Skip to content

Add execution_role_arn setting for two-role EB Scheduler model#2109

Merged
riysaxen-amzn merged 1 commit intoopensearch-project:mainfrom
riysaxen-amzn:feature/eb-scheduler-crud
Apr 29, 2026
Merged

Add execution_role_arn setting for two-role EB Scheduler model#2109
riysaxen-amzn merged 1 commit intoopensearch-project:mainfrom
riysaxen-amzn:feature/eb-scheduler-crud

Conversation

@riysaxen-amzn
Copy link
Copy Markdown
Collaborator

@riysaxen-amzn riysaxen-amzn commented Apr 28, 2026
edited
Loading

Add a separate execution_role_arn setting that specifies the IAM role EventBridge Scheduler assumes when a schedule fires (Target.roleArn). This enables a two-role security model where:

  • role_arn: assumed by the coordinator via STS to manage schedules
  • execution_role_arn: assumed by EB Scheduler to invoke the target

Description

[Describe what this change achieves]

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

eirsep
eirsep reviewed Apr 29, 2026
View reviewed changes
Comment thread alerting/src/main/kotlin/org/opensearch/alerting/service/ExternalSchedulerService.kt Outdated
return Target.builder()
.arn(EB_SQS_UNIVERSAL_TARGET_ARN)
.roleArn(routing.roleArn)
.roleArn(routing.executionRoleArn ?: routing.roleArn)
Copy link
Copy Markdown
Member

@eirsep eirsep Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need this fall back?

eirsep
eirsep reviewed Apr 29, 2026
View reviewed changes
Comment thread alerting/src/main/kotlin/org/opensearch/alerting/settings/AlertingSettings.kt Outdated
Setting.Property.NodeScope, Setting.Property.Dynamic
)

/** IAM role ARN that EventBridge Scheduler assumes at fire time (Target.roleArn). Falls back to role_arn if blank. */
Copy link
Copy Markdown
Member

@eirsep eirsep Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need a fall back. why can't we mandate the setting?

@riysaxen-amzn riysaxen-amzn force-pushed the feature/eb-scheduler-crud branch from 4865235 to 385d9f4 Compare April 29, 2026 00:24
@riysaxen-amzn
Add execution_role_arn setting for two-role EB Scheduler model
3035e12 
Add a separate execution_role_arn setting that specifies the IAM role
EventBridge Scheduler assumes at fire time (Target.roleArn). Both
role_arn and execution_role_arn are required when external scheduler is
enabled — resolve() returns null (skipping EB operations) if either is
blank.

Signed-off-by: Riya Saxena <riysaxen@amazon.com>
@riysaxen-amzn riysaxen-amzn force-pushed the feature/eb-scheduler-crud branch from 385d9f4 to 3035e12 Compare April 29, 2026 00:33
@riysaxen-amzn riysaxen-amzn merged commit 7851bf8 into opensearch-project:main Apr 29, 2026
16 of 23 checks passed
@riysaxen-amzn
Copy link
Copy Markdown
Collaborator Author

riysaxen-amzn commented Apr 29, 2026

Multi node tests were failing due to this flaky test failure

ask :alerting:integTest

MonitorRestApiIT > test delete monitor moves alerts FAILED
    java.lang.AssertionError: Active alert was not deleted expected:<0> but was:<1>
        at __randomizedtesting.SeedInfo.seed([EEF3185C3FC704B8:FED72CBF4761E808]:0)
        at org.junit.Assert.fail(Assert.java:89)
        at org.junit.Assert.failNotEquals(Assert.java:835)
        at org.junit.Assert.assertEquals(Assert.java:120)
        at org.opensearch.alerting.resthandler.MonitorRestApiIT.test delete monitor moves alerts(MonitorRestApiIT.kt:908)

Mentioning the ->
PR: Replace _id sort with _seq_no in JobSweeper to fix fielddata error (#2039) which changed the JobSweeper's sort field from _id to _seq_no to fix a fielddata error.
This changed how the sweeper queries and processes documents, which could subtly affect sweep timing in multi-node clusters.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eirsep eirsep eirsep approved these changes

@engechas engechas engechas approved these changes

@lezzago lezzago Awaiting requested review from lezzago lezzago is a code owner

@AWSHurneyt AWSHurneyt Awaiting requested review from AWSHurneyt AWSHurneyt is a code owner

@getsaurabh02 getsaurabh02 Awaiting requested review from getsaurabh02 getsaurabh02 is a code owner

@bowenlan-amzn bowenlan-amzn Awaiting requested review from bowenlan-amzn bowenlan-amzn is a code owner

@rishabhmaurya rishabhmaurya Awaiting requested review from rishabhmaurya rishabhmaurya is a code owner

@amsiglan amsiglan Awaiting requested review from amsiglan amsiglan is a code owner

@goyamegh goyamegh Awaiting requested review from goyamegh goyamegh is a code owner

@toepkerd toepkerd Awaiting requested review from toepkerd toepkerd is a code owner

@vikhy-aws vikhy-aws Awaiting requested review from vikhy-aws vikhy-aws is a code owner

@manaswini1920 manaswini1920 Awaiting requested review from manaswini1920 manaswini1920 is a code owner

@nishtham-amazon nishtham-amazon Awaiting requested review from nishtham-amazon nishtham-amazon is a code owner

@KashKondaka KashKondaka Awaiting requested review from KashKondaka KashKondaka is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@riysaxen-amzn @eirsep @engechas