If your Go Lambda functions are still using runtime go1.x and you cannot migrate to the provided.al2 runtime, you must instrument using the Datadog Forwarder. Otherwise, follow the instructions in this guide to instrument using the Datadog Lambda Extension.
If your Lambda functions are deployed in a VPC without access to the public internet, you can send data either using AWS PrivateLink for the datadoghq.com Datadog site, or using a proxy for all other sites.

Installation

The Datadog Serverless Plugin automatically configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension.

To install and configure the Datadog Serverless Plugin, follow these steps:

Install the Datadog Serverless Plugin:

serverless plugin install --name serverless-plugin-datadog

Update your serverless.yml:

custom:
  datadog:
    site: <DATADOG_SITE>
    apiKeySecretArn: <DATADOG_API_KEY_SECRET_ARN>

To fill in the placeholders:

  • Replace <DATADOG_SITE> with your Datadog site to send the telemetry to.
  • Replace <DATADOG_API_KEY_SECRET_ARN> with the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, you can instead use apiKey and set the Datadog API key in plaintext.

For more information and additional settings, see the plugin documentation.

  1. Install the Datadog Lambda Extension

    COPY --from=public.ecr.aws/datadog/lambda-extension:<TAG> /opt/. /opt/
    

    Replace <TAG> with either a specific version number (for example, 66) or with latest. Alpine is also supported with specific version numbers (such as 66-alpine) or with latest-alpine. You can see a complete list of possible tags in the Amazon ECR repository.

  2. Set the required environment variables

    • Set DD_SITE to (ensure the correct SITE is selected on the right).
    • Set DD_API_KEY_SECRET_ARN to the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, you can use DD_API_KEY instead and set the Datadog API key in plaintext.
    • Optionally set DD_UNIVERSAL_INSTRUMENTATION: true to take advantage of advanced configurations such as capturing the Lambda request and response payloads and inferring APM spans from incoming Lambda events.

Install the Datadog Lambda Extension

Add the Lambda layer of Datadog Lambda Extension to your Lambda functions, using the ARN format based on your AWS region and architecture:

# Use this format for x86-based Lambda deployed in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension:66

# Use this format for arm64-based Lambda deployed in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM:66

# Use this format for x86-based Lambda deployed in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension:66

# Use this format for arm64-based Lambda deployed in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM:66

Replace <AWS_REGION> with a valid AWS region, such as us-east-1.

Configure the required environment variables

  • Set DD_SITE to (ensure the correct SITE is selected on the right).
  • Set DD_API_KEY_SECRET_ARN to the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, you can use DD_API_KEY instead and set the Datadog API key in plaintext.

Install the Datadog Lambda library

go get github.com/DataDog/datadog-lambda-go

Update your Lambda function code

package main

import (
	"context"
	"net/http"
	"time"

	ddlambda "github.com/DataDog/datadog-lambda-go"
	"github.com/aws/aws-lambda-go/events"
	"github.com/aws/aws-lambda-go/lambda"
	httptrace "gopkg.in/DataDog/dd-trace-go.v1/contrib/net/http"
	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
)

func main() {
	// Wrap your lambda handler
	lambda.Start(ddlambda.WrapFunction(myHandler, nil))
}

func myHandler(ctx context.Context, _ events.APIGatewayProxyRequest) (string, error) {
	// Trace an HTTP request
	req, _ := http.NewRequestWithContext(ctx, "GET", "https://www.datadoghq.com", nil)
	client := http.Client{}
	client = *httptrace.WrapClient(&client)
	client.Do(req)

	// Submit a custom metric
	ddlambda.Metric(
		"coffee_house.order_value",      // Metric name
		12.45,                           // Metric value
		"product:latte", "order:online", // Associated tags
	)

	// Create a custom span
	s, _ := tracer.StartSpanFromContext(ctx, "child.span")
	time.Sleep(100 * time.Millisecond)
	s.Finish()
	return "ok", nil
}

}

What’s next?

  • Congratulations! You can now view metrics, logs, and traces on the Serverless Homepage.
  • Turn on threat monitoring to get alerted on attackers targeting your service
  • See the troubleshooting guide if you have trouble collecting the telemetry
  • See the advanced configurations to
    • connect your telemetry using tags
    • collect telemetry for Amazon API Gateway, SQS, etc.
    • capture the Lambda request and response payloads
    • link errors of your Lambda functions to your source code
    • filter or scrub sensitive information from logs or traces

Further Reading