Commit bba8f71

Support fetching API Key from secrets manager
1 parent ce4c3bd commit bba8f71

2 files changed

+15
-11
lines changed

README.md

Lines changed: 4 additions & 2 deletions
@@ -56,9 +56,11 @@ functions:
5656
5757
## Environment Variables
5858
59-
The Datadog API must be defined as an environment variable via [AWS CLI](https://docs.aws.amazon.com/lambda/latest/dg/env_variables.html) or [Serverless Framework](https://serverless-stack.com/chapters/serverless-environment-variables.html):
59+
The Datadog API Key must be defined as one of the following environment variables via [AWS CLI](https://docs.aws.amazon.com/lambda/latest/dg/env_variables.html) or [Serverless Framework](https://serverless-stack.com/chapters/serverless-environment-variables.html):
6060
61-
- DD_API_KEY or DD_KMS_API_KEY (if encrypted by KMS)
61+
- DD_API_KEY
62+
- DD_KMS_API_KEY - the KMS-encrypted API Key, requires the `kms:Decrypt` permission
63+
- DD_API_KEY_SECRET_ARN - the Secret ARN to fetch API Key from the Secrets Manager, requires the `secretsmanager:GetSecretValue` permission (also requires `kms:Decrypt` if using a custom CMK)
6264

6365
You can also supply or override the API key at runtime:
6466
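Review bot: The `DD_API_KEY_SECRET_ARN` bullet (new line 63) does not say what the secret must contain or which variable wins when more than one is set. The metric.py change in this commit assigns the whole `SecretString` to the API key and checks the secret ARN first, then `DD_KMS_API_KEY`, then `DD_API_KEY`, so the README should state that the secret holds the plaintext API key (not a JSON key/value document) and list that precedence. `DATADOG_API_KEY` is still read by the code but is not listed among the variables here.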

datadog_lambda/metric.py

Lines changed: 11 additions & 9 deletions
@@ -107,18 +107,20 @@ def submit_errors_metric(lambda_context):
107107
)
108108

109109

110-
# Decrypt code should run once and variables stored outside of the function
111-
# handler so that these are decrypted once per container
110+
# Set API Key and Host in the module, so they only set once per container
111+
DD_API_KEY_SECRET_ARN = os.environ.get("DD_API_KEY_SECRET_ARN", "")
112112
DD_KMS_API_KEY = os.environ.get("DD_KMS_API_KEY", "")
113-
if DD_KMS_API_KEY:
114-
DD_KMS_API_KEY = boto3.client("kms").decrypt(
113+
DD_API_KEY = os.environ.get("DD_API_KEY", os.environ.get("DATADOG_API_KEY", ""))
114+
if DD_API_KEY_SECRET_ARN:
115+
api._api_key = boto3.client("secretsmanager").get_secret_value(
116+
SecretId=DD_API_KEY_SECRET_ARN
117+
)["SecretString"]
118+
elif DD_KMS_API_KEY:
119+
api._api_key = boto3.client("kms").decrypt(
115120
CiphertextBlob=base64.b64decode(DD_KMS_API_KEY)
116121
)["Plaintext"]
117-
118-
# Set API Key and Host in the module, so they only set once per container
119-
api._api_key = os.environ.get(
120-
"DATADOG_API_KEY", os.environ.get("DD_API_KEY", DD_KMS_API_KEY)
121-
)
122+
else:
123+
api._api_key = DD_API_KEY
122124
logger.debug("Setting DATADOG_API_KEY of length %d", len(api._api_key))
123125

124126
# Set DATADOG_HOST, to send data to a non-default Datadog datacenter
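Review bot: The new `if`/`elif`/`else` chain (new lines 114-123) changes which key wins when several variables are set: the removed code looked up `DATADOG_API_KEY`, then `DD_API_KEY`, and used the KMS-decrypted value only as the fallback, while the new code prefers the secret ARN, then KMS, and reads `DD_API_KEY` before `DATADOG_API_KEY`. If the new order is intended, state it in the commit message and README; otherwise keep the plaintext variables first so existing deployments resolve the same key. Separately, `get_secret_value(...)["SecretString"]` runs at module import with no error handling, so a missing `secretsmanager:GetSecretValue` permission or a secret stored as binary (which has no `SecretString` field) makes the import itself fail; catching the error and logging a clear message would make that failure easier to diagnose. The new comment on line 110 should read "so they are only set once per container".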
