datadog-secret-backend is an implementation of the Datadog Agent Secrets Management executable supporting multiple backend secret providers.

| Backend | Provider | Description |
|---|---|---|
| aws.secrets | aws | Datadog secrets in AWS Secrets Manager |
| aws.ssm | aws | Datadog secrets in AWS Systems Manager Parameter Store |
| azure.keyvault | azure | Datadog secrets in Azure Key Vault |
| hashicorp.vault | hashicorp | Datadog secrets in Hashicorp Vault |
| file.json | file | Datadog secrets in local JSON files |
| file.yaml | file | Datadog secrets in local YAML files |

- Make a new folder to hold all the files required for this module in one place (this example uses `datadog-secret-backend`):

  ```
  ## Linux
  mkdir -p /etc/datadog-secret-backend

  ## Windows
  mkdir 'C:\Program Files\datadog-secret-backend\'
  ```

- Download the most recent version of the secret backend module from this repo's latest release endpoint by running one of the commands below:

  ```
  ## Linux (amd64)
  curl -L https://github.com/DataDog/datadog-secret-backend/releases/latest/download/datadog-secret-backend-linux-amd64.tar.gz \
    -o /tmp/datadog-secret-backend-linux-amd64.tar.gz

  ## Linux (386)
  curl -L https://github.com/DataDog/datadog-secret-backend/releases/latest/download/datadog-secret-backend-linux-386.tar.gz \
    -o /tmp/datadog-secret-backend-linux-386.tar.gz

  ## Windows (amd64)
  Invoke-WebRequest https://github.com/DataDog/datadog-secret-backend/releases/latest/download/datadog-secret-backend-windows-amd64.zip -OutFile 'C:\Program Files\datadog-secret-backend\datadog-secret-backend-windows-amd64.zip'

  ## Windows (386)
  Invoke-WebRequest https://github.com/DataDog/datadog-secret-backend/releases/latest/download/datadog-secret-backend-windows-386.zip -OutFile 'C:\Program Files\datadog-secret-backend\datadog-secret-backend-windows-386.zip'
  ```

- Once you have the file from the GitHub repo, extract it to get the executable:

  ```
  ## Linux (amd64, change end of filename to "386" if needed)
  tar -xvzf /tmp/datadog-secret-backend-linux-amd64.tar.gz \
    -C /etc/datadog-secret-backend

  ## Windows (amd64, change end of filename to "386" if needed)
  Expand-Archive -LiteralPath 'C:\Program Files\datadog-secret-backend\datadog-secret-backend-windows-amd64.zip' -DestinationPath 'C:\Program Files\datadog-secret-backend\'
  ```

- (Optional) Remove the downloaded archive:

  ```
  ## Linux
  rm /tmp/datadog-secret-backend-linux-amd64.tar.gz

  ## Windows
  Remove-Item 'C:\Program Files\datadog-secret-backend\datadog-secret-backend-windows-amd64.zip'
  ```

- Update the executable to have the required permissions. The Datadog Agent expects the executable to be usable only by the `dd-agent` user on Linux and the `ddagentuser` user on Windows.

  ```
  ## Linux
  chown dd-agent:root /etc/datadog-secret-backend/datadog-secret-backend
  chmod 500 /etc/datadog-secret-backend/datadog-secret-backend

  ## Windows
  1) Right click on the "datadog-secret-backend.exe" and select "Properties".
  2) Click on the Security tab.
  3) Edit the permissions, disable permission inheritance, and then remove all existing permissions.
  4) Add full access to the "ddagentuser" and save your permissions.
  ```

- Provide the executable path to the Datadog Agent in the main `datadog.yaml` file using the `secret_backend_command` variable:

  ```
  ## datadog.yaml ##

  secret_backend_command: /etc/datadog-secret-backend/datadog-secret-backend
  ```

- Provide a configuration for the secrets executable. Documentation for each supported provider can be found here.

Refer to each supported backend type's documentation for specific usage examples and configuration options.
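
To confirm on Linux that the permissions step above took effect, the following check tests that the executable is a regular file owned by the expected user, owner-executable, and closed to group and other. It is an added example, not part of the datadog-secret-backend project; the function name `check_backend_perms` is hypothetical and GNU coreutils `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the datadog-secret-backend project).
# check_backend_perms is a hypothetical helper name; GNU coreutils stat is assumed.
#
# Usage: check_backend_perms <path> [expected-owner]
# Returns 0 if the file matches what the chown/chmod step sets up, 1 otherwise.
check_backend_perms() {
    path=$1
    want_owner=${2:-dd-agent}
    rc=0

    # Check the real file, not a link that could be repointed later.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL: $path is not a regular file" >&2
        return 1
    fi

    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")   # octal digits, e.g. 500

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner" >&2
        rc=1
    fi
    # Any group or other bit means another account can read or run the file.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants group/other access" >&2
        rc=1
    fi
    # The owner must be able to execute it.
    if [ $(( 0$mode & 0100 )) -eq 0 ]; then
        echo "FAIL: mode $mode is not owner-executable" >&2
        rc=1
    fi
    # Write access is not needed at run time (the step above uses 500).
    if [ $(( 0$mode & 0200 )) -ne 0 ]; then
        echo "WARN: mode $mode leaves the file owner-writable" >&2
    fi
    return $rc
}

# Example call for the paths used on this page:
# check_backend_perms /etc/datadog-secret-backend/datadog-secret-backend dd-agent
```

Findings go to stderr and the return code is non-zero on any failure, so the function can gate a provisioning script or a configuration-management run.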