Instrumenting Java Serverless Applications
To fully instrument your serverless application with distributed tracing, your Java Lambda functions must be using the Java 8 Corretto (java8.al2), Java 11 (java11) or Java 17 (java17) runtimes with at least 1024 MB of memory.
If your Lambda functions are deployed in a VPC without access to the public internet, you can send data either using AWS PrivateLink for the datadoghq.com Datadog site, or using a proxy for all other sites.
If you previously set up your Lambda functions using the Datadog Forwarder, see instrumenting using the Datadog Forwarder. Otherwise, follow the instructions in this guide to instrument using the Datadog Lambda Extension.
If you are using the Datadog Lambda layers dd-trace-java:4 (or older) and Datadog-Extension:24 (or older), follow the special instructions to upgrade.
Installation
Datadog offers many different ways to enable instrumentation for your serverless applications. Choose a method below that best suits your needs. Datadog generally recommends using the Datadog CLI. You must follow the instructions for “Container Image” if your application is deployed as a container image.
The Datadog CLI modifies existing Lambda functions’ configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog’s serverless monitoring.
Install the Datadog CLI client
npm install -g @datadog/datadog-ci
If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps on this page. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment.
datadog-ci lambda instrument -i
Configure the AWS credentials
The Datadog CLI requires access to the AWS Lambda service and depends on the AWS JavaScript SDK to resolve the credentials. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI.
Configure the Datadog site
export DATADOG_SITE="<DATADOG_SITE>"
Replace <DATADOG_SITE> with
Configure your Datadog API key
Datadog recommends saving the Datadog API key in AWS Secrets Manager for security and easy rotation. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required secretsmanager:GetSecretValue IAM permission.
export DATADOG_API_KEY_SECRET_ARN="<DATADOG_API_KEY_SECRET_ARN>"
For quick testing purposes, you can also set the Datadog API key in plaintext:
export DATADOG_API_KEY="<DATADOG_API_KEY>"
Instrument your Lambda functions
Note: Instrument your Lambda functions in a dev or staging environment first. If your instrumentation results are unsatisfactory, you can run uninstrument with the same arguments to revert the changes.
To instrument your Lambda functions, run the following command.
datadog-ci lambda instrument -f <functionname> -f <another_functionname> -r <aws_region> -v 14 -e 57
To fill in the placeholders:
- Replace
<functionname> and <another_functionname> with your Lambda function names. Alternatively, you can use --functions-regex to automatically instrument multiple functions whose names match the given regular expression. - Replace
<aws_region> with the AWS region name.
Additional parameters can be found in the CLI documentation.
The Datadog Serverless Plugin automatically configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension.
To install and configure the Datadog Serverless Plugin, follow these steps:
Install the Datadog Serverless Plugin:
serverless plugin install --name serverless-plugin-datadog
Update your serverless.yml:
custom:
datadog:
site: <DATADOG_SITE>
apiKeySecretArn: <DATADOG_API_KEY_SECRET_ARN>
To fill in the placeholders:
- Replace
<DATADOG_SITE> with - Replace
<DATADOG_API_KEY_SECRET_ARN> with the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, you can instead use apiKey and set the Datadog API key in plaintext.
For more information and additional settings, see the plugin documentation.
The Datadog CloudFormation macro automatically transforms your SAM application template to install Datadog on your functions using Lambda layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension.
Install the Datadog CloudFormation macro
Run the following command with your AWS credentials to deploy a CloudFormation stack that installs the macro AWS resource. You only need to install the macro once for a given region in your account. Replace create-stack with update-stack to update the macro to the latest version.
aws cloudformation create-stack \
--stack-name datadog-serverless-macro \
--template-url https://datadog-cloudformation-template.s3.amazonaws.com/aws/serverless-macro/latest.yml \
--capabilities CAPABILITY_AUTO_EXPAND CAPABILITY_IAM
The macro is now deployed and ready to use.
Instrument your Lambda functions
Add the DatadogServerless transform after the AWS::Serverless transform under the Transform section in your template.yml file for SAM.
Transform:
- AWS::Serverless-2016-10-31
- Name: DatadogServerless
Parameters:
stackName: !Ref "AWS::StackName"
javaLayerVersion: 14
extensionLayerVersion: 57
site: "<DATADOG_SITE>"
apiKeySecretArn: "<DATADOG_API_KEY_SECRET_ARN>"
To fill in the placeholders:
- Replace
<DATADOG_SITE> with - Replace
<DATADOG_API_KEY_SECRET_ARN> with the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, you can use apiKey instead and set the Datadog API key in plaintext.
More information and additional parameters can be found in the macro documentation.
Instrumenting Java functions through the Datadog CDK construct is only available for AWS CDK apps written in Node.js and Python.
The Datadog CDK construct automatically installs Datadog on your functions using Lambda layers. It configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension.
Install the Datadog CDK constructs library
Node.js:
# For AWS CDK v1
npm install datadog-cdk-constructs --save-dev
# For AWS CDK v2
npm install datadog-cdk-constructs-v2 --save-dev
Python:
# For AWS CDK v1
pip install datadog-cdk-constructs
# For AWS CDK v2
pip install datadog-cdk-constructs-v2
Instrument your Lambda functions
Node.js:
// For AWS CDK v1
import { Datadog } from "datadog-cdk-constructs";
// For AWS CDK v2
import { Datadog } from "datadog-cdk-constructs-v2";
const datadog = new Datadog(this, "Datadog", {
javaLayerVersion: 14,
extensionLayerVersion: 57,
site: "<DATADOG_SITE>",
apiKeySecretArn: "<DATADOG_API_KEY_SECRET_ARN>"
});
datadog.addLambdaFunctions([<LAMBDA_FUNCTIONS>])
Python:
# For AWS CDK v1
from datadog_cdk_constructs import Datadog
# For AWS CDK v2
from datadog_cdk_constructs_v2 import Datadog
datadog = Datadog(self, "Datadog",
java_layer_version=14,
extension_layer_version=57,
site="<DATADOG_SITE>",
api_key_secret_arn="<DATADOG_API_KEY_SECRET_ARN>",
)
datadog.add_lambda_functions([<LAMBDA_FUNCTIONS>])
To fill in the placeholders:
- Replace
<DATADOG_SITE> with - Replace
<DATADOG_API_KEY_SECRET_ARN> with the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda execution role has the secretsmanager:GetSecretValue IAM permission in order to read the secret value. For quick testing, you can use apiKey instead and set the Datadog API key in plaintext.
More information and additional parameters can be found on the Datadog CDK documentation.
Install the Datadog Lambda Extension
COPY --from=public.ecr.aws/datadog/lambda-extension:<TAG> /opt/. /opt/
Replace <TAG> with either a specific version number (for example, 57) or with latest. Alpine is also supported with specific version numbers (such as 57-alpine) or with latest-alpine. You can see a complete list of possible tags in the Amazon ECR repository.
Install the Datadog Java APM client
RUN yum -y install tar wget gzip
RUN wget -O /opt/java/lib/dd-java-agent.jar 'https://dtdg.co/latest-java-tracer'
Set the required environment variables
- Set
AWS_LAMBDA_EXEC_WRAPPER to /opt/datadog_wrapper. - Set
DD_SITE to - Set
DD_API_KEY_SECRET_ARN to the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, you can use DD_API_KEY instead and set the Datadog API key in plaintext.
Use this format for your Terraform resource:
resource "aws_lambda_function" "lambda" {
"function_name" = ...
...
# Remember sure to choose the right layers based on your Lambda architecture and AWS regions
layers = [
<DATADOG_TRACER_ARN>,
<DATADOG_EXTENSION_ARN>
]
environment {
variables = {
DD_SITE = <DATADOG_SITE>
DD_API_KEY_SECRET_ARN = <API_KEY>
AWS_LAMBDA_EXEC_WRAPPER = "/opt/datadog_wrapper"
}
}
}
Fill in variables accordingly:
Replace <DATADOG_TRACER_ARN> with the ARN of the appropriate Datadog tracer depending on your type of region:
| AWS REGIONS | LAYERS |
|---|
| Commercial | arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-java:14 |
| GovCloud | arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-java:14 |
In each ARN, replace <AWS_REGION> with a valid AWS region, such as us-east-1.
Replace <DATADOG_EXTENSION_ARN> with the ARN of the appropriate Datadog Lambda Extension for your region and architecture:
| AWS REGIONS | ARCHITECTURE | LAYERS |
|---|
| Commercial | x86_64 | arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension:57 |
| arm64 | arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM:57 |
| GovCloud | x86_64 | arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension:57 |
| arm64 | arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM:57 |
Replace <DATADOG_SITE> with
Replace <API_KEY> with the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, use DD_API_KEY instead of DD_API_KEY_SECRET_ARN and set the value to your Datadog API key in plaintext.
Full example
resource "aws_lambda_function" "lambda" {
"function_name" = ...
...
# Remember sure to choose the right layers based on your Lambda architecture and AWS regions
layers = [
"arn:aws:lambda:us-east-1:464622532012:layer:dd-trace-java:14",
"arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Extension:57"
]
environment {
variables = {
DD_SITE = datadoghq.com
DD_API_KEY_SECRET_ARN = "arn:aws..."
AWS_LAMBDA_EXEC_WRAPPER = "/opt/datadog_wrapper"
}
}
}
Install the Datadog Tracer
Configure the layers for your Lambda function using the ARN in the following format:
# Use this format for Lambda deployed in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-java:14
# Use this format for Lambda deployed in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-java:14
Replace <AWS_REGION> with a valid AWS region, such as us-east-1.
Install the Datadog Lambda Extension
Configure the layers for your Lambda function using the ARN in the following format:
# Use this format for x86-based Lambda deployed in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension:57
# Use this format for arm64-based Lambda deployed in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM:57
# Use this format for x86-based Lambda deployed in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension:57
# Use this format for arm64-based Lambda deployed in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM:57
Replace <AWS_REGION> with a valid AWS region, such as us-east-1.
Set the required environment variables
- Set
AWS_LAMBDA_EXEC_WRAPPER to /opt/datadog_wrapper. - Set
DD_SITE to - Set
DD_API_KEY_SECRET_ARN to the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, you can use DD_API_KEY instead and set the Datadog API key in plaintext.
What’s next?
- You can now view metrics, logs, and traces on the Serverless Homepage.
- Turn on threat monitoring to get alerted on attackers targeting your service.
- Submit a custom metric or APM span to monitor your business logic.
- See the troubleshooting guide if you have trouble collecting the telemetry
- See the advanced configurations to
- connect your telemetry using tags
- collect telemetry for Amazon API Gateway, SQS, etc.
- capture the Lambda request and response payloads
- link errors of your Lambda functions to your source code
- filter or scrub sensitive information from logs or traces
Further Reading
Additional helpful documentation, links, and articles:
