Remove unused value_key, fix default refresh_interval in docs, reorder credential lookup

Author: mbokan

extension/basicauthextension/README.md

@@ -50,10 +50,9 @@ The extension supports fetching credentials from AWS Secrets Manager with automa
 
 - `secret_arn` (required): The ARN of the secret in AWS Secrets Manager.
 - `region` (required): The AWS region where the secret is stored.
-- `refresh_interval` (optional, default: `5m`): How often to re-fetch the secret.
+- `refresh_interval` (optional, default: `30m`): How often to re-fetch the secret.
 - `username_key` (required for client_auth): The JSON key containing the username.
 - `password_key` (required for client_auth): The JSON key containing the password.
-- `value_key` (optional for htpasswd): If set, treats the secret as JSON and extracts this key. Otherwise, the raw secret string is used as htpasswd content.
 
 The extension uses the AWS SDK's default credential chain (`aws-sdk-go-v2/config.LoadDefaultConfig`). This means the collector workload must have an IAM identity that grants `secretsmanager:GetSecretValue` on the target secret. If the secret is encrypted with a customer managed KMS key (CMK), the identity also needs `kms:Decrypt` on that key's ARN. In practice, attach an instance profile role (EC2), a pod identity or IRSA role (EKS), or a task role (ECS) to the workload running the collector.
 ## Configuration
@@ -93,7 +92,6 @@ extensions:
       aws_secret:
         secret_arn: "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-htpasswd"
         region: "us-east-1"
-        value_key: "htpasswd_content"
         refresh_interval: 5m
 
 receivers:

extension/basicauthextension/config.go

@@ -32,11 +32,10 @@ type AWSSecretClientConfig struct {
 }
 
 // AWSSecretHtpasswdConfig configures AWS Secrets Manager as a credential source for server auth.
-// The secret can be raw htpasswd content, or a JSON object with a field containing htpasswd content.
+// The secret value is used directly as htpasswd content.
 type AWSSecretHtpasswdConfig struct {
 	SecretARN       string        `mapstructure:"secret_arn"`
 	Region          string        `mapstructure:"region"`
-	ValueKey        string        `mapstructure:"value_key"`
 	RefreshInterval time.Duration `mapstructure:"refresh_interval"`
 }
 

extension/basicauthextension/config_test.go

@@ -71,7 +71,6 @@ func TestLoadConfig(t *testing.T) {
 					AWSSecret: &AWSSecretHtpasswdConfig{
 						SecretARN:       "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-htpasswd",
 						Region:          "us-east-1",
-						ValueKey:        "htpasswd_content",
 						RefreshInterval: 10 * time.Minute,
 					},
 				},

extension/basicauthextension/extension.go

@@ -207,28 +207,28 @@ func (ba *basicAuthClient) Shutdown(_ context.Context) error {
 }
 
 func (ba *basicAuthClient) Username() string {
-	if c := ba.creds.Load(); c != nil {
-		return c.username
-	}
 	if ba.usernameResolver != nil {
 		return ba.usernameResolver.Value()
 	}
-	if ba.clientAuth != nil {
+	if ba.clientAuth != nil && ba.clientAuth.Username != "" {
 		return ba.clientAuth.Username
 	}
+	if c := ba.creds.Load(); c != nil {
+		return c.username
+	}
 	return ""
 }
 
 func (ba *basicAuthClient) Password() string {
-	if c := ba.creds.Load(); c != nil {
-		return c.password
-	}
 	if ba.passwordResolver != nil {
 		return ba.passwordResolver.Value()
 	}
-	if ba.clientAuth != nil {
+	if ba.clientAuth != nil && string(ba.clientAuth.Password) != "" {
 		return string(ba.clientAuth.Password)
 	}
+	if c := ba.creds.Load(); c != nil {
+		return c.password
+	}
 	return ""
 }
 

extension/basicauthextension/testdata/config.yaml

@@ -32,5 +32,4 @@ basicauth/server_aws:
     aws_secret:
       secret_arn: "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-htpasswd"
       region: "us-east-1"
-      value_key: "htpasswd_content"
       refresh_interval: 10m