datadog-secret-backend is an implementation of the Datadog Agent Secrets Management executable supporting multiple backend secret providers.
This project is not FIPS compliant.
IMPORTANT NOTE: If you're using Agent version 7.70 or newer, setup is significantly simpler because the `datadog-secret-backend` binary is bundled inside the Agent itself. In that case you don't need to install or manage the binary separately; use the `secret_backend_type` and `secret_backend_config` options in your `datadog.yaml` file instead. This method of setup is not FIPS compliant either.
- For Agent versions before 7.70.0, you need to install the secret backend manually: follow the manual installation instructions below.
- Configure the backend type and its settings: refer to the supported backends section for more information.
- Reference secrets in your `datadog.yaml` file using the `ENC[backend_id:secret_id]` format (the Datadog Agent secrets management documentation explains how this works).
- Any necessary configuration is specified in a file named `datadog-secret-backend.yaml`, which must be located in the same directory as the installed `datadog-secret-backend` executable.
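The handle format above, resolved against a backend, as an added example in Python (not the project's own code): a constructed `file.json` secrets document stands in for a backend declared under the assumed backend id `local_json` in `datadog-secret-backend.yaml`, and every `ENC[backend_id:secret_id]` handle in a constructed `datadog.yaml` fragment is looked up, with unresolvable handles reported as errors instead of being silently replaced by an empty value.

```python
import json
import re
from typing import Dict, Tuple

# Handles in datadog.yaml take the form ENC[backend_id:secret_id].
HANDLE_RE = re.compile(r"ENC\[([^:\[\]]+):([^\[\]]+)\]")

# Constructed contents of a file.json backend's secrets file (placeholder values).
FILE_JSON_SECRETS = '{"api_key": "constructed-api-key-0000", "db_password": "constructed-db-pass"}'

# Constructed stand-in for backend ids declared in datadog-secret-backend.yaml -> loaded secrets (file.json only).
BACKENDS: Dict[str, Dict[str, str]] = {"local_json": json.loads(FILE_JSON_SECRETS)}

# Constructed datadog.yaml fragment; the last two handles are deliberately unresolvable.
DATADOG_YAML = """\
api_key: ENC[local_json:api_key]
password: ENC[local_json:db_password]
missing: ENC[local_json:no_such_secret]
wrong_backend: ENC[unknown:api_key]
"""

Secrets = Dict[str, Dict[str, str]]


def lookup(backend_id: str, secret_id: str, backends: Secrets) -> Tuple[str, str]:
    """Resolve one handle. Returns (value, error); exactly one of the two is non-empty,
    so a failed lookup can never be mistaken for an empty secret value."""
    backend = backends.get(backend_id)
    if backend is None:
        return "", f"unknown backend_id {backend_id!r}"
    if secret_id not in backend:
        return "", f"secret_id {secret_id!r} not found in backend {backend_id!r}"
    return backend[secret_id], ""


def resolve_config(text: str, backends: Secrets) -> Tuple[str, Dict[str, str]]:
    """Substitute every ENC[...] handle in a datadog.yaml fragment. Unresolvable
    handles are left in place and reported in the returned error map (keyed by
    handle) so the caller can refuse to start with a broken configuration."""
    errors: Dict[str, str] = {}

    def substitute(match: "re.Match[str]") -> str:
        value, err = lookup(match.group(1), match.group(2), backends)
        if err:
            errors[match.group(0)] = err
            return match.group(0)  # keep the handle visible rather than emit ""
        return value

    return HANDLE_RE.sub(substitute, text), errors
```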
| Backend | Provider | Description |
|---|---|---|
| aws.secrets | aws | Datadog secrets in AWS Secrets Manager |
| aws.ssm | aws | Datadog secrets in AWS Systems Manager Parameter Store |
| azure.keyvault | azure | Datadog secrets in Azure Key Vault |
| hashicorp.vault | hashicorp | Datadog secrets in HashiCorp Vault |
| file.json | file | Datadog secrets in local JSON files |
| file.yaml | file | Datadog secrets in local YAML files |
1. Make a new folder to hold all the files required for this module in one place (this example uses `datadog-secret-backend`):

   ```
   ## Linux
   mkdir -p /etc/datadog-secret-backend

   ## Windows
   mkdir 'C:\Program Files\datadog-secret-backend\'
   ```

2. Download the most recent version of the secret backend module from the latest release of this repo by running one of the commands below:

   ```
   ## Linux (amd64)
   curl -L https://github.com/DataDog/datadog-secret-backend/releases/download/v0.3.0/datadog-secret-backend-linux-amd64.tar.gz \
     -o /tmp/datadog-secret-backend-linux-amd64.tar.gz

   ## Linux (386)
   curl -L https://github.com/DataDog/datadog-secret-backend/releases/download/v0.3.0/datadog-secret-backend-linux-386.tar.gz \
     -o /tmp/datadog-secret-backend-linux-386.tar.gz

   ## Windows (amd64)
   Invoke-WebRequest https://github.com/DataDog/datadog-secret-backend/releases/download/v0.3.0/datadog-secret-backend-windows-amd64.zip -OutFile 'C:\Program Files\datadog-secret-backend\datadog-secret-backend-windows-amd64.zip'

   ## Windows (386)
   Invoke-WebRequest https://github.com/DataDog/datadog-secret-backend/releases/download/v0.3.0/datadog-secret-backend-windows-386.zip -OutFile 'C:\Program Files\datadog-secret-backend\datadog-secret-backend-windows-386.zip'
   ```

3. Once you have the file from the GitHub repo, unpack it to get the executable:

   ```
   ## Linux (amd64, change end of filename to "386" if needed)
   tar -xvzf /tmp/datadog-secret-backend-linux-amd64.tar.gz \
     -C /etc/datadog-secret-backend

   ## Windows (amd64, change end of filename to "386" if needed)
   Expand-Archive -LiteralPath 'C:\Program Files\datadog-secret-backend\datadog-secret-backend-windows-amd64.zip' -DestinationPath 'C:\Program Files\datadog-secret-backend\'
   ```

4. (Optional) Remove the downloaded archive:

   ```
   ## Linux
   rm /tmp/datadog-secret-backend-linux-amd64.tar.gz

   ## Windows
   Remove-Item 'C:\Program Files\datadog-secret-backend\datadog-secret-backend-windows-amd64.zip'
   ```

5. Update the executable to have the required Agent security permissions. The Agent checks the executable's owner and permissions before running it and refuses to use it if they are too permissive; on Linux it must be owned by the Agent user with owner-only permissions (for example `chmod 500`).

6. Provide the executable path to the Datadog Agent via the main `datadog.yaml` file using the `secret_backend_command` variable:

   ```
   ## datadog.yaml ##
   secret_backend_command: /etc/datadog-secret-backend/datadog-secret-backend
   ```

7. Provide a configuration for the secrets executable in `datadog-secret-backend.yaml`. Documentation for each supported provider describes its options.

Refer to each supported backend type's documentation for specific usage examples and configuration options.