diff --git a/content/en/actions/connections/aws_integration.md b/content/en/actions/connections/aws_integration.md new file mode 100644 index 0000000000000..81a77c1e6e708 --- /dev/null +++ b/content/en/actions/connections/aws_integration.md @@ -0,0 +1,74 @@ +--- +title: Using AWS Integration in Actions +description: Use Datadog's built-in AWS Integration to run Workflows read Actions without additional configuration in AWS. +disable_toc: false +further_reading: +- link: "/actions/connections/" + tag: "Documentation" + text: "Find out more about connection credentials" +--- + +## Overview + +Datadog Workflows and Actions can use your existing **Datadog AWS integration credentials** to perform read-only operations in your AWS environment. +This eliminates the need to manually configure a separate AWS Connection, simplifying onboarding and allowing immediate access to your AWS data. + +When configured, Datadog uses the same AWS credentials that power integrations such as **Amazon EC2**, **RDS**, and **S3 monitoring** to securely execute supported read-only actions. + +
+This feature is limited to read-only AWS actions and AWS integrations configured with "Role Delegation" access type. It also requires that your Datadog AWS integration role has the appropriate permissions defined in AWS. All actions under the ViewOnlyAccess permissions should work, as long as the IAM role used by the AWS Integration has been granted the permissions needed, and that an Action exists for the operation. +
+ +## Supported use cases + +Examples include: + +- Listing or describing AWS resources (for example: `ListECSClusters`, `DescribeInstances`, `GetBucketPolicy`) +- Reading configurations or metadata from AWS services (for example: `GetFunctionConfiguration`, `ListSecrets`) +- Inspecting resource tags, metrics, or logs + +### Requirements + +To successfully execute actions with this integration: + +- The **AWS Integration IAM Role** configured for Role Delegation must have the permissions required for the operations desired (for example `ecs:ListClusters`). +- The selected action must be read-only. Write or mutating actions (such as `Put*`, `Delete*`, `Update*`) are not supported and fail when running. +- The user, user's team, or user's org **must** have been given explicit 'Executor' permission on the AWS Integration in Datadog (see next section for details). + +--- + +## Configuration + +### 1. Configure AWS Integration permissions + +Make sure that: +- The AWS integration is **active** for your target **AWS Account** and no integration issues are detected by Datadog. +- The **IAM Role** associated with the integration has the permissions for the operations (for example `ecs:ListClusters`). +- The integration is configured with the **Executor** permission in the Datadog AWS Integration configuration page (see below). + +To configure the **Executor** permission in Datadog AWS Integration: +- In Datadog, navigate to "Integrations" then open the "Amazon Web Services" configuration page. +- Select the AWS Account connected to Datadog that you want to run actions with. If you haven't already configured the AWS Integration, follow the [AWS Integration setup guide](https://docs.datadoghq.com/integrations/amazon_web_services/#setup). 
+- Click on "**Set Permissions**": + +{{< img src="service_management/aws_integration_tile_set_permission.png" alt="An integration on the AWS Integration configuration where the Set permission button is usable" style="width:100%;" >}} + +In the Permissions modal opened select a user, team or organization to be granted "**Executor**" permissions: + +{{< img src="service_management/aws_integration_tile_permission_modal.png" alt="A permission modal with Executor permission highlighted" style="width:100%;" >}} + +
+If instead of a **Set Permissions** button, you have a **Request Edit Access** button, you need to request the AWS Configuration Edit permission from an Admin in your organization. +
+ +### 2. Select the Integration in Action + +When creating or editing an Action within **Workflows**, you can choose your existing AWS integration in the Connections field. + +1. Open your Workflow in the Datadog UI. +2. Add an AWS Action (for example, **List ECS Clusters**). +3. In the **Connection** dropdown, select **Existing AWS Integration**. +4. Choose the AWS Account configured in your Datadog integration. + +{{< img src="service_management/aws_integration_connection_dropdown.png" alt="A Workflow Step configuration with a AWS Account: 0123456789101 Connection option" style="width:100%;" >}} + diff --git a/static/images/service_management/aws_integration_connection_dropdown.png b/static/images/service_management/aws_integration_connection_dropdown.png new file mode 100644 index 0000000000000..6e5d4c2c6bd60 Binary files /dev/null and b/static/images/service_management/aws_integration_connection_dropdown.png differ diff --git a/static/images/service_management/aws_integration_tile_permission_modal.png b/static/images/service_management/aws_integration_tile_permission_modal.png new file mode 100644 index 0000000000000..3cc4cc7e592ca Binary files /dev/null and b/static/images/service_management/aws_integration_tile_permission_modal.png differ diff --git a/static/images/service_management/aws_integration_tile_set_permission.png b/static/images/service_management/aws_integration_tile_set_permission.png new file mode 100644 index 0000000000000..24ed5d7917dcc Binary files /dev/null and b/static/images/service_management/aws_integration_tile_set_permission.png differ
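Review bot: The Requirements and Configuration sections of this hunk say Executor permission can be granted to a user, a team or the whole org, but never state that Executor lets that principal run every read-only action the delegated IAM role allows; add a sentence advising that Executor be scoped to the users or teams that actually run these workflows, and that the integration role carry only the read permissions the workflows need (for example `ecs:ListClusters`) rather than a broad policy such as ViewOnlyAccess, so the Datadog-side read-only check is not the only boundary. The read-only guarantee is also described twice with different wording ("are not supported and fail when running" in Requirements versus "should work, as long as" in the alert); clarify whether a mutating action is rejected before any AWS call is made or is attempted and then fails on IAM. Minor wording: the front-matter description "run Workflows read Actions" should read "run read-only Workflow Actions"; "and that an Action exists for the operation" should be "and an Action exists for the operation"; the last image alt text "a AWS Account" should be "an AWS Account".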