Remote Configuration for Fleet Automation

This page covers configuring and using Remote Configuration enables users to remotely configure and change the behavior of Datadog components deployed in their environment.Glossary with Fleet Automation. The following Fleet Automation features require Remote Configuration:

FeatureDescriptionMinimum Agent Version
Agent flaresSend a flare from the Datadog site using Fleet Automation7.47+
7.66+ recommended
Agent upgradesRemotely upgrade your Agents7.66+
Agent configuration
(PREVIEW indicates an early access version of a major product or feature that you can opt into before its official release.Glossary)		Remotely configure your Agents7.66+

Datadog recommends upgrading your Agents regularly to make sure you have access to the latest features.

Prerequisites

  • Datadog recommends Datadog Agent version 7.66 or later. Although some features might work with earlier versions of the Agent, version 7.66 introduced breaking changes to Remote Agent Management.
  • Ensure your RBAC permissions include org_management, so you can enable Remote Configuration for your organization.
  • Ensure your RBAC permissions include api_keys_write, so you can create a new API key with the Remote Configuration capability, or add the capability to an existing API key. Contact your organization’s Datadog administrator to update your permissions if you don’t have it. A key with this capability allows you to authenticate and authorize your Agent to use Remote Configuration.

Enable Remote Configuration

In most cases, Remote Configuration is enabled by default for your organization. You can check if Remote Configuration is enabled on your organization from the Remote Configuration settings page. If you need to enable it:

  1. Ensure your RBAC permissions include org_management, so you can enable Remote Configuration for your organization.
  2. From your Organization Settings page, enable Remote Configuration. This enables Datadog components across your organization to receive configurations from Datadog.

Agent Remote Configuration status

You can gain visibility into the Remote Configuration status of your Agent using the Remote Configuration UI.

The following table describes the meaning of each Agent status:

Agent StatusDescription
CONNECTEDThe Agent deployed in your environment is able to reach, authenticate, and authorize successfully to Datadog. This is the optimal state you want your Agents to be in for Remote Configuration.
UNAUTHORIZEDThe Agent deployed in your environment is able to reach Datadog but is not able to authenticate and authorize with Datadog for Remote Configuration operation. The most likely cause is the API Key used by the Agent is not Remote Configuration-enabled. To fix the issue, enable Remote Configuration capability on the API Key used by the Agent.
CONNECTION ERRORThe Agent deployed in your environment has remote_config.enabled set to true in its datadog.yaml configuration file, however, the Agent cannot be found in the Remote Configuration service. The most likely cause is that the Agent is unable to reach Remote Configuration endpoints. To fix the issue, allow outbound HTTPS access to Remote Configuration endpoints from your environment. This status displays when the Agent version is 7.45.0 or higher.
DISABLEDThe Agent deployed in your environment has remote_config.enabled set to false in its datadog.yaml configuration file. Set remote_config.enabled to true if you want to enable Remote Configuration on the Agent. This status displays when the Agent version is 7.45.0 or higher.
NOT CONNECTEDThe Agent cannot be found in the Remote Configuration service and could have remote_config.enabled set to true or false in its datadog.yaml configuration file. Check your local Agent configuration or your proxy settings. This status displays when the Agent version is higher than 7.41.1 but lower than 7.45.0.
UNSUPPORTED AGENTThe Agent is on a version that is not Remote Configuration capable. To fix this issue, update the Agent to the latest available version.

Opting out of Remote Configuration for Fleet Automation

You can disable Remote Configuration capabilities:

  • at the API key level
  • at the Agent level
  • at the organization level (not recommended)

At the API key level

Disable the API key of your choice on the API Keys page. You need the api_keys_write permission to disable Remote Configuration on an API key.

At the Agent level

Starting with Agent version 7.47.0, remote_configuration.enabled is set to true by default in the Agent. This setting causes the Agent to request configuration updates from the Datadog site.

If you don’t want your Agent to send configuration requests to Datadog, you can set remote_configuration.enabled to false in the Agent.

    Change remote_configuration.enabled from true to false in your configuration YAML file:

    remote_configuration:
  enabled: false

    Add the following to your Datadog Agent manifest:

    DD_REMOTE_CONFIGURATION_ENABLED=false

    Add the following to your Helm chart:

    datadog:
  remoteConfiguration:
    enabled: false

    At the organization level

    Datadog does not recommend disabling Remote Configuration at the organization level. Disabling Remote Configuration at the organization level prevents Datadog components in several products across your organization from receiving configurations from Datadog.

    To disable Remote Configuration at the organization level:

    1. Ensure you have the required org_management permission.
    2. Go to the Remote Configuration settings page.
    3. Click Disable.
    4. When the warning message appears, click Disable again.

    Troubleshooting

    If you experience issues using Remote Configuration with your Agents, use the following troubleshooting guidelines. If you need further assistance, contact Datadog support.

    Restart the Agent

    After the Agent configuration is updated in the [datadog.yaml][16] file, restart the Agent for the change to take effect.

    Ensure Datadog Remote Configuration endpoints are reachable from your environment

    To use Remote Configuration, the Agent deployed in your environment needs access to the Datadog Remote Configuration endpoints. For a private network connection between your environment and Datadog, you can also connect to Remote Configuration Virtual Private Cloud endpoints. Ensure that outbound HTTPS has access to Remote Configuration endpoints from your environment. If you also have a proxy in between Datadog and your environment, update your proxy settings to incorporate Remote Configuration endpoints.

    Enable Remote Configuration on the API key

    To authenticate and authorize the Agent to receive configuration, enable Remote Configuration on the relevant API Key. Only users who have the api_keys_write RBAC permission can enable Remote Configuration on the API Key.

    Note: If you have api_keys_write RBAC permission, but are missing Remote Configuration Organization level permissions, you cannot enable Remote Configuration on a new or an existing API Key. You only have permission to disable Remote Configuration on an existing API Key.

    Further reading

    Additional helpful documentation, links, and articles:

    Find out more about Remote ConfigurationDOCUMENTATION more more Fleet AutomationDOCUMENTATION more more Learn about the Agent configuration viewDOCUMENTATION more more Centrally govern and remotely manage Datadog Agents at scale with Fleet AutomationBLOG more more