fix: gracefully handle an error retrieving auth info from AWS Secrets Manager (#401)

* fix: gracefully handle an error retrieving auth info from AWS Secrets Manager

If there is an error retrieving an APM auth secret from AWS Secrets
Manager (attempted when ELASTIC_APM_SECRETS_MANAGER_API_KEY_ID or ELASTIC_APM_SECRETS_MANAGER_SECRET_TOKEN_ID
are provided), then the extension will now *log a warning* rather
than erroring out.

This allows the Lambda function to still work. Only the reporting of
APM server data will fail (with a 403). This was already the behavior
for an invalid ELASTIC_APM_SECRET_TOKEN.

Author: trentm

CHANGELOG.asciidoc

@@ -22,6 +22,10 @@
 
 https://github.com/elastic/apm-aws-lambda/compare/v1.4.0...main[View commits]
 
+[float]
+===== Bug fixes
+- Log a warning, instead of failing a Lambda function, if auth retrieval from AWS Secrets Manager fails. Reporting APM data will not work, but the Lambda function invocations will proceed. {lambda-pull}401[401]
+
 [float]
 [[lambda-1.4.0]]
 === 1.4.0 - 2023/05/03

app/aws.go

@@ -36,22 +36,24 @@ func loadAWSOptions(ctx context.Context, cfg aws.Config, logger *zap.SugaredLogg
 	if apmServerApiKeySMSecretId, ok := os.LookupEnv("ELASTIC_APM_SECRETS_MANAGER_API_KEY_ID"); ok {
 		result, err := loadSecret(ctx, manager, apmServerApiKeySMSecretId)
 		if err != nil {
-			return "", "", fmt.Errorf("failed loading APM Server ApiKey from Secrets Manager: %w", err)
+			logger.Warnf("Could not load APM API key from AWS Secrets Manager. Reporting APM data will likely fail. Is 'ELASTIC_APM_SECRETS_MANAGER_API_KEY_ID=%s' correct? See https://www.elastic.co/guide/en/apm/lambda/current/aws-lambda-secrets-manager.html. Error message: %v", apmServerApiKeySMSecretId, err)
+			apmServerApiKey = ""
+		} else {
+			logger.Infof("Using the APM API key retrieved from AWS Secrets Manager.")
+			apmServerApiKey = result
 		}
-
-		logger.Infof("Using the APM API key retrieved from Secrets Manager.")
-		apmServerApiKey = result
 	}
 
 	apmServerSecretToken := os.Getenv("ELASTIC_APM_SECRET_TOKEN")
 	if apmServerSecretTokenSMSecretId, ok := os.LookupEnv("ELASTIC_APM_SECRETS_MANAGER_SECRET_TOKEN_ID"); ok {
 		result, err := loadSecret(ctx, manager, apmServerSecretTokenSMSecretId)
 		if err != nil {
-			return "", "", fmt.Errorf("failed loading APM Server Secret Token from Secrets Manager: %w", err)
+			logger.Warnf("Could not load APM secret token from AWS Secrets Manager. Reporting APM data will likely fail. Is 'ELASTIC_APM_SECRETS_MANAGER_SECRET_TOKEN_ID=%s' correct? See https://www.elastic.co/guide/en/apm/lambda/current/aws-lambda-secrets-manager.html. Error message: %v", apmServerSecretTokenSMSecretId, err)
+			apmServerSecretToken = ""
+		} else {
+			logger.Infof("Using the APM secret token retrieved from AWS Secrets Manager.")
+			apmServerSecretToken = result
 		}
-
-		logger.Infof("Using the APM secret token retrieved from Secrets Manager.")
-		apmServerSecretToken = result
 	}
 
 	return apmServerApiKey, apmServerSecretToken, nil