Datadog Integration with AWS SSM Keystore

Pankaj negi
2 min read · Sep 24, 2020


If you have ever used Datadog, you have probably configured the YAML at the agent level to fetch metrics. What if you have SQL, Oracle, etc., where you need to connect to the database with credentials to fetch metrics (default or custom)? Mostly, people hard-code the credentials, which leaves them prone to compromise.

The recommended approach is to reference credentials through a password vault such as Azure Key Vault, AWS SSM Keystore, etc.

The Datadog agent is able to leverage the secrets package to call a user-provided executable to handle retrieval and decryption of secrets, which are then loaded in memory by the Agent. This approach allows users to rely on any secrets management backend (such as AWS SSM Vault, Azure Key Vault or AWS Secrets Manager), and select their preferred authentication method to establish initial trust with it.

I will give you a Python code snippet that can be used by Datadog to fetch credentials from the AWS SSM Keystore. Below are the key considerations:

  • Custom code is referenced from Datadog. This code can be written in Go, Python, etc. Ensure it is in executable form and copied into the designated DD folder with appropriate permissions (read this for more info: https://docs.datadoghq.com/agent/guide/secrets-management/?tab=linux)
  • The Python code will fetch the credential from SSM using the EC2 assumed role
  • The Datadog agent will load it (in encrypted form) and reference it to connect to the database
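The post promises a snippet but none survived in the text, so the following is an added example written for this page, not the author's own code. It implements the Agent-side contract described above: the Agent runs the executable, writes a JSON request such as `{"version": "1.0", "secrets": ["handle1", "handle2"]}` on stdin, and expects on stdout a JSON object mapping each handle to `{"value": ..., "error": ...}`. The SSM lookup is a separate function so the protocol handling can be exercised offline; `boto3` being installed on the host, the parameter names, and the per-secret error wording are assumptions of this example. On EC2 the boto3 default credential chain uses the instance profile role, which is how the lookup runs under the EC2 assumed role without any access keys in the script.

```python
#!/usr/bin/env python3
"""Datadog secret backend: resolves ENC[...] handles from AWS SSM Parameter Store.

Added example for this post (not the author's snippet). The Agent executes this
script, sends a JSON request on stdin and reads a JSON response on stdout.
"""
import json
import sys
from typing import Callable, Dict, List

# Datadog secrets protocol version this script understands.
SUPPORTED_VERSION = "1.0"


def fetch_from_ssm(name: str) -> str:
    """Read one SecureString parameter from SSM, decrypted with its KMS key.

    boto3 is imported lazily so the script only needs it when talking to AWS
    (assumption: boto3 is installed on the Agent host). No credentials are set
    here on purpose: on EC2 the default credential chain picks up the instance
    profile role, so the instance role needs ssm:GetParameter on the parameter
    and kms:Decrypt on the key that encrypts it.
    """
    import boto3  # type: ignore

    ssm = boto3.client("ssm")
    response = ssm.get_parameter(Name=name, WithDecryption=True)
    return response["Parameter"]["Value"]


def parse_request(raw: str) -> List[str]:
    """Validate the Agent's request and return the list of secret handles.

    Raises ValueError on malformed JSON (json.JSONDecodeError is a ValueError),
    an unsupported protocol version, or a non-list 'secrets' field.
    """
    request = json.loads(raw)
    version = request.get("version")
    if version != SUPPORTED_VERSION:
        raise ValueError(f"unsupported secrets protocol version: {version!r}")
    handles = request.get("secrets")
    if not isinstance(handles, list) or not all(isinstance(h, str) for h in handles):
        raise ValueError("request field 'secrets' must be a list of strings")
    return handles


def resolve_secrets(handles: List[str],
                    fetch: Callable[[str], str] = fetch_from_ssm) -> Dict[str, dict]:
    """Resolve every handle independently.

    A handle that cannot be read gets {"value": null, "error": "<reason>"}
    instead of aborting the batch, so one bad parameter name does not take
    down every integration on the host. The secret value itself is never
    placed in the error string, which the Agent may log.
    """
    result: Dict[str, dict] = {}
    for handle in handles:
        try:
            result[handle] = {"value": fetch(handle), "error": None}
        except Exception as exc:  # report per secret, never crash the backend
            result[handle] = {"value": None, "error": f"{type(exc).__name__}: {exc}"}
    return result


def main() -> int:
    try:
        handles = parse_request(sys.stdin.read())
    except ValueError as exc:
        # A malformed request is a configuration bug; fail loudly with no output.
        print(f"invalid request: {exc}", file=sys.stderr)
        return 1
    json.dump(resolve_secrets(handles), sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To wire it in, point `secret_backend_command` in `datadog.yaml` at the script (for example `/etc/datadog-agent/secrets/ssm_backend.py`, a path assumed here) and reference the parameter in the integration config as `password: "ENC[/datadog/sqlserver/password]"`; the Agent replaces the handle in memory at load time. The Agent refuses to run a backend that other users can read or execute, so the file must be owned by the Agent's user with permissions restricted to that user, which is the permission requirement the first bullet refers to.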
