By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

tenant isolation in AWS XRay backend

0

I require support for preserving traces from different teams in Xray with the following attributes. The XRay backend used to store all traces will be provisioned in a single centralized account. Note that applications are integrated with OpenTelemetry libraries and will be submitting traces to XRay using ADOT collector.

  • maintain separate keys, one per team, for encryption of trace data at rest
  • separate IAM roles to provision access of keys and trace data such a team cannot access traces from other teams.
  • maintain separate configurations for sampling rates, rate limits, quotas, etc.

A feasible option for implementing these requirements seems to be using tracing groups. Groups can be created using filter expressions based on certain pre-defined attributes in a trace such as service prefix, unique per team. However, XRay lacks configuring multiple keys for encrypting traces and IAM policies to control read access to traces and service graphs don't support resource level permissions or condition filters. There is also a limit of 25 groups per account. Due to these limitations, we cannot use groups.

Are there alternate approaches for implementing my aforementioned requirements?

Topics
Developer Tools
Tags
AWS X-Ray
Language
English
Sam
asked 2 years ago364 views
1 Answer
0

Good to receive this proposal. Could you clarify the requirement, make sure I understand correctly and see if there is workaround.

The trace data to be separated is from a single application or different applications?

  • If from different applications, the solution is by setup multiple otel collectors with different IAM role/credentials. So trace data can be emitted to different account and use different sampling rules.
  • If from a single application, though I think mostly single application does not make sense, can use filterprocessor to dispatch trace data to different awsxray exporters. The sampling rules have to be in one account because collector supports just one awsproxy extension.
service:
  pipelines:
    traces:
      receivers: [otlp]
      processors: [filterprocessor]
      exporters: [awsxray]
    traces/2:
      receivers: [otlp]
      processors: [filterprocessor/2]
      exporters: [awsxray/2]
AWS
AWS-User-3368379
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content