Bug
When the AWS integration is configured with IAM user credentials (env AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, or a stored access_key_id / secret_access_key on the integration — i.e. no role_arn, no injected _backend), opensre investigate on a Kubernetes alert produces zero EKS tools in the plan. EKS pods / events / nodes are silently not investigated even when cluster_name is present in the alert annotations and the credentials work for STS / EKS directly.
Environment
- Commit:
main (reproduced on current HEAD as of 2026-04-21, also present in 0.x releases)
- Python: 3.12
- AWS integration: configured via
opensre onboarding aws, choosing "access key / secret" (no role ARN), or via env AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_REGION.
Reproduction
-
Configure AWS integration with IAM user credentials, no role_arn:
opensre onboarding aws
# enter access key / secret / region, skip role ARN
-
Run investigate on a Kubernetes alert with cluster_name set:
opensre investigate -i tests/e2e/kubernetes/fixtures/datadog_k8s_alert.json
-
Expected: EKS appears in the detected sources; pods / events / node-health tools are planned.
-
Actual: EKS is silently skipped — the plan contains no EKS tools.
Root cause
app/integrations/catalog.py::resolve_integrations already lifts IAM-user credentials into _eks_int["credentials"] (around L229-L235). But app/nodes/plan_actions/detect_sources.py only checks _eks_int.get("role_arn") or an injected _backend before entering the EKS branch (L660):
_eks_int = (resolved_integrations or {}).get("aws")
_has_injected_eks_backend = bool(_eks_int and "_backend" in _eks_int)
if _eks_int and (_eks_int.get("role_arn") or _has_injected_eks_backend):
... # EKS branchIAM-user integrations have neither role_arn nor _backend, so the EKS branch is skipped entirely — even though credentials are present and valid.
This gate is the only remaining site that forgets credentials; other gates already include it correctly:
app/integrations/models.py::_require_auth_method — self.role_arn or self.credentials ✔app/integrations/verify.py::_build_sts_client — if role_arn: ... else credentials branch ✔app/cli/wizard/integration_health.py — same two-branch pattern ✔
Proposed fix
Accept _eks_int.get("credentials") as a third way to gate the EKS branch. Downstream code (L693) already tolerates an empty role_arn via _eks_int.get("role_arn", ""), so no other change is required at the planning layer.
if _eks_int and (
_eks_int.get("role_arn") or _has_injected_eks_backend or _eks_int.get("credentials")
):
...This is a strict superset of the existing behaviour: every integration previously accepted is still accepted. The new branch only activates for integrations that already carry a credentials dict produced by catalog.resolve_integrations.
Related
The k8s client that actually consumes these credentials also needs to learn to honour them (it currently calls _assume_role unconditionally with an empty RoleArn). That is a separate follow-up bug; I will open a second issue + PR for it that Depends on this one.
Offer to fix
I have a fix ready (one-line change in detect_sources.py, plus ruff format); happy to open a PR referencing this issue. Tested locally with ruff check, ruff format --check, and py_compile.
Bug
When the AWS integration is configured with IAM user credentials (env
AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, or a storedaccess_key_id/secret_access_keyon the integration — i.e. norole_arn, no injected_backend),opensre investigateon a Kubernetes alert produces zero EKS tools in the plan. EKS pods / events / nodes are silently not investigated even whencluster_nameis present in the alert annotations and the credentials work for STS / EKS directly.Environment
main(reproduced on current HEAD as of 2026-04-21, also present in 0.x releases)opensre onboarding aws, choosing "access key / secret" (no role ARN), or via envAWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/AWS_REGION.Reproduction
Configure AWS integration with IAM user credentials, no role_arn:
opensre onboarding aws # enter access key / secret / region, skip role ARNRun investigate on a Kubernetes alert with
cluster_nameset:Expected: EKS appears in the detected sources; pods / events / node-health tools are planned.
Actual: EKS is silently skipped — the plan contains no EKS tools.
Root cause
app/integrations/catalog.py::resolve_integrationsalready lifts IAM-user credentials into_eks_int["credentials"](around L229-L235). Butapp/nodes/plan_actions/detect_sources.pyonly checks_eks_int.get("role_arn")or an injected_backendbefore entering the EKS branch (L660):IAM-user integrations have neither
role_arnnor_backend, so the EKS branch is skipped entirely — even thoughcredentialsare present and valid.This gate is the only remaining site that forgets
credentials; other gates already include it correctly:app/integrations/models.py::_require_auth_method—self.role_arn or self.credentials✔app/integrations/verify.py::_build_sts_client—if role_arn: ... else credentials branch✔app/cli/wizard/integration_health.py— same two-branch pattern ✔Proposed fix
Accept
_eks_int.get("credentials")as a third way to gate the EKS branch. Downstream code (L693) already tolerates an emptyrole_arnvia_eks_int.get("role_arn", ""), so no other change is required at the planning layer.This is a strict superset of the existing behaviour: every integration previously accepted is still accepted. The new branch only activates for integrations that already carry a
credentialsdict produced bycatalog.resolve_integrations.Related
The k8s client that actually consumes these credentials also needs to learn to honour them (it currently calls
_assume_roleunconditionally with an emptyRoleArn). That is a separate follow-up bug; I will open a second issue + PR for it thatDepends onthis one.Offer to fix
I have a fix ready (one-line change in
detect_sources.py, plusruff format); happy to open a PR referencing this issue. Tested locally withruff check,ruff format --check, andpy_compile.