
Overview

The Observability Pipelines Worker helps you securely manage your secrets by integrating with the following secrets management solutions:

  • AWS Secrets Manager
  • AWS Systems Manager
  • Azure Key Vault
  • HashiCorp Vault
  • JSON File
  • YAML File

Configure the Worker to retrieve secrets

Set up an AWS instance profile

Datadog recommends using the instance profile method of retrieving secrets because AWS handles all environment variables and session profiles for you. See the official AWS Secrets Manager documentation for setup instructions.

Configure the Worker to use AWS Secrets Manager

After you install the Worker, configure the Worker’s bootstrap file to resolve secrets using AWS Secrets Manager:

secret:
  backend_type: aws.secrets
  backend_config:
    aws_session:
      aws_region: <region_name>

Before you install the Worker, add the bootstrap configuration to the datadog.bootstrap.config section of the Helm chart values.yaml file:

bootstrap:
  config:
    secret:
      backend_type: aws.secrets
      backend_config:
        aws_session:
          aws_region: <region_name>

The following aws_session settings are available:

Setting                  Description
aws_region               AWS Region
aws_profile              AWS Session Profile
aws_role_arn             AWS sts:AssumeRole ARN
aws_external_id          AWS sts:AssumeRole ExternalId
aws_access_key_id        AWS IAM User Access Key ID
aws_secret_access_key    AWS IAM User Access Key Secret

In most cases, you need to specify aws_region to correspond to the region hosting the Secrets Manager secret.

When a secret is a single string rather than a JSON document, the backend configuration setting force_string: true makes the Worker treat the secret as a plain string value.
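The following bootstrap fragment is an added example, not from the Datadog documentation, that combines the aws_session settings from the table above into a least-privilege layout: the Worker runs under an instance profile (so no aws_access_key_id or aws_secret_access_key is written to disk) and assumes a dedicated secrets-reading role protected by an external ID. The role name, account ID and external ID are placeholders, and the placement of force_string directly under backend_config follows the description above.

```yaml
secret:
  backend_type: aws.secrets
  backend_config:
    # Single-string secrets are returned as plain strings instead of being parsed as JSON.
    force_string: true
    aws_session:
      aws_region: <region_name>
      # Assumption: the instance profile's role is trusted to assume this reader role,
      # whose policy allows only secretsmanager:GetSecretValue on the secrets the Worker needs.
      aws_role_arn: arn:aws:iam::<account_id>:role/<secrets-reader-role>
      # The external ID must match the condition in the reader role's trust policy;
      # it prevents a confused-deputy assumption of the role from another account.
      aws_external_id: <external_id>
      # aws_access_key_id / aws_secret_access_key are intentionally absent: static IAM user
      # keys in the bootstrap file are long-lived credentials that would have to be rotated by hand.
```

Keep the reader role's policy scoped to the specific secret ARNs rather than a wildcard, and grant the instance profile nothing beyond sts:AssumeRole on that role, so a compromised Worker host cannot read other secrets in the account.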

Set up an AWS instance profile

Datadog recommends using the instance profile method of retrieving secrets because AWS handles all environment variables and session profiles for you. See the official AWS Systems Manager Parameter Store documentation for setup instructions.

Configure the Worker to use AWS Systems Manager

After you install the Worker, configure the Worker’s bootstrap file to resolve secrets using AWS Systems Manager:

secret:
  backend_type: aws_parameter_store
  backend_config:
    aws_session:
      aws_region: <region_name>

Before you install the Worker, add the bootstrap configuration to the datadog.bootstrap.config section of the Helm chart values.yaml file:

bootstrap:
  config:
    secret:
      backend_type: aws_parameter_store
      backend_config:
        aws_session:
          aws_region: <region_name>

Set up Azure authentication

Datadog recommends using Managed Identities to authenticate with Azure. This allows you to associate cloud resources with AMI accounts and removes the need to put sensitive information in your Worker configuration file.

Create a managed identity

To access your Key Vault, create a Managed Identity and assign it to your VM. Then, configure the appropriate role assignment on the Key Vault to allow the managed identity to access the secrets.

Configure the Worker to use Azure Key Vault

After you install the Worker, configure the Worker’s bootstrap file to resolve secrets using Azure Key Vault:

secret:
  backend_type: azure.keyvault
  backend_config:
    keyvaulturl: <key_vault_url>

Before you install the Worker, add the bootstrap configuration to the datadog.bootstrap.config section of the Helm chart values.yaml file:

bootstrap:
  config:
    secret:
      backend_type: azure.keyvault
      backend_config:
        keyvaulturl: <key_vault_url>

Set up HashiCorp Vault

  1. Run your HashiCorp Vault. See the official HashiCorp Vault documentation for more information.

  2. Write a policy that grants permission to read secrets from your vault. Create a *.hcl file, and include the following permission if you are using Secrets Engine Version 1:

    path "<your_mount_path>/<additional_subpath>" {
      capabilities = ["read"]
    }

    If you are using Secrets Engine Version 2, the following permissions are needed:

    path "<your_mount_path>/data/<additional_subpath>" {
      capabilities = ["read"]
    }

    /*
    Datadog needs access to mount information to check the Secrets Engine version
    number. If access isn't granted, version 1 is assumed.
    */
    path "sys/mounts" {
      capabilities = ["read"]
    }

  3. Run vault policy write <policy_name> <path_to_*.hcl_file>.

  4. Choose the method of authenticating to your vault. If using the AWS instance profile method, run vault auth enable aws.

Set up an AWS instance profile for an AWS-connected machine

Datadog recommends that you authenticate using the instance profile method if you are running your HashiCorp Vault from an AWS-connected machine.

Configure the Worker to use HashiCorp Vault

After you install the Worker, configure the Worker’s bootstrap file to resolve secrets with HashiCorp Vault:

secret:
  backend_type: vault
  backend_config:
    vault_address: http://myvaultaddress.net
    vault_tls_config:
      # ... TLS settings if applicable
    vault_session:
      vault_auth_type: aws
      # ... additional session settings

Before you install the Worker, add the bootstrap configuration to the datadog.bootstrap.config section of the Helm chart values.yaml file:

bootstrap:
  config:
    secret:
      backend_type: vault
      backend_config:
        vault_address: http://myvaultaddress.net
        vault_tls_config:
          # ... TLS settings if applicable
        vault_session:
          vault_auth_type: aws
          # ... additional session settings

File permissions required

The file backend only requires read permissions for the configured JSON files. These permissions must be granted to the local Worker user.

Configure the Worker to use a JSON file secret backend

After you install the Worker, configure the Worker’s bootstrap file to resolve secrets with a JSON file:

secret:
  backend_type: json
  backend_config:
    file_path: /path/to/json/file.json

Create a JSON secrets file

Create the file /path/to/json/file.json to store the identifiers and their secret values:

{
  "us1_api": "<api_key>",
  "secret_identifier1": "<secret1>"
}

You can’t pass in a file to configure secretFileContents, but you can add your secrets and identifier mapping to the datadog.bootstrap.secretFileContents section of the Helm chart values.yaml file:

bootstrap:
  secretFileContents:
    us1_api: "<api_key>"
    secret_identifier1: "<secret1>"

File permissions required

The file backend only requires read permissions for the configured YAML files. These permissions must be granted to the local Worker user.

Configure the Worker to use a YAML file secret backend

After you install the Worker, configure the Worker’s bootstrap file to resolve secrets with a YAML file:

secret:
  backend_type: yaml
  backend_config:
    file_path: /path/to/yaml/file.yaml

Create a YAML secrets file

Create the file /path/to/yaml/file.yaml to store the identifiers and their secret values:

# /path/to/yaml/file.yaml

us1_api: "<api_key>"
secret_identifier1: "<secret1>"

You can’t pass in a file to configure secretFileContents, but you can add your secrets and identifier mapping to the datadog.bootstrap.secretFileContents section of the Helm chart values.yaml file:

bootstrap:
  secretFileContents:
    us1_api: "<api_key>"
    secret_identifier1: "<secret1>"
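Both the JSON and the YAML file backends above depend on the secrets file being readable by the Worker user and by nobody else. The script below is an added example, not part of the Datadog documentation or the Worker, that an operator can run before starting the Worker: it flags a secrets file whose mode grants group or other access, confirms the current user can read it, and lists the identifiers it defines without printing their values. The sample file contents are constructed from the page's examples, and the YAML parser assumes the flat `identifier: "value"` layout shown above (no nesting or lists), since it avoids a third-party YAML library.

```python
import json
import os
import stat
import tempfile

# Constructed sample contents mirroring the page's examples (placeholder values, not real keys).
SAMPLE_JSON = '{\n  "us1_api": "<api_key>",\n  "secret_identifier1": "<secret1>"\n}\n'
SAMPLE_YAML = '# /path/to/yaml/file.yaml\n\nus1_api: "<api_key>"\nsecret_identifier1: "<secret1>"\n'

# Any read/write/execute bit for group or other is more than the Worker needs.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def permission_findings(path):
    """Return a list of findings about the secrets file; an empty list means it passes."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & GROUP_OTHER_BITS:
        findings.append(f"{path}: mode {oct(mode)} grants group/other access; expected 0600 or 0400")
    # The current user stands in for the local Worker user when this runs as that user.
    if not os.access(path, os.R_OK):
        findings.append(f"{path}: not readable by the current user")
    return findings


def parse_flat_yaml(text):
    """Parse the flat `key: "value"` layout used on the page (assumption: no nesting, no lists)."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key.strip()] = value
    return result


def load_secret_identifiers(path, backend_type):
    """Return the sorted identifiers (never the values) defined in a JSON or YAML secrets file."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if backend_type == "json":
        data = json.loads(text)
    elif backend_type == "yaml":
        data = parse_flat_yaml(text)
    else:
        raise ValueError(f"unsupported backend_type: {backend_type}")
    if not isinstance(data, dict) or not all(isinstance(v, str) for v in data.values()):
        raise ValueError("secrets file must map identifiers to string values")
    return sorted(data)


def audit(path, backend_type):
    """Run the permission check and the identifier listing for one secrets file."""
    return {"findings": permission_findings(path), "identifiers": load_secret_identifiers(path, backend_type)}


def demo():
    """Write the constructed samples to a temp dir, one locked down and one world-readable, and audit both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        json_path = os.path.join(tmp, "file.json")
        yaml_path = os.path.join(tmp, "file.yaml")
        with open(json_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_JSON)
        with open(yaml_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_YAML)
        os.chmod(json_path, 0o600)  # owner read/write only: passes
        os.chmod(yaml_path, 0o644)  # readable by everyone on the host: flagged
        results["json"] = audit(json_path, "json")
        results["yaml"] = audit(yaml_path, "yaml")
    return results


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res)
```

Run it as the Worker user against the real file_path so that the os.access check reflects the permissions the Worker will actually see; a non-empty findings list is the signal to chmod the file before the Worker starts.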

Further reading

More helpful links, articles, and documentation: