feat: Support credentials provider name for BedrockAgentCore Identity (#534)

*Description of changes:*
Bedrock AgentCore data plane calls do not provide credential ARNs but
instead provide credential provider names (see
[GetResourceOauth2Token](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/API_GetResourceOauth2Token.html#API_GetResourceOauth2Token_RequestSyntax)
and
[GetResourceApiKey](https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/API_GetResourceApiKey.html)).

This PR adds logic to also handle names for credential providers.

- Renamed `AWS_AUTH_CREDENTIAL_PROVIDER_ARN` to
`AWS_AUTH_CREDENTIAL_PROVIDER` to support both ARN and name formats
- Added mapping for `resourceCredentialProviderName` field in
BedrockAgentCore patch
- Enhanced credential provider type detection logic to handle name-only
identifiers using RPC method context
- Added tests for both ARN and name-based credential provider scenarios


```
{
    "name": "Bedrock AgentCore.GetResourceOauth2Token",
    "context": {
        "trace_id": "0x690c16ee2f248a4e86e5c13e2e626e20",
        "span_id": "0x1ed2e8bf53fa45fd",
        "trace_state": "[]"
    },
    "kind": "SpanKind.CLIENT",
    "parent_id": "0x914729048ec3381b",
    "start_time": "2025-11-06T03:33:02.736876Z",
    "end_time": "2025-11-06T03:33:02.739796Z",
    "status": {
        "status_code": "OK",
    },
    "attributes": {
        "rpc.system": "aws-api",
        "rpc.service": "Bedrock AgentCore",
        "rpc.method": "GetResourceOauth2Token",
        "aws.region": "us-east-1",
        "server.address": "bedrock-agentcore.us-east-1.amazonaws.com",
        "server.port": 443,
        "aws.auth.region": "us-east-1",
        "aws.auth.account.access_key": "[REDACTED]",
        "aws.auth.credential_provider": "test-oauth2-provider",
        "aws.local.operation": "GET /server_request",
        "aws.local.service": "UnknownService",
        "aws.remote.service": "AWS::BedrockAgentCore",
        "aws.remote.operation": "GetResourceOauth2Token",
        "aws.remote.resource.type": "AWS::BedrockAgentCore::OAuth2CredentialProvider",
        "aws.remote.resource.identifier": "test-oauth2-provider",
        "aws.remote.resource.cfn.primary.identifier": "test-oauth2-provider",
        "aws.remote.resource.account.access_key": "[REDACTED]",
        "aws.remote.resource.region": "us-east-1",
        "aws.span.kind": "CLIENT"
    },
    "links": [],
    "resource": {
        "attributes": {
            "telemetry.sdk.language": "python",
            "telemetry.sdk.name": "opentelemetry",
            "telemetry.sdk.version": "1.37.0",
            "service.name": "unknown_service",
            "telemetry.auto.version": "0.13.0.dev0-aws",
            "aws.local.service": "UnknownService"
        },
        "schema_url": ""
    }
}


```


```
{
    "name": "Bedrock AgentCore.GetResourceApiKey",
    "context": {
        "trace_id": "0x690c1776b6a22c4ac0d6cb9315a4b730",
        "span_id": "0x036b363af6af6695",
        "trace_state": "[]"
    },
    "kind": "SpanKind.CLIENT",
    "parent_id": "0xb4c143957c6cb110",
    "start_time": "2025-11-06T03:35:18.490547Z",
    "end_time": "2025-11-06T03:35:18.628436Z",
    "status": {
        "status_code": "OK"
    },
    "attributes": {
        "rpc.system": "aws-api",
        "rpc.service": "Bedrock AgentCore",
        "rpc.method": "GetResourceApiKey",
        "aws.region": "us-east-1",
        "server.address": "bedrock-agentcore.us-east-1.amazonaws.com",
        "server.port": 443,
        "aws.auth.region": "us-east-1",
        "aws.auth.account.access_key": "[REDACTED]",
        "aws.auth.credential_provider": "test-api-key-provider",
        "aws.local.operation": "GET /server_request",
        "aws.request_id": "5c0130a2-d29e-468a-abd4-86c73ff13f98",
        "retry_attempts": 0,
        "http.status_code": 200,
        "aws.local.service": "UnknownService",
        "aws.remote.service": "AWS::BedrockAgentCore",
        "aws.remote.operation": "GetResourceApiKey",
        "aws.remote.resource.type": "AWS::BedrockAgentCore::APIKeyCredentialProvider",
        "aws.remote.resource.identifier": "test-api-key-provider",
        "aws.remote.resource.cfn.primary.identifier": "test-api-key-provider",
        "aws.remote.resource.account.access_key": "[REDACTED]",
        "aws.remote.resource.region": "us-east-1",
        "aws.span.kind": "CLIENT"
    },
    "links": [],
    "resource": {
        "attributes": {
            "telemetry.sdk.language": "python",
            "telemetry.sdk.name": "opentelemetry",
            "telemetry.sdk.version": "1.37.0",
            "service.name": "unknown_service",
            "telemetry.auto.version": "0.13.0.dev0-aws",
            "aws.local.service": "UnknownService"
        },
        "schema_url": ""
    }
}


```



By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

Author: liustve

CHANGELOG.md

@@ -25,4 +25,6 @@ If your change does not need a CHANGELOG entry, add the "skip changelog" label t
   ([#522](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/522))
 - Bump ADOT Python version to 0.13.0 and OTel dependencies to 1.37.0/0.58b0
   ([#524](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/524))
+- Support credentials provider name for BedrockAgentCore Identity
+  ([#534](https://github.com/aws-observability/aws-otel-python-instrumentation/pull/534))
 

aws-opentelemetry-distro/src/amazon/opentelemetry/distro/_aws_attribute_keys.py

@@ -20,7 +20,7 @@
 # TODO：Move to Semantic Conventions when these attributes are added.
 AWS_AUTH_ACCESS_KEY: str = "aws.auth.account.access_key"
 AWS_AUTH_REGION: str = "aws.auth.region"
-AWS_AUTH_CREDENTIAL_PROVIDER_ARN: str = "aws.auth.credential_provider.arn"
+AWS_AUTH_CREDENTIAL_PROVIDER: str = "aws.auth.credential_provider"
 AWS_GATEWAY_TARGET_ID = "aws.gateway.target.id"
 AWS_SQS_QUEUE_URL: str = "aws.sqs.queue.url"
 AWS_SQS_QUEUE_NAME: str = "aws.sqs.queue.name"

aws-opentelemetry-distro/src/amazon/opentelemetry/distro/_aws_metric_attribute_generator.py

@@ -8,7 +8,7 @@
 
 from amazon.opentelemetry.distro._aws_attribute_keys import (
     AWS_AUTH_ACCESS_KEY,
-    AWS_AUTH_CREDENTIAL_PROVIDER_ARN,
+    AWS_AUTH_CREDENTIAL_PROVIDER,
     AWS_AUTH_REGION,
     AWS_BEDROCK_AGENT_ID,
     AWS_BEDROCK_AGENTCORE_BROWSER_ARN,
@@ -741,7 +741,9 @@ def _handle_browser_attrs(attrs: BoundedAttributes) -> tuple[Optional[str], Opti
         if browser_id:
             agentcore_cfn_identifier = str(browser_id)
         elif browser_arn:
-            agentcore_cfn_identifier = extract_bedrock_agentcore_resource_id_from_arn(str(browser_arn))
+            agentcore_cfn_identifier = RegionalResourceArnParser.extract_bedrock_agentcore_resource_id_from_arn(
+                str(browser_arn)
+            )
 
         # Uses browser ID as both resource identifier and CFN primary identifier.
         # aws.browser.v1 is a managed AWS resource, custom IDs are user-defined resources.
@@ -763,7 +765,9 @@ def _handle_gateway_attrs(attrs: BoundedAttributes) -> tuple[Optional[str], Opti
         if gateway_id:
             agentcore_cfn_identifier = str(gateway_id)
         elif gateway_arn:
-            agentcore_cfn_identifier = extract_bedrock_agentcore_resource_id_from_arn(str(gateway_arn))
+            agentcore_cfn_identifier = RegionalResourceArnParser.extract_bedrock_agentcore_resource_id_from_arn(
+                str(gateway_arn)
+            )
         else:
             agentcore_cfn_identifier = str(gateway_target_id)
 
@@ -778,7 +782,9 @@ def _handle_gateway_attrs(attrs: BoundedAttributes) -> tuple[Optional[str], Opti
         if gateway_id:
             agentcore_cfn_identifier = str(gateway_id)
         elif gateway_arn:
-            agentcore_cfn_identifier = extract_bedrock_agentcore_resource_id_from_arn(str(gateway_arn))
+            agentcore_cfn_identifier = RegionalResourceArnParser.extract_bedrock_agentcore_resource_id_from_arn(
+                str(gateway_arn)
+            )
 
         # Uses gateway ID as both resource identifier and CFN primary identifier.
         # If gateway ID is not available, extract it from the gateway ARN.
@@ -797,7 +803,9 @@ def _handle_runtime_attrs(attrs: BoundedAttributes) -> tuple[Optional[str], Opti
     runtime_endpoint_arn = attrs.get(AWS_BEDROCK_AGENTCORE_RUNTIME_ENDPOINT_ARN)
 
     if runtime_endpoint_arn:
-        agentcore_cfn_identifier = extract_bedrock_agentcore_resource_id_from_arn(str(runtime_endpoint_arn))
+        agentcore_cfn_identifier = RegionalResourceArnParser.extract_bedrock_agentcore_resource_id_from_arn(
+            str(runtime_endpoint_arn)
+        )
 
         # Uses extracted ID as resource identifier and full ARN as CFN primary identifier.
         return "RuntimeEndpoint", agentcore_cfn_identifier, str(runtime_endpoint_arn)
@@ -807,7 +815,9 @@ def _handle_runtime_attrs(attrs: BoundedAttributes) -> tuple[Optional[str], Opti
         if runtime_id:
             agentcore_cfn_identifier = str(runtime_id)
         elif runtime_arn:
-            agentcore_cfn_identifier = extract_bedrock_agentcore_resource_id_from_arn(str(runtime_arn))
+            agentcore_cfn_identifier = RegionalResourceArnParser.extract_bedrock_agentcore_resource_id_from_arn(
+                str(runtime_arn)
+            )
 
         # Uses runtime ID as both resource identifier and CFN primary identifier.
         # If runtime ID is not available, extract it from the runtime ARN.
@@ -829,7 +839,9 @@ def _handle_code_interpreter_attrs(attrs: BoundedAttributes) -> tuple[Optional[s
         if code_interpreter_id:
             agentcore_cfn_identifier = str(code_interpreter_id)
         elif code_interpreter_arn:
-            agentcore_cfn_identifier = extract_bedrock_agentcore_resource_id_from_arn(str(code_interpreter_arn))
+            agentcore_cfn_identifier = RegionalResourceArnParser.extract_bedrock_agentcore_resource_id_from_arn(
+                str(code_interpreter_arn)
+            )
 
         # Uses code interpreter ID as both resource identifier and CFN primary identifier.
         # aws.codeinterpreter.v1 is a managed AWS resource, custom IDs are user-defined resources.
@@ -844,22 +856,33 @@ def _handle_code_interpreter_attrs(attrs: BoundedAttributes) -> tuple[Optional[s
 def _handle_identity_attrs(attrs: BoundedAttributes) -> tuple[Optional[str], Optional[str], Optional[str]]:
     """
     Handler for BedrockAgentCore Identity resources.
-    Returns (resource_type, resource_identifier, cfn_primary_identifier).
     """
-    credential_arn = attrs.get(AWS_AUTH_CREDENTIAL_PROVIDER_ARN)
+    credentials_provider = attrs.get(AWS_AUTH_CREDENTIAL_PROVIDER)
+    rpc_method = attrs.get(_RPC_METHOD)
 
-    if credential_arn:
-        credential_arn_str = str(credential_arn)
+    if credentials_provider and rpc_method:
+        credentials_provider_str = str(credentials_provider)
+        rpc_method_str = str(rpc_method).lower()
         resource_type = None
-        if "apikeycredentialprovider" in credential_arn_str:
+
+        # Determine the credential provider type from the RPC method.
+        # The credential provider can be either an ARN or a name. While ARNs contain
+        # type information, names do not, so we infer the type from the API operation.
+        if "apikey" in rpc_method_str:
             resource_type = "APIKeyCredentialProvider"
-        elif "oauth2credentialprovider" in credential_arn_str:
+        elif "oauth2" in rpc_method_str:
             resource_type = "OAuth2CredentialProvider"
-        agentcore_cfn_identifier = extract_bedrock_agentcore_resource_id_from_arn(credential_arn_str)
 
-        # Uses extracted ID from credential ARN as both resource identifier and CFN primary identifier.
-        # Resource type is determined by credential provider type in the ARN.
-        return resource_type, agentcore_cfn_identifier, agentcore_cfn_identifier
+        if resource_type:
+            # CFN identifier is the credentials provider name.
+            # If the credentials provider is an ARN, we extract the name from the ARN.
+            agentcore_cfn_identifier = (
+                RegionalResourceArnParser.extract_bedrock_agentcore_resource_id_from_arn(credentials_provider_str)
+                or credentials_provider_str
+            )
+
+            # Uses credential name as both resource identifier and CFN primary identifier.
+            return resource_type, agentcore_cfn_identifier, agentcore_cfn_identifier
 
     return None, None, None
 
@@ -878,8 +901,9 @@ def _handle_memory_attrs(attrs: BoundedAttributes) -> tuple[Optional[str], Optio
         if memory_id:
             agentcore_cfn_identifier = str(memory_id)
         if memory_arn:
-            agentcore_cfn_identifier = agentcore_cfn_identifier or extract_bedrock_agentcore_resource_id_from_arn(
-                str(memory_arn)
+            agentcore_cfn_identifier = (
+                agentcore_cfn_identifier
+                or RegionalResourceArnParser.extract_bedrock_agentcore_resource_id_from_arn(str(memory_arn))
             )
             agentcore_cfn_primary_identifier = str(memory_arn)
 
@@ -890,14 +914,6 @@ def _handle_memory_attrs(attrs: BoundedAttributes) -> tuple[Optional[str], Optio
     return None, None, None
 
 
-def extract_bedrock_agentcore_resource_id_from_arn(arn: str) -> Optional[str]:
-    """Extract resource ID from ARN resource part."""
-    resource_part = RegionalResourceArnParser.extract_resource_name_from_arn(arn)
-    if not resource_part:
-        return None
-    return resource_part.split("/")[-1] if "/" in resource_part else resource_part
-
-
 def _log_unknown_attribute(attribute_key: str, span: ReadableSpan) -> None:
     message: str = "No valid %s value found for %s span %s"
     if _logger.isEnabledFor(DEBUG):

aws-opentelemetry-distro/src/amazon/opentelemetry/distro/patches/_bedrock_agentcore_patches.py

@@ -3,7 +3,7 @@
 from typing import Any, Dict
 
 from amazon.opentelemetry.distro._aws_attribute_keys import (
-    AWS_AUTH_CREDENTIAL_PROVIDER_ARN,
+    AWS_AUTH_CREDENTIAL_PROVIDER,
     AWS_BEDROCK_AGENTCORE_BROWSER_ARN,
     AWS_BEDROCK_AGENTCORE_CODE_INTERPRETER_ARN,
     AWS_BEDROCK_AGENTCORE_GATEWAY_ARN,
@@ -46,7 +46,8 @@
     "memory.arn": AWS_BEDROCK_AGENTCORE_MEMORY_ARN,
     "memory.id": GEN_AI_MEMORY_ID,
     "memoryId": GEN_AI_MEMORY_ID,
-    "credentialProviderArn": AWS_AUTH_CREDENTIAL_PROVIDER_ARN,
+    "credentialProviderArn": AWS_AUTH_CREDENTIAL_PROVIDER,
+    "resourceCredentialProviderName": AWS_AUTH_CREDENTIAL_PROVIDER,
     "workloadIdentityArn": AWS_BEDROCK_AGENTCORE_WORKLOAD_IDENTITY_ARN,
     "workloadIdentityDetails.workloadIdentityArn": AWS_BEDROCK_AGENTCORE_WORKLOAD_IDENTITY_ARN,
 }

aws-opentelemetry-distro/src/amazon/opentelemetry/distro/regional_resource_arn_parser.py

@@ -8,32 +8,41 @@
 class RegionalResourceArnParser:
     @staticmethod
     def get_account_id(arn: str) -> Optional[str]:
-        parts = _get_arn_parts(arn)
+        parts = RegionalResourceArnParser._get_arn_parts(arn)
         return parts[4] if parts else None
 
     @staticmethod
     def get_region(arn: str) -> Optional[str]:
-        parts = _get_arn_parts(arn)
+        parts = RegionalResourceArnParser._get_arn_parts(arn)
         return parts[3] if parts else None
 
     @staticmethod
     def extract_dynamodb_table_name_from_arn(arn: str) -> Optional[str]:
-        parts = _get_arn_parts(arn)
+        parts = RegionalResourceArnParser._get_arn_parts(arn)
         return parts[-1].replace("table/", "") if parts else None
 
     @staticmethod
     def extract_kinesis_stream_name_from_arn(arn: str) -> Optional[str]:
-        parts = _get_arn_parts(arn)
+        parts = RegionalResourceArnParser._get_arn_parts(arn)
         return parts[-1].replace("stream/", "") if parts else None
 
     @staticmethod
-    def extract_resource_name_from_arn(arn: str) -> Optional[str]:
-        parts = _get_arn_parts(arn)
+    def extract_bedrock_agentcore_resource_id_from_arn(arn: str) -> Optional[str]:
+        """Extract resource ID from ARN resource part."""
+        resource_part = RegionalResourceArnParser.extract_resource_name_from_arn(arn)
+        if resource_part is None:
+            return None
+        parts = resource_part.split("/")
         return parts[-1] if parts else None
 
+    @staticmethod
+    def extract_resource_name_from_arn(arn: str) -> Optional[str]:
+        parts = RegionalResourceArnParser._get_arn_parts(arn)
+        return parts[-1] if parts else None
 
-def _get_arn_parts(arn: str) -> Optional[list]:
-    if not arn or not arn.startswith("arn"):
-        return None
-    parts = arn.split(":")
-    return parts if len(parts) >= 6 and is_account_id(parts[4]) else None
+    @staticmethod
+    def _get_arn_parts(arn: str) -> Optional[list]:
+        if not arn or not arn.startswith("arn"):
+            return None
+        parts = arn.split(":")
+        return parts if len(parts) >= 6 and is_account_id(parts[4]) else None

aws-opentelemetry-distro/tests/amazon/opentelemetry/distro/patches/test_instrumentation_patch.py

@@ -8,7 +8,7 @@
 import opentelemetry.sdk.extension.aws.resource.ec2 as ec2_resource
 import opentelemetry.sdk.extension.aws.resource.eks as eks_resource
 from amazon.opentelemetry.distro._aws_attribute_keys import (
-    AWS_AUTH_CREDENTIAL_PROVIDER_ARN,
+    AWS_AUTH_CREDENTIAL_PROVIDER,
     AWS_BEDROCK_AGENTCORE_BROWSER_ARN,
     AWS_BEDROCK_AGENTCORE_CODE_INTERPRETER_ARN,
     AWS_BEDROCK_AGENTCORE_GATEWAY_ARN,
@@ -67,6 +67,7 @@
 _AGENTCORE_CREDENTIAL_PROVIDER_ARN: str = (
     "arn:aws:acps:us-east-1:123456789012:token-vault/test-vault/apikeycredentialprovider/test-provider"
 )
+_AGENTCORE_CREDENTIAL_PROVIDER_NAME: str = "test-oauth2-provider-123"
 _AGENTCORE_WORKLOAD_IDENTITY_ARN: str = "arn:aws:bedrock-agentcore:us-east-1:123456789012:workload-identity/test-wi"
 
 # Patch names
@@ -266,14 +267,24 @@ def _test_patched_botocore_instrumentation(self):
             AWS_GATEWAY_TARGET_ID: _AGENTCORE_TARGET_ID,
             GEN_AI_MEMORY_ID: _AGENTCORE_MEMORY_ID,
             AWS_BEDROCK_AGENTCORE_MEMORY_ARN: _AGENTCORE_MEMORY_ARN,
-            AWS_AUTH_CREDENTIAL_PROVIDER_ARN: _AGENTCORE_CREDENTIAL_PROVIDER_ARN,
+            AWS_AUTH_CREDENTIAL_PROVIDER: _AGENTCORE_CREDENTIAL_PROVIDER_ARN,
             AWS_BEDROCK_AGENTCORE_WORKLOAD_IDENTITY_ARN: _AGENTCORE_WORKLOAD_IDENTITY_ARN,
         }
 
         for attr_key, expected_value in expected_attrs.items():
             self.assertEqual(bedrock_agentcore_attributes[attr_key], expected_value)
             self.assertEqual(bedrock_agentcore_success_attributes[attr_key], expected_value)
 
+        # Test resourceCredentialProviderName
+        name_attrs = _do_extract_attributes(
+            "bedrock-agentcore", {"resourceCredentialProviderName": _AGENTCORE_CREDENTIAL_PROVIDER_NAME}
+        )
+        name_success_attrs = _do_on_success(
+            "bedrock-agentcore", {"resourceCredentialProviderName": _AGENTCORE_CREDENTIAL_PROVIDER_NAME}
+        )
+        self.assertEqual(name_attrs[AWS_AUTH_CREDENTIAL_PROVIDER], _AGENTCORE_CREDENTIAL_PROVIDER_NAME)
+        self.assertEqual(name_success_attrs[AWS_AUTH_CREDENTIAL_PROVIDER], _AGENTCORE_CREDENTIAL_PROVIDER_NAME)
+
         # BedrockRuntime
         self.assertTrue("bedrock-runtime" in _KNOWN_EXTENSIONS)