- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
This guide assumes that you have configured Database Monitoring.
Datadog Database Monitoring (DBM) allows you to view explain plans and query samples running on your database hosts. This guide shows you how to use cloud managed authentication features, such as IAM, to connect the Agent to your database. This provides a more secure way to authenticate and saves you from having to manage database credentials across your agent hosts.
Supported authentication types and Agent versions :
Authentication Type | Agent Version | Postgres | SQL Server |
---|---|---|---|
IAM | |||
7.46 | |||
Microsoft Entra ID Managed Identity | |||
7.48 |
AWS supports IAM authentication to RDS and Aurora databases. Starting with Datadog Agent version 7.57, cross-account IAM authentication is supported for RDS and Aurora databases. In order to configure the Agent to connect using IAM, follow the steps to complete the setup for the database and the Datadog Agent.
<YOUR_IAM_AUTH_DB_USER>
with the local database user in the IAM policy document:{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:REGION:ACCOUNT:dbuser:db-<RESOURCE_ID>/<YOUR_IAM_AUTH_DB_USER>"
]
}
]
}
For example, if you want to use the datadog
user, use the following resource ARN:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:REGION:ACCOUNT:dbuser:db-<RESOURCE_ID>/datadog"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:REGION:ACCOUNT:dbuser:cluster-<RESOURCE_ID>/<YOUR_IAM_AUTH_DB_USER>"
]
}
]
}
For example, if you wanted to use the datadog
user, you would use the following resource ARN:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:REGION:ACCOUNT:dbuser:cluster-<RESOURCE_ID>/datadog"
]
}
]
}
AWS also supports wildcards for specifying the resource, for example if you wanted to allow the datadog
user to authenticate across all instances for an account add the following:
"Resource": [
"arn:aws:rds-db:*:ACCOUNT:dbuser:cluster-*/datadog",
"arn:aws:rds-db:*:ACCOUNT:dbuser:db-*/datadog"
],
rds_iam
role to the new user:CREATE USER <YOUR_IAM_ROLE> WITH LOGIN;
GRANT rds_iam TO <YOUR_IAM_ROLE>;
For example, for the datadog
user you would run:
CREATE USER datadog WITH LOGIN;
GRANT rds_iam TO datadog;
Note: this has to be a new user created without a password, or IAM authentication will fail.
# Create an IAM role for EC2 instance
# Replace `<YOUR_IAM_AUTH_DB_ROLE>` with the name of the IAM role
aws iam create-role --role-name <YOUR_IAM_AUTH_DB_ROLE> --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}'
# Attach the IAM policy to the IAM role
# Replace `<YOUR_IAM_AUTH_DB_POLICY_ARN>` with the ARN of the IAM policy from step 2
aws iam attach-role-policy --role-name <YOUR_IAM_AUTH_DB_ROLE> --policy-arn <YOUR_IAM_AUTH_DB_POLICY_ARN>
Attach the IAM role to the EC2 instance where the Agent is running. For more information, see IAM roles for Amazon EC2.
# Create an IAM role for ECS task
# Replace `<YOUR_IAM_AUTH_DB_ROLE>` with the name of the IAM role
aws iam create-role --role-name <YOUR_IAM_AUTH_DB_ROLE> --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}'
# Attach the IAM policy to the IAM role
# Replace `<YOUR_IAM_AUTH_DB_POLICY_ARN>` with the ARN of the IAM policy from step 2
aws iam attach-role-policy --role-name <YOUR_IAM_AUTH_DB_ROLE> --policy-arn <YOUR_IAM_AUTH_DB_POLICY_ARN>
In the ECS task definition, attach the IAM role to the task role where the Agent container is defined. For more information, see IAM roles for Amazon ECS.
# Create an IAM OIDC provider for your cluster
# Replace `<YOUR_ESK_REGION>` and `<YOUR_ESK_CLUSTER>` with the region and name of your ESK cluster
$ eksctl utils associate-iam-oidc-provider \
--region=<YOUR_ESK_REGION> \
--cluster=<YOUR_ESK_CLUSTER> \
--approve
# Create a service account
# Replace `<YOUR_IAM_AUTH_DB_POLICY_ARN>` with the ARN of the IAM policy from step 2
# Replace `<YOUR_IAM_AUTH_SERVICE_ACCOUNT>` and `<YOUR_IAM_AUTH_SERVICE_ACCOUNT_NAMESPACE>` with the name and namespace of the service account
$ eksctl create iamserviceaccount \
--cluster <YOUR_ESK_CLUSTER> \
--name <YOUR_IAM_AUTH_SERVICE_ACCOUNT> \
--namespace <YOUR_IAM_AUTH_SERVICE_ACCOUNT_NAMESPACE> \
--attach-policy-arn <YOUR_IAM_AUTH_DB_POLICY_ARN> \
--override-existing-serviceaccounts \
--approve
Map the IAM role to the Kubernetes service account where the Agent is running. For more information, see IAM roles for Amazon EKS service account.
aws
block specifying the region
of the RDS instance, and set managed_authentication.enabled
to true
:instances:
- host: example-endpoint.us-east-2.rds.amazonaws.com
port: 5432
username: datadog
dbm: true
aws:
instance_endpoint: example-endpoint.us-east-2.rds.amazonaws.com
region: us-east-2
managed_authentication:
enabled: true
NOTE: Cross-account IAM authentication is supported starting from Agent version 7.57.
<YOUR_IAM_AUTH_DB_ROLE>
with the name of the IAM role<YOUR_AWS_ACCOUNT_FOR_AGENT>
with the AWS account ID where the Agent is running<YOUR_AGENT_EC2_ROLE>
with the IAM role of the EC2 instance where the Agent is running<YOUR_IAM_AUTH_DB_POLICY_ARN>
with the ARN of the IAM policy created for DB authenticationaws iam create-role --role-name <YOUR_IAM_AUTH_DB_ROLE> --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_AWS_ACCOUNT_FOR_AGENT>:role/<YOUR_AGENT_EC2_ROLE>"
},
"Action": "sts:AssumeRole"
}
]
}'
aws iam attach-role-policy --role-name <YOUR_IAM_AUTH_DB_ROLE> --policy-arn <YOUR_IAM_AUTH_DB_POLICY_ARN>
<YOUR_AGENT_EC2_ROLE>
with the IAM role of the EC2 instance where the Agent is running<YOUR_IAM_AUTH_DB_ROLE>
with the name of the IAM role created for DB authentication<YOUR_AWS_ACCOUNT_FOR_DB>
with the AWS account ID where the RDS instance is locatedaws iam update-assume-role-policy --role-name <YOUR_AGENT_EC2_ROLE> --policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_AWS_ACCOUNT_FOR_DB>:role/<YOUR_IAM_AUTH_DB_ROLE>"
},
"Action": "sts:AssumeRole"
}
]
}'
<YOUR_IAM_AUTH_DB_ROLE>
with the name of the IAM role created for DB authentication<YOUR_AWS_ACCOUNT_FOR_AGENT>
with the AWS account ID where the Agent is running<YOUR_AGENT_ECS_ROLE>
with the IAM role of the ECS task where the Agent is running<YOUR_IAM_AUTH_DB_POLICY_ARN>
with the ARN of the IAM policy created for DB authenticationaws iam create-role --role-name <YOUR_IAM_AUTH_DB_ROLE> --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_AWS_ACCOUNT_FOR_AGENT>:role/<YOUR_AGENT_ECS_ROLE>"
},
"Action": "sts:AssumeRole"
}
]
}'
aws iam attach-role-policy --role-name <YOUR_IAM_AUTH_DB_ROLE> --policy-arn <YOUR_IAM_AUTH_DB_POLICY_ARN>
<YOUR_AGENT_ECS_ROLE>
with the IAM role of the ECS task where the Agent is running<YOUR_IAM_AUTH_DB_ROLE>
with the name of the IAM role<YOUR_AWS_ACCOUNT_FOR_DB>
with the AWS account ID where the RDS instance is locatedaws iam update-assume-role-policy --role-name <YOUR_AGENT_ECS_ROLE> --policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_AWS_ACCOUNT_FOR_DB>:role/<YOUR_IAM_AUTH_DB_ROLE>"
},
"Action": "sts:AssumeRole"
}
]
}'
<YOUR_IAM_AUTH_DB_ROLE>
with the name of the IAM role<YOUR_AWS_ACCOUNT_FOR_AGENT>
with the AWS account ID where the Agent is running<YOUR_AGENT_EKS_ROLE>
with the IAM role to be used by the EKS pods where the Agent is running<YOUR_IAM_AUTH_DB_POLICY_ARN>
with the ARN of the IAM policy created for DB authenticationaws iam create-role --role-name <YOUR_IAM_AUTH_DB_ROLE> --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_AWS_ACCOUNT_FOR_AGENT>:role/<YOUR_AGENT_EKS_ROLE>"
},
"Action": "sts:AssumeRole"
}
]
}'
aws iam attach-role-policy --role-name <YOUR_IAM_AUTH_DB_ROLE> --policy-arn <YOUR_IAM_AUTH_DB_POLICY_ARN>
<YOUR_AGENT_EKS_ROLE>
with the EKS Service Account IAM role the Agent is using<YOUR_IAM_AUTH_DB_ROLE>
with the name of the IAM role<YOUR_AWS_ACCOUNT_FOR_DB>
with the AWS account ID where the RDS instance is locatedaws iam update-assume-role-policy --role-name <YOUR_AGENT_EKS_ROLE> --policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_AWS_ACCOUNT_FOR_DB>:role/<YOUR_IAM_AUTH_DB_ROLE>"
},
"Action": "sts:AssumeRole"
}
]
}'
<YOUR_EKS_REGION>
and <YOUR_EKS_CLUSTER>
with the region and name of your EKS cluster<YOUR_IAM_AUTH_DB_POLICY_ARN>
with the ARN of the IAM policy created for DB authentication<YOUR_IAM_AUTH_SERVICE_ACCOUNT>
and <YOUR_IAM_AUTH_SERVICE_ACCOUNT_NAMESPACE>
with the name and namespace of the service account<YOUR_AGENT_EKS_ROLE>
with the IAM role to be used by the EKS pods where the Agent is running$ eksctl utils associate-iam-oidc-provider \
--region <YOUR_EKS_REGION> \
--cluster <YOUR_EKS_CLUSTER> \
--approve
$ eksctl create iamserviceaccount \
--cluster <YOUR_EKS_CLUSTER> \
--name <YOUR_IAM_AUTH_SERVICE_ACCOUNT> \
--namespace <YOUR_IAM_AUTH_SERVICE_ACCOUNT_NAMESPACE> \
--role-name arn:aws:iam::<YOUR_AWS_ACCOUNT_FOR_AGENT>:role/<YOUR_AGENT_EKS_ROLE> \
--override-existing-serviceaccounts \
--approve
Update your Postgres instance config with an aws
block as shown below:
region
of the RDS instancemanaged_authentication.enabled
to true
<YOUR_AWS_ACCOUNT_FOR_DB>
with the AWS account ID where the RDS instance is located, and <YOUR_IAM_AUTH_DB_ROLE>
with the name of the IAM role created in step 1instances:
- host: example-endpoint.us-east-2.rds.amazonaws.com
port: 5432
username: datadog
dbm: true
aws:
instance_endpoint: example-endpoint.us-east-2.rds.amazonaws.com
region: us-east-2
managed_authentication:
enabled: true
role_arn: arn:aws:iam::<YOUR_AWS_ACCOUNT_FOR_DB>:role/<YOUR_IAM_AUTH_DB_ROLE>
Azure allows users to configure managed identity authentication for any resource that can access Microsoft Entra ID, formerly Azure Active Directory. The Datadog Agent supports both user and system assigned managed identity authentication to your cloud databases.
In order to configure authentication to your PostgreSQL Flexible or Single Server instance, do the following:
select * from pgaadauth_create_principal('<IDENTITY_NAME>', false, false);
Create the following schema in every database:
CREATE SCHEMA datadog;
GRANT USAGE ON SCHEMA datadog TO "<IDENTITY_NAME>";
GRANT USAGE ON SCHEMA public TO "<IDENTITY_NAME>";
GRANT pg_monitor TO datadog;
Create the function in every database to enable the Agent to collect explain plans.
CREATE OR REPLACE FUNCTION datadog.explain_statement(
l_query TEXT,
OUT explain JSON
)
RETURNS SETOF JSON AS
$$
DECLARE
curs REFCURSOR;
plan JSON;
BEGIN
OPEN curs FOR EXECUTE pg_catalog.concat('EXPLAIN (FORMAT JSON) ', l_query);
FETCH curs INTO plan;
CLOSE curs;
RETURN QUERY SELECT plan;
END;
$$
LANGUAGE 'plpgsql'
RETURNS NULL ON NULL INPUT
SECURITY DEFINER
azure.managed_authentication
YAML block, where the CLIENT_ID
is the Client ID of the Managed Identity:instances:
- host: example-flex-server.postgres.database.azure.com
dbm: true
username: "<IDENTITY_NAME>"
ssl: "require"
azure:
deployment_type: flexible_server
fully_qualified_domain_name: example-flex-server.postgres.database.azure.com
managed_authentication:
enabled: true
client_id: "<CLIENT_ID>"
# Optionally set the scope from where to request the identity token
identity_scope: "https://ossrdbms-aad.database.windows.net/.default"
In order to configure authentication to your Azure SQL DB or Azure Managed Instance, do the following:
master
database:CREATE LOGIN <MANAGED_IDENTITY_NAME> FROM EXTERNAL PROVIDER;
CREATE USER <MANAGED_IDENTITY_NAME> FOR LOGIN <MANAGED_IDENTITY_NAME>;
GRANT CONNECT ANY DATABASE to <MANAGED_IDENTITY_NAME>;
GRANT VIEW SERVER STATE to <MANAGED_IDENTITY_NAME>;
GRANT VIEW ANY DEFINITION to <MANAGED_IDENTITY_NAME>;
GO
If you are using Azure SQL DB, run the following from the master
database:
CREATE LOGIN <MANAGED_IDENTITY_NAME> FROM EXTERNAL PROVIDER;
CREATE USER datadog FOR LOGIN <MANAGED_IDENTITY_NAME>;
ALTER SERVER ROLE ##MS_ServerStateReader## ADD MEMBER <MANAGED_IDENTITY_NAME>;
ALTER SERVER ROLE ##MS_DefinitionReader## ADD MEMBER <MANAGED_IDENTITY_NAME>;
And then create the user in every database:
CREATE USER <DBM_DATADOG_TEST_IDENTITY> FOR LOGIN <DBM_DATADOG_TEST_IDENTITY>;
managed_identity
config block:Note: ODBC Driver 17 for SQL Server or greater is required to use this feature.
instances:
- host: "example.cfcc2366ab90.database.windows.net,1433"
connector: "odbc"
driver: "{ODBC Driver 18 for SQL Server}"
dbm: true
connection_string: "TrustServerCertificate=no;Encrypt=yes;"
managed_identity:
client_id: "<CLIENT_ID>"
azure:
deployment_type: managed_instance
fully_qualified_domain_name: example.cfcc2366ab90.database.windows.net