
+ Pin(service=self.TEST_SERVICE, tracer=self.tracer).onto(client)
+
+ resp = client.create_secret(Name="/my/secrets", SecretBinary=b"supersecret-binary")
+ assert resp["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+ spans = self.get_spans()
+ assert len(spans) == 1
+ span = spans[0]
+
+ assert span.name == "secretsmanager.command"
+ assert span.resource == "secretsmanager.createsecret"
+ assert span.get_tag("params.Name") == "/my/secrets"
+ assert span.get_tag("aws.operation") == "CreateSecret"
+ assert span.get_tag("aws.region") == "us-east-1"
+ assert span.get_tag("aws.agent") == "botocore"
+ assert span.get_tag("http.status_code") == "200"
+ assert span.get_tag("params.SecretString") is None
+ assert span.get_tag("params.SecretBinary") is None
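Review bot: Both new tests assert only that the `params.SecretString` and `params.SecretBinary` keys are absent, so a regression that recorded the secret under another tag name would still pass; they should also assert that the literal secret value does not occur in any tag value of the span. Only `create_secret` is exercised, while `put_secret_value` and `update_secret` accept the same two parameters; one more call such as `client.put_secret_value(SecretId="/my/secrets", SecretString="rotated-secret")` (constructed value) would cover the per-endpoint behaviour. The two methods differ only in the keyword passed to `create_secret` and could share a helper. The enclosing test class starts outside the hunk.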