Commit a907cec

weichao committed
fix(eks): detect EKS source when AWS integration uses IAM user credentials
Problem
-------
When the AWS integration is configured with IAM user credentials (env AK/SK or stored access_key_id/secret_access_key), opensre does not register EKS as an investigable source. The investigation plan produces zero EKS tool calls even though a cluster_name is present in the alert annotations and the credentials would otherwise work.

Reproduction
------------
1. Configure AWS integration with access_key_id/secret_access_key (no role_arn, no injected _backend):

       opensre onboarding aws
       # enter access key / secret / region, skip role ARN

2. Run investigate on a kubernetes alert with cluster_name set:

       opensre investigate -i tests/e2e/kubernetes/fixtures/datadog_k8s_alert.json

3. Expected: EKS appears in detected sources and pods/events tools are planned.
   Actual: EKS is silently skipped; plan has no EKS tools.

Root Cause
----------
app/integrations/catalog.py (resolve_integrations) already lifts IAM user credentials into _eks_int["credentials"] (see L229-235), but detect_sources only checks _eks_int.get("role_arn") or an injected _backend before entering the EKS branch. IAM-user integrations have neither, so the branch is skipped entirely.

Fix
---
Accept _eks_int.get("credentials") as a third way to gate the EKS branch. The downstream code already tolerates an empty role_arn (L693 uses _eks_int.get("role_arn", "")), so no other change is required at the planning layer.

The k8s client that actually consumes these credentials still needs to learn to honour them — that is a separate bug tracked in the follow-up PR on app/services/eks/eks_k8s_client.py.

Risk / Backward Compatibility
-----------------------------
Strict superset of current behaviour: any integration previously accepted (role_arn or injected backend) is still accepted. The new branch only activates for integrations that already carry a credentials dict produced by catalog.resolve_integrations.
1 parent 14d0b2d commit a907cec

1 file changed

Lines changed: 3 additions & 1 deletion

app/nodes/plan_actions/detect_sources.py

@@ -657,7 +657,9 @@ def detect_sources(
657657
# the role_arn credential gate the same way the Grafana path does.
658658
_eks_int = (resolved_integrations or {}).get("aws")
659659
_has_injected_eks_backend = bool(_eks_int and "_backend" in _eks_int)
660-
if _eks_int and (_eks_int.get("role_arn") or _has_injected_eks_backend):
660+
if _eks_int and (
661+
_eks_int.get("role_arn") or _has_injected_eks_backend or _eks_int.get("credentials")
662+
):
661663
eks_cluster = annotations.get("eks_cluster") or annotations.get("cluster_name")
662664
# When a backend is injected but the alert omits cluster_name from its
663665
# annotations, fall back to the first cluster_names entry on the
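
Review bot: The added `_eks_int.get("credentials")` arm on new line 661 is a plain truthiness check, so any non-empty dict opens the EKS branch, including one whose key or secret values are empty; consider gating on the specific fields the client needs rather than on the dict itself. The context comment at line 657 still describes only "the role_arn credential gate" and should be updated to cover the injected-backend and IAM user credential arms now that the condition has three of them. The commit message states that the k8s client does not yet honour these credentials, so EKS tools planned through this arm may fail at execution until the follow-up lands; a short TODO next to the condition would make that dependency visible. This commit changes only detect_sources.py, so a test for the credentials-only integration (no role_arn, no `_backend`) is still missing.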
