Support fetching API Key from secrets manager #29
Merged
merged 1 commit into from
Nov 14, 2019
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -56,9 +56,11 @@ functions:
## Environment Variables
The Datadog API must be defined as an environment variable via [AWS CLI](https://docs.aws.amazon.com/lambda/latest/dg/env_variables.html) or [Serverless Framework](https://serverless-stack.com/chapters/serverless-environment-variables.html):
The Datadog API Key must be defined as one of the following environment variables via [AWS CLI](https://docs.aws.amazon.com/lambda/latest/dg/env_variables.html) or [Serverless Framework](https://serverless-stack.com/chapters/serverless-environment-variables.html):
- DD_API_KEY or DD_KMS_API_KEY (if encrypted by KMS)
- DD_API_KEY
- DD_KMS_API_KEY - the KMS-encrypted API Key, requires the `kms:Decrypt` permission
- DD_API_KEY_SECRET_ARN - the Secret ARN to fetch API Key from the Secrets Manager, requires the `secretsmanager:GetSecretValue` permission (also requires `kms:Decrypt` if using a custom CMK)

You can also supply or override the API key at runtime:

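Review bot: the new list does not say which variable wins when more than one is set (the metric.py change in this PR checks `DD_API_KEY_SECRET_ARN` first, then `DD_KMS_API_KEY`, then `DD_API_KEY`), and the `DD_API_KEY_SECRET_ARN` bullet should state that the secret must be stored as a plain string, because the value is read directly from `SecretString`; a secret created as key/value pairs would be sent as the raw JSON document. Suggest adding a sentence such as "If several are set, `DD_API_KEY_SECRET_ARN` takes precedence over `DD_KMS_API_KEY`, which takes precedence over `DD_API_KEY`", and "the secret value must be the API key itself, not a JSON object".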
20 changes: 11 additions & 9 deletions datadog_lambda/metric.py
Expand Up @@ -107,18 +107,20 @@ def submit_errors_metric(lambda_context):
)


# Decrypt code should run once and variables stored outside of the function
# handler so that these are decrypted once per container
# Set API Key and Host in the module, so they only set once per container
DD_API_KEY_SECRET_ARN = os.environ.get("DD_API_KEY_SECRET_ARN", "")
DD_KMS_API_KEY = os.environ.get("DD_KMS_API_KEY", "")
if DD_KMS_API_KEY:
DD_KMS_API_KEY = boto3.client("kms").decrypt(
DD_API_KEY = os.environ.get("DD_API_KEY", os.environ.get("DATADOG_API_KEY", ""))
if DD_API_KEY_SECRET_ARN:
api._api_key = boto3.client("secretsmanager").get_secret_value(
SecretId=DD_API_KEY_SECRET_ARN
)["SecretString"]
elif DD_KMS_API_KEY:
api._api_key = boto3.client("kms").decrypt(
CiphertextBlob=base64.b64decode(DD_KMS_API_KEY)
)["Plaintext"]

# Set API Key and Host in the module, so they only set once per container
api._api_key = os.environ.get(
"DATADOG_API_KEY", os.environ.get("DD_API_KEY", DD_KMS_API_KEY)
)
else:
api._api_key = DD_API_KEY
logger.debug("Setting DATADOG_API_KEY of length %d", len(api._api_key))

# Set DATADOG_HOST, to send data to a non-default Datadog datacenter
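Review bot: the `get_secret_value` and `decrypt` calls at the top of this hunk run at import time with no error handling, so a missing `secretsmanager:GetSecretValue` permission, a wrong ARN, or a secret stored without a `SecretString` (binary secrets raise `KeyError` here) fails module load and therefore every invocation of the Lambda, not just metric submission; consider wrapping the lookup in a try/except that logs the failure and falls back to `DD_API_KEY`. Two smaller points: the precedence changes silently, since `DD_API_KEY_SECRET_ARN` and `DD_KMS_API_KEY` now win over a plain `DD_API_KEY`, and `DD_API_KEY` now wins over `DATADOG_API_KEY` (the removed lines checked `DATADOG_API_KEY` first), which deserves a changelog entry; and the two branches yield different types, `SecretString` is a `str` while the KMS `Plaintext` is `bytes`, so decoding the KMS result (for example `["Plaintext"].decode("utf-8")`) would keep `api._api_key` consistent for the `len()` in the debug log and for whatever sends it.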