Overview
The Observability Pipelines Worker helps you securely manage your secrets by integrating with the following secrets management solutions:
- AWS Secrets Manager
- AWS Systems Manager
- Azure Key Vault
- HashiCorp Vault
- JSON File
- YAML File
Note: When you set up a pipeline and install the Worker, if you enter secret identifiers and then choose to use environment variables, the environment variable name is the identifier you entered with DD_OP_ prepended. For example, if you entered PASSWORD_1 as a password identifier, the environment variable for that password is DD_OP_PASSWORD_1.
AWS Secrets Manager
Set up an AWS instance profile
Datadog recommends using the instance profile method of retrieving secrets because AWS handles all environment variables and session profiles for you. See the official AWS Secrets Manager documentation for setup instructions.
After you install the Worker, configure the Worker’s bootstrap file to resolve secrets using AWS Secrets Manager:
```yaml
secret:
  backend_type: aws.secrets
  backend_config:
    aws_session:
      aws_region: <region_name>
```
Before you install the Worker, add the bootstrap configuration to the datadog.bootstrap.config section of the Helm chart values.yaml file:
```yaml
bootstrap:
  config:
    secret:
      backend_type: aws.secrets
      backend_config:
        aws_session:
          aws_region: <region_name>
```
The following aws_session settings are available:
| Setting | Description |
|---|---|
| aws_region | AWS Region |
| aws_profile | AWS Session Profile |
| aws_role_arn | AWS sts:AssumeRole ARN |
| aws_external_id | AWS sts:AssumeRole ExternalId |
| aws_access_key_id | AWS IAM User Access Key ID |
| aws_secret_access_key | AWS IAM User Access Key Secret |
In most cases, you need to specify aws_region to correspond to the region hosting the Secrets Manager secret.
When a secret holds a single string, the backend_config setting force_string: true coerces the retrieved secret to a string value.
AWS Systems Manager
Set up an AWS instance profile
Datadog recommends using the instance profile method of retrieving secrets because AWS handles all environment variables and session profiles for you. See the official AWS Systems Manager Parameter Store documentation for setup instructions.
After you install the Worker, configure the Worker’s bootstrap file to resolve secrets using AWS Systems Manager:
```yaml
secret:
  backend_type: aws_parameter_store
  backend_config:
    aws_session:
      aws_region: <region_name>
```
Before you install the Worker, add the bootstrap configuration to the datadog.bootstrap.config section of the Helm chart values.yaml file:
```yaml
bootstrap:
  config:
    secret:
      backend_type: aws_parameter_store
      backend_config:
        aws_session:
          aws_region: <region_name>
```
Azure Key Vault
Set up Azure authentication
Datadog recommends using Managed Identities to authenticate with Azure. This allows you to associate cloud resources with AMI accounts and removes the need to put sensitive information in your Worker configuration file.
Create a managed identity
To access your Key Vault, create a Managed Identity and assign it to your VM. Then, configure the appropriate role assignment on the Key Vault to allow the managed identity to access the secrets.
After you install the Worker, configure the Worker’s bootstrap file to resolve secrets using Azure Key Vault:
```yaml
secret:
  backend_type: azure.keyvault
  backend_config:
    keyvaulturl: <key_vault_url>
```
Before you install the Worker, add the bootstrap configuration to the datadog.bootstrap.config section of the Helm chart values.yaml file:
```yaml
bootstrap:
  config:
    secret:
      backend_type: azure.keyvault
      backend_config:
        keyvaulturl: <key_vault_url>
```
Set up HashiCorp Vault
Run your HashiCorp Vault. See the official HashiCorp Vault documentation for more information.
Write a policy that grants permission to read secrets from your vault. Create a *.hcl file and include the following path stanza if you are using Secrets Engine Version 1:
```hcl
path "<your_mount_path>/<additional_subpath>" {
  capabilities = ["read"]
}
```
If you are using Secrets Engine Version 2, the following permissions are needed:
```hcl
path "<your_mount_path>/data/<additional_subpath>" {
  capabilities = ["read"]
}

/*
Datadog needs access to mount information to check the Secrets Engine version
number. If access isn't granted, version 1 is assumed.
*/
path "sys/mounts" {
  capabilities = ["read"]
}
```
Run vault policy write <policy_name> <path_to_*.hcl_file>.
Choose the method of authenticating to your vault. If using the AWS instance profile method, run vault auth enable aws.
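The policy above grants read on sys/mounts because the read path of a secret depends on the KV engine version: version 1 reads <mount>/<path>, version 2 reads <mount>/data/<path>, and the version is only discoverable from the mount listing. The following is an added example (not Datadog's or HashiCorp's code) that models that decision, including the fallback to version 1 when sys/mounts is denied, and unwraps the differently nested read responses. The sys/mounts sample follows Vault's documented response shape; the mount names, paths and values are constructed for this example.

```python
"""Added example, not code from the Datadog docs, the Worker, or HashiCorp Vault.

Models how a client chooses between KV v1 and KV v2 read paths from the
sys/mounts listing, falls back to v1 when that listing is denied (as the
policy comment above describes), and unwraps the read response.
"""
from typing import Optional

# Constructed sample of the relevant fields of a GET /v1/sys/mounts response.
SAMPLE_MOUNTS = {
    "secret/": {"type": "kv", "options": {"version": "2"}},
    "legacy/": {"type": "kv", "options": {"version": "1"}},
    "cubbyhole/": {"type": "cubbyhole", "options": None},
}


def kv_version(mount: str, mounts: Optional[dict]) -> int:
    """KV engine version for a mount; mounts=None means sys/mounts was denied, so assume v1."""
    if mounts is None:
        return 1
    info = mounts.get(mount.strip("/") + "/")
    if info is None or info.get("type") != "kv":
        raise ValueError(f"{mount!r} is not a kv mount")
    options = info.get("options") or {}
    return int(options.get("version", "1"))


def read_path(mount: str, subpath: str, mounts: Optional[dict]) -> str:
    """API path the client must read for the secret; v2 inserts /data/ after the mount."""
    mount, subpath = mount.strip("/"), subpath.strip("/")
    if kv_version(mount, mounts) == 2:
        return f"{mount}/data/{subpath}"
    return f"{mount}/{subpath}"


def policy_stanza(mount: str, subpath: str, mounts: Optional[dict]) -> str:
    """Least-privilege HCL stanza granting read on exactly that secret's path."""
    return f'path "{read_path(mount, subpath, mounts)}" {{\n  capabilities = ["read"]\n}}\n'


def secret_data(response: dict, version: int) -> dict:
    """Unwrap a read response: v1 keeps key/values in data, v2 nests them under data.data."""
    data = response.get("data") or {}
    return data.get("data", {}) if version == 2 else data


if __name__ == "__main__":
    print(read_path("secret", "op/db", SAMPLE_MOUNTS))  # secret/data/op/db
    # With sys/mounts denied the client assumes v1 and reads the wrong path on a v2 mount.
    print(read_path("secret", "op/db", None))  # secret/op/db
    print(policy_stanza("legacy", "op/db", SAMPLE_MOUNTS))
```

The second print is the failure mode the policy comment warns about: without read on sys/mounts, a v2 mount is treated as v1, the client reads a path that does not exist, and the secret silently fails to resolve. Granting the sys/mounts read is what lets the version check succeed.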
Set up an AWS instance profile for an AWS-connected machine
Datadog recommends that you authenticate using the instance profile method if you are running your HashiCorp Vault from an AWS-connected machine.
After you install the Worker, configure the Worker’s bootstrap file to resolve secrets with HashiCorp Vault:
```yaml
secret:
  backend_type: vault
  backend_config:
    vault_address: http://myvaultaddress.net
    vault_tls_config:
      # ... TLS settings if applicable
    vault_session:
      vault_auth_type: aws
      # ... additional session settings
```
Before you install the Worker, add the bootstrap configuration to the datadog.bootstrap.config section of the Helm chart values.yaml file:
```yaml
bootstrap:
  config:
    secret:
      backend_type: vault
      backend_config:
        vault_address: http://myvaultaddress.net
        vault_tls_config:
          # ... TLS settings if applicable
        vault_session:
          vault_auth_type: aws
          # ... additional session settings
```
JSON File
File permissions required
The file backend only requires read permissions for the configured JSON files. These permissions must be granted to the local Worker user.
After you install the Worker, configure the Worker’s bootstrap file to resolve secrets with a JSON file:
```yaml
secret:
  backend_type: json
  backend_config:
    file_path: /path/to/json/file.json
```
Create a JSON secrets file
Create the file /path/to/json/file.json to store the identifiers and their secret values:
```json
{
  "us1_api": "<api_key>",
  "secret_identifier1": "<secret1>"
}
```
You can’t pass in a file to configure secretFileContents, but you can add your secrets and identifier mapping to the datadog.bootstrap.secretFileContents section of the Helm chart values.yaml file:
```yaml
bootstrap:
  secretFileContents:
    us1_api: "<api_key>"
    secret_identifier1: "<secret1>"
```
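Two rules on this page are easy to get wrong in practice: the identifier-to-environment-variable naming from the note in the Overview (PASSWORD_1 becomes DD_OP_PASSWORD_1), and the file backend's requirement that the secrets file be readable by the local Worker user. The following is an added example, not code from the Datadog docs or the Worker, that models both: it derives the DD_OP_ variable name, loads a JSON secrets file of the shape shown above, and refuses files that are symlinks or readable by group or others. The env-before-file lookup order and the strict permission check are this example's own defensive choices, not documented Worker behaviour; the sample secrets are constructed.

```python
"""Added example, not code from the Datadog docs or the Observability Pipelines Worker.

Models the DD_OP_<identifier> environment variable naming and a JSON file
backend that insists the secrets file is private to the Worker user.
"""
import json
import os
import stat
import tempfile

ENV_PREFIX = "DD_OP_"


def env_var_name(identifier: str) -> str:
    """Environment variable name for an identifier, e.g. PASSWORD_1 -> DD_OP_PASSWORD_1."""
    if not identifier or not all(c.isalnum() or c == "_" for c in identifier):
        raise ValueError(f"identifier {identifier!r} is not a valid environment variable suffix")
    return ENV_PREFIX + identifier


def check_secrets_file(path: str) -> None:
    """Reject symlinks, files readable by group/others, and files the Worker user cannot read."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path}: refusing to follow a symlink to a secrets file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    if not os.access(path, os.R_OK):
        raise PermissionError(f"{path}: not readable by the current (Worker) user")


def load_json_backend(path: str) -> dict:
    """Load the flat {identifier: secret} object the json backend expects."""
    check_secrets_file(path)
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, dict) or not all(isinstance(v, str) for v in data.values()):
        raise ValueError(f"{path}: expected a flat JSON object mapping identifiers to strings")
    return data


def resolve(identifier: str, file_secrets: dict, environ=None) -> str:
    """Look up DD_OP_<identifier> first, then the file backend (this example's own order)."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var_name(identifier))
    if value is None:
        value = file_secrets.get(identifier)
    if value is None:
        raise KeyError(f"no secret found for identifier {identifier!r}")
    return value


def demo() -> dict:
    """Exercise the checks against a constructed secrets file in a temp dir; return results."""
    results = {"env_name": env_var_name("PASSWORD_1")}
    # Constructed sample with the same shape as the page's /path/to/json/file.json.
    sample = {"us1_api": "example-api-key", "secret_identifier1": "example-secret-1"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "file.json")
        # Create the file owner-only (0600) from the moment it exists, never chmod after writing.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        secrets = load_json_backend(path)
        results["from_file"] = resolve("secret_identifier1", secrets, environ={})
        results["from_env"] = resolve(
            "secret_identifier1", secrets, environ={"DD_OP_secret_identifier1": "from-env"}
        )
        os.chmod(path, 0o644)  # simulate a world-readable secrets file
        try:
            load_json_backend(path)
            results["rejected_world_readable"] = False
        except PermissionError:
            results["rejected_world_readable"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Creating the file with mode 0600 at open time (rather than writing it and tightening permissions afterwards) closes the window in which another local user could read it, and rejecting group/other bits at load time catches a file that was later loosened by a deploy script or backup restore.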
YAML File
File permissions required
The file backend only requires read permissions for the configured YAML files. These permissions must be granted to the local Worker user.
After you install the Worker, configure the Worker’s bootstrap file to resolve secrets with a YAML file:
```yaml
secret:
  backend_type: yaml
  backend_config:
    file_path: /path/to/yaml/file.yaml
```
Create a YAML secrets file
Create the file /path/to/yaml/file.yaml to store the identifiers and their secret values:
```yaml
# /path/to/yaml/file.yaml
us1_api: "<api_key>"
secret_identifier1: "<secret1>"
```
You can’t pass in a file to configure secretFileContents, but you can add your secrets and identifier mapping to the datadog.bootstrap.secretFileContents section of the Helm chart values.yaml file:
```yaml
bootstrap:
  secretFileContents:
    us1_api: "<api_key>"
    secret_identifier1: "<secret1>"
```