Use the AWS Integration in Actions
Overview
Datadog Workflows and Actions can use your existing Datadog AWS integration credentials to perform read-only operations in your AWS environment.
This eliminates the need to manually configure a separate AWS Connection, simplifying onboarding and allowing immediate access to your AWS data.
When configured, Datadog uses the same AWS credentials that power integrations such as Amazon EC2, RDS, and S3 monitoring to securely execute supported read-only actions.
There are two ways to execute AWS actions in your environment:
- Use the Datadog AWS Integration to execute Read-only actions allowed under the ViewOnlyAccess permissions policy.
- Or, use a custom AWS Connection linked to a dedicated AWS IAM Role with specific permissions, for operations not included in the ViewOnlyAccess permissions.
This guide walks through how to use the Datadog AWS Integration to execute Read-only actions allowed under the ViewOnlyAccess permissions policy. To execute other AWS actions, you need to create a custom Connection instead.
Supported use cases
Examples include:
- Listing or describing AWS resources (such as ListECSClusters, DescribeInstances, and GetBucketPolicy)
- Reading configurations or metadata from AWS services (such as GetFunctionConfiguration and ListSecrets)
- Inspecting resource tags, metrics, or logs
For other actions, use a dedicated Connection instead.
Requirements
To successfully execute actions with this integration:
- The AWS Integration IAM Role configured for Role Delegation must have the permissions required for the operations desired (such as ecs:ListClusters).
- The selected action must be read-only. Write or mutating actions (such as Put*, Delete*, and Update*) are not supported and fail when running.
- The user, user’s team, or user’s org must have been given explicit ‘Executor’ permission on the AWS Integration in Datadog (more details below).
Executing actions using the Datadog AWS Integration is only available for users that have set up the Datadog AWS Integration through role delegation. Additionally, while operations under the ViewOnlyAccess permissions are allowed, the IAM Role associated with the Datadog AWS Integration may not have the permissions needed. Make sure that the role has the correct permissions if you encounter issues.
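A pre-flight check for the requirements above, as an added example that is not Datadog's code: it evaluates a policy document against the IAM actions a workflow needs and flags operations with the mutating prefixes named above. The sample policy is constructed, the function names are hypothetical, and the evaluator is a simplification that ignores Resource, Condition, and NotAction.

```python
import fnmatch

# Operation-name prefixes the page lists as write/mutating (unsupported).
MUTATING_PREFIXES = ("Put", "Delete", "Update")

# Constructed sample: a policy as it might be attached to the integration role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "lambda:Get*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "secretsmanager:*"},
    ],
}

def _as_list(value):
    """IAM allows a single string/object where a list is also valid."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def is_allowed(policy, action):
    """Explicit Deny wins; otherwise any matching Allow grants the action.
    Simplification: Resource, Condition and NotAction are not evaluated."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        # IAM action names are case-insensitive; '*' and '?' are wildcards.
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def preflight(policy, actions):
    """Classify each 'service:Operation' the workflow needs (hypothetical helper)."""
    report = {}
    for action in actions:
        operation = action.split(":", 1)[1]
        if operation.startswith(MUTATING_PREFIXES):
            report[action] = "unsupported: mutating action"
        elif is_allowed(policy, action):
            report[action] = "ok"
        else:
            report[action] = "missing IAM permission"
    return report

if __name__ == "__main__":
    needed = ["ecs:ListClusters", "ec2:DescribeInstances", "s3:GetBucketPolicy",
              "secretsmanager:ListSecrets", "s3:PutBucketPolicy"]
    for action, status in preflight(SAMPLE_POLICY, needed).items():
        print(f"{action:32} {status}")
```

To run it against a real role, replace SAMPLE_POLICY with the policy JSON exported from the role; a "missing IAM permission" result for an action the workflow needs points at the role rather than at Datadog.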
Configuration
Before getting started, make sure these conditions have been met:
- The AWS integration is active for your target AWS Account and no integration issues are detected by Datadog. If you haven't set up the AWS integration yet, you can follow the AWS integration setup guide.
- The IAM Role associated with the integration has the permissions for the correct operations (for example ecs:ListClusters).
- You have access to edit the permissions for the AWS account(s) you want to set up.
To configure the Executor permission for the Datadog AWS Integration:
- In Datadog, navigate to Integrations.
- Click the Amazon Web Services integration.
- In the left pane, select the AWS Account you want to run actions with.
- Click Set Permissions.
- If you see a Request Edit Access button instead of a Set Permissions button, ask your Datadog organization’s admin to add you as an Editor for the AWS account.
- Select a user, team, or organization and click Add.
- Under People with access, select the Executor permission.
- Click Save.
2. Add the integration to an action
- In Workflow Automation, click the workflow you want to edit.
- Add an AWS action, such as List ECS Clusters.
- In the configuration pane, click the Connection dropdown and scroll to Existing AWS Integrations.
- Select the AWS Account you configured in step one.
- Click Save.