You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/en/agent/configuration/secrets-management.md
+21-23Lines changed: 21 additions & 23 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ algolia:
13
13
14
14
## Overview
15
15
16
-
The Datadog Agent allows you to securely manage secrets by integrating with any external secrets management solution (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, a custom solution...). Instead of hardcoding sensitive values like API keys or passwords in plaintext within configuration files, the Agent can retrieve them dynamically at runtime.
16
+
The Datadog Agent allows you to securely manage secrets by integrating with any external secrets management solution (such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or a custom solution). Instead of hardcoding sensitive values like API keys or passwords in plaintext within configuration files, the Agent can retrieve them dynamically at runtime.
17
17
18
18
### How it works
19
19
@@ -27,22 +27,22 @@ instances:
27
27
password: "ENC[db_prod_password]"
28
28
```
29
29
30
-
The secret handle must make up the full value of the YAML field and is always resolved as strings. This means configurations like `password: "db-ENC[prod_password]"` are not be recognized as secrets.
30
+
The secret handle must make up the full value of the YAML field and is always resolved as strings. This means configurations like `password: "db-ENC[prod_password]"` are not recognized as secrets.
31
31
32
32
You can use any characters inside the `ENC[]` brackets as long as the YAML is valid. If your secret ID includes special characters or is a JSON string, make sure to properly escape it. For example:
It's also possible to use [Autodiscovery](/agent/kubernetes/integrations/) variables in secret handles. The Agent resolves these variables before resolving the secret. For example:
37
+
It's also possible to use [Autodiscovery][1] variables in secret handles. The Agent resolves these variables before resolving the secret. For example:
38
38
```
39
39
instances:
40
40
- server: %%host%%
41
41
user: ENC[db_prod_user_%%host%%]
42
42
password: ENC[db_prod_password_%%host%%]
43
43
```
44
44
45
-
However, note that you cannot use the `ENC[]` syntax in `secret_*` settings like `secret_backend_command`.
45
+
**Note**: You cannot use the `ENC[]` syntax in `secret_*` settings like `secret_backend_command`.
46
46
47
47
### Agent security requirements
48
48
@@ -64,7 +64,7 @@ On Windows, the executable must:
64
64
65
65
* Have read/exec for `ddagentuser` (the user used to run the Agent).
66
66
* Have no rights for any user or group except for the `Administrators` group, the built-in `Local System` account, or the Agent user context (`ddagentuser` by default)
67
-
* Be a valid Win32 application so the Agent can execute it (a PowerShell or Python script would not work for example).
67
+
* Be a valid Win32 application so the Agent can execute it (for example, a PowerShell or Python script doesn't work).
68
68
69
69
{{% /tab %}}
70
70
{{< /tabs >}}
@@ -98,11 +98,9 @@ The executable should respond through STDOUT:
98
98
}
99
99
```
100
100
101
-
102
101
*`value` (string): the secret value to be used in the configurations. This can be `null` in the case of an error.
103
102
*`error` (string): an error message or `null`.
104
103
105
-
106
104
If a secret fails to resolve (either by returning a non-zero exit code or a non-null error), the related configuration is ignored by the Agent.
107
105
108
106
**Never output sensitive information on `stderr`**. If the binary exits with a different status code than `0`, the Agent logs the standard error output of the executable to ease troubleshooting.
Kubernetes supports [exposing Secrets as files](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume) inside a pod that the Agent can read to resolve secrets.
141
+
Kubernetes supports [exposing Secrets as files][2] inside a pod that the Agent can read to resolve secrets.
144
142
145
143
In Kubernetes, you can mount a Secret as a volume like this:
- The Secret must exist in the same namespace as the pod it is being mounted in.
167
165
- The script is able to access all subfolders, including the sensitive `/var/run/secrets/kubernetes.io/serviceaccount/token`. As such, Datadog recommends using a dedicated folder instead of `/var/run/secrets`.
168
166
169
-
[Docker swarm secrets](https://docs.docker.com/engine/swarm/secrets/) are mounted in the `/run/secrets` folder. For example, the Docker secret `db_prod_passsword` is located in `/run/secrets/db_prod_password` in the Agent container. This would be referenced in the configuration with `ENC[file@/run/secrets/db_prod_password]`.
167
+
[Docker swarm secrets][3] are mounted in the `/run/secrets` folder. For example, the Docker secret `db_prod_passsword` is located in `/run/secrets/db_prod_password` in the Agent container. This would be referenced in the configuration with `ENC[file@/run/secrets/db_prod_password]`.
170
168
171
-
**Example: Reading a Kubernetes Secret Across Namespaces**
169
+
#### Example: Reading a Kubernetes secret across namespaces
172
170
173
171
If you want the Agent to read a Secret from a different namespace, use the `k8s_secret@` prefix. For example:
174
172
```
@@ -208,7 +206,7 @@ This `Role` gives access to the `Secret: database-secret` in the `Namespace: dat
208
206
209
207
### Option 2: Using a prebuilt executable
210
208
211
-
If you're using a standard secrets provider like `AWS Secrets Manager`, `AWS SSM` or other, you can use the prebuilt [datadog-secret-backend](https://github.com/DataDog/datadog-secret-backend) executable.
209
+
If you're using a standard secrets provider like `AWS Secrets Manager`, `AWS SSM` or other, you can use the prebuilt [datadog-secret-backend][4] executable.
212
210
213
211
Here's an example showing how to set it up:
214
212
@@ -233,15 +231,13 @@ Here's an example showing how to set it up:
233
231
]
234
232
}
235
233
```
236
-
3. Download the binary to your EC2 instance and configure it at /datadog-secret-backend.yaml:
237
234
238
-
3. Download the latest release of `datadog-secret-backend` on your EC2 instance and create its configuration `datadog-secret-backend.yaml` next to the binary (more information [at this link](https://github.com/DataDog/datadog-secret-backend/blob/main/docs/aws/secrets.md)):
235
+
3. Download the latest release of [datadog-secret-backend][5] on your EC2 instance and create its configuration `datadog-secret-backend.yaml` next to the binary. The following example shows a configuration for a backend of type `aws.secrets` under the name `staging-aws`:
239
236
```
240
237
backends:
241
238
staging-aws:
242
239
backend_type: aws.secrets
243
240
```
244
-
We are configuring one backend of type `aws.secrets` under the name `staging-aws`
245
241
4. Set the correct access rights for the binary as described in [Agent security requirements](#agent-security-requirements):
246
242
```
247
243
$> chown dd-agent:dd-agent datadog-secret-backend
@@ -322,7 +318,6 @@ instances:
322
318
password: decrypted_db_prod_password
323
319
```
324
320
325
-
326
321
## Refreshing API/APP keys at runtime
327
322
328
323
Starting in Agent version v7.67, you can configure the Agent to refresh its API and APP keys at regular intervals without requiring a restart. This relies on the API key and APP key being pulled as secrets.
@@ -416,7 +411,6 @@ Secrets handle decrypted:
416
411
{{% /tab %}}
417
412
{{< /tabs >}}
418
413
419
-
420
414
### Seeing configurations after secrets were injected
421
415
422
416
To quickly see how the check's configurations are resolved, you can use the `configcheck` command:
The `dd-agent` user is created when you install the Datadog Agent.
461
455
462
-
463
456
{{% /tab %}}
464
457
{{% tab "Windows" %}}
465
-
**Windows**
466
458
467
-
##### Rightsrelated errors
459
+
##### Rights-related errors
468
460
469
-
If you encounter one of the following errors, then something is missing in your setup. See the [Windows instructions](#windows).
461
+
The following errors indicate that something is missing in your setup.
470
462
471
463
1. If any other group or user than needed has rights on the executable, a similar error to the following is logged:
472
464
```
@@ -556,7 +548,6 @@ exit code:
556
548
{{% /tab %}}
557
549
{{< /tabs >}}
558
550
559
-
560
551
### Agent refusing to start
561
552
562
553
The first thing the Agent does on startup is to load `datadog.yaml` and decrypt any secrets in it. This is done before setting up the logging. This means that on platforms like Windows, errors occurring when loading `datadog.yaml` aren't written in the logs, but on `stderr`. This can occur when the executable given to the Agent for secrets returns an error.
@@ -573,7 +564,7 @@ When reading Secrets directly from Kubernetes you can double check your permissi
573
564
kubectl auth can-i get secret/<SECRET_NAME> -n <SECRET_NAMESPACE> --as system:serviceaccount:<AGENT_NAMESPACE>:<AGENT_SERVICE_ACCOUNT>
574
565
```
575
566
576
-
Consider the previous [Kubernetes Secrets example](#read-from-kubernetes-secret-example), where the Secret `Secret:database-secret` exists in the `Namespace: database`, and the Service Account `ServiceAccount:datadog-agent` exists in the `Namespace: default`.
567
+
Consider the previous [Kubernetes Secrets example](#example-reading-a-kubernetes-secret-across-namespaces), where the Secret `Secret:database-secret` exists in the `Namespace: database`, and the Service Account `ServiceAccount:datadog-agent` exists in the `Namespace: default`.
577
568
578
569
In this case, use the following command:
579
570
@@ -586,3 +577,10 @@ This command returns whether the permissions are valid for the Agent to view thi
0 commit comments