From 50eed308014ca76ec0a0b273402cec5de0aa90df Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Wed, 6 Aug 2025 11:37:09 +0200 Subject: [PATCH 01/11] Add documentation for cloud-provider authentication preview feature --- .../cloud_provider_authentication.md | 124 ++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 content/en/account_management/cloud_provider_authentication.md diff --git a/content/en/account_management/cloud_provider_authentication.md b/content/en/account_management/cloud_provider_authentication.md new file mode 100644 index 0000000000000..95ec6a2bd3b3d --- /dev/null +++ b/content/en/account_management/cloud_provider_authentication.md 
@@ -0,0 +1,124 @@ +--- +title: Cloud-provider Based Authentication +aliases: + - /account_management/cloud_authentication/ +algolia: + tags: ['cloud authentication', 'aws authentication', 'terraform provider'] +--- + +# Overview + +Cloud-provider based authentication allows you to authenticate the Datadog Terraform provider using cloud provider credentials instead of static API and Application keys. This feature leverages your existing cloud identity and access management (IAM) systems to provide secure, temporary authentication to Datadog APIs. + +Currently, it only supports **AWS** authentication, with additional cloud providers planned for future releases. + +{{< callout url="https://www.datadoghq.com/product-preview/cloud-provider-authentication/" btn_hidden="false" header="Join the Preview!" >}} +Cloud-provider based authentication is in Preview. Complete the form to request access. +{{< /callout >}} + +## Benefits + +Cloud-provider based authentication offers several advantages over traditional API and Application key authentication: + +- **Reduced key management overhead**: Eliminates the need to manage and rotate static API and Application keys, +- **Enhanced security**: Leverages your cloud provider's robust IAM and temporary credential systems, +- **Seamless integration**: Works with your existing cloud roles and policies without additional credential management, + +## How it works for AWS + +The authentication process uses AWS Security Token Service (STS) to verify your identity: + +1. **Proof generation**: The Datadog Terraform provider creates a signed AWS STS `GetCallerIdentity` request using your current AWS credentials +2. **Proof validation**: Datadog validates the proof by calling AWS STS, which returns your AWS ARN, User ID, and Account ID +3. **Identity mapping**: Your AWS identity is mapped to a Datadog user account based on your organization's configuration +4. 
**Token issuance**: If validation succeeds, Datadog issues a temporary JWT token for API access +5. **API authentication**: The token is used for subsequent Datadog API calls + +## AWS Setup + +Setting up cloud-provider based authentication for AWS involves two main steps: + +### 1. Configure AWS identity mapping in Datadog + +First, you need to map your AWS identities (ARNs) to Datadog user accounts. Currently, this must be done using the Datadog API. + +**Create a new AWS identity mapping:** + +```bash +curl -X POST "https://api.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ +-H "Content-Type: application/json" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ +-d '{ + "data": { + "type": "aws_cloud_auth_config", + "attributes": { + "account_identifier": "terraform-service-account@myorg.com", + "arn_pattern": "arn:aws:sts::123456789012:assumed-role/terraform-runner" + } + } +}' +``` + +**List existing mappings:** + +```bash +curl -X GET "https://api.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" +``` + +**Note**: To use these APIs, you need the `cloud_auth_config_read` and `cloud_auth_config_write` permissions. + +### 2. 
Update your Terraform provider configuration + +Once you've configured the identity mapping, update your Datadog Terraform provider configuration to use cloud-provider authentication: + +**Replace your existing configuration:** + +```hcl +# Old configuration +provider "datadog" { + api_key = var.datadog_api_key + app_key = var.datadog_app_key +} +``` + +**With the new cloud authentication configuration:** + +```hcl +# New configuration using AWS authentication +provider "datadog" { + org_uuid = var.datadog_org_uuid + cloud_provider_type = "aws" +} +``` + +**Optional: Specify AWS credentials explicitly:** + +If you need to specify AWS credentials directly in your Terraform configuration instead of using environment variables or AWS credential files: + +```hcl +provider "datadog" { + org_uuid = var.datadog_org_uuid + cloud_provider_type = "aws" + aws_access_key_id = var.aws_access_key_id + aws_secret_access_key = var.aws_secret_access_key + aws_session_token = var.aws_session_token # If using temporary credentials +} +``` + +The Terraform provider will automatically use your configured AWS credentials to authenticate with Datadog. + + +## API Reference + +For detailed API documentation, see: +- [Cloud Authentication Configuration API](/api/latest/cloud-authentication/) +- [Delegated Token Generation API](/api/latest/authentication-tokens/) + +## Further reading + +- [Managing Datadog with Terraform](/getting_started/integrations/terraform/) +- [API and Application Keys](/account_management/api-app-keys/) +- [AWS Integration](/integrations/amazon_web_services/) \ No newline at end of file From 800a55b1d322dc1f99775d12bec9bda244d1feaa Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Wed, 6 Aug 2025 12:28:26 +0200 Subject: [PATCH 02/11] Improve language --- .../cloud_provider_authentication.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/content/en/account_management/cloud_provider_authentication.md b/content/en/account_management/cloud_provider_authentication.md index 95ec6a2bd3b3d..d9413a1884ec1 100644 --- a/content/en/account_management/cloud_provider_authentication.md +++ b/content/en/account_management/cloud_provider_authentication.md @@ -10,7 +10,7 @@ algolia: Cloud-provider based authentication allows you to authenticate the Datadog Terraform provider using cloud provider credentials instead of static API and Application keys. This feature leverages your existing cloud identity and access management (IAM) systems to provide secure, temporary authentication to Datadog APIs. -Currently, it only supports **AWS** authentication, with additional cloud providers planned for future releases. +It first only supports **AWS** authentication, with additional cloud providers planned for future releases. {{< callout url="https://www.datadoghq.com/product-preview/cloud-provider-authentication/" btn_hidden="false" header="Join the Preview!" >}} Cloud-provider based authentication is in Preview. Complete the form to request access. @@ -34,13 +34,13 @@ The authentication process uses AWS Security Token Service (STS) to verify your 4. **Token issuance**: If validation succeeds, Datadog issues a temporary JWT token for API access 5. **API authentication**: The token is used for subsequent Datadog API calls -## AWS Setup +## AWS setup Setting up cloud-provider based authentication for AWS involves two main steps: ### 1. Configure AWS identity mapping in Datadog -First, you need to map your AWS identities (ARNs) to Datadog user accounts. Currently, this must be done using the Datadog API. +First, you need to map your AWS identities (ARNs) to Datadog user accounts. During the preview, this must be done using the Datadog API. **Create a new AWS identity mapping:** 
@@ -72,7 +72,7 @@ curl -X GET "https://api.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ ### 2. Update your Terraform provider configuration -Once you've configured the identity mapping, update your Datadog Terraform provider configuration to use cloud-provider authentication: +After you've configured the identity mapping, update your Datadog Terraform provider configuration to use cloud-provider authentication: **Replace your existing configuration:** @@ -108,10 +108,10 @@ provider "datadog" { } ``` -The Terraform provider will automatically use your configured AWS credentials to authenticate with Datadog. +The Terraform provider automatically uses your configured AWS credentials to authenticate with Datadog. -## API Reference +## API reference For detailed API documentation, see: - [Cloud Authentication Configuration API](/api/latest/cloud-authentication/) From 1e65d40bfc07a2886eae4bb8ad240ff71d1f28c9 Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Wed, 6 Aug 2025 12:40:53 +0200 Subject: [PATCH 03/11] restructure the documentation --- .../cloud_provider_authentication.md | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/content/en/account_management/cloud_provider_authentication.md b/content/en/account_management/cloud_provider_authentication.md index d9413a1884ec1..bfa8186dfb694 100644 --- a/content/en/account_management/cloud_provider_authentication.md +++ b/content/en/account_management/cloud_provider_authentication.md 
@@ -6,41 +6,35 @@ algolia: tags: ['cloud authentication', 'aws authentication', 'terraform provider'] --- -# Overview - -Cloud-provider based authentication allows you to authenticate the Datadog Terraform provider using cloud provider credentials instead of static API and Application keys. This feature leverages your existing cloud identity and access management (IAM) systems to provide secure, temporary authentication to Datadog APIs. - -It first only supports **AWS** authentication, with additional cloud providers planned for future releases. - {{< callout url="https://www.datadoghq.com/product-preview/cloud-provider-authentication/" btn_hidden="false" header="Join the Preview!" >}} Cloud-provider based authentication is in Preview. Complete the form to request access. {{< /callout >}} -## Benefits +## Overview -Cloud-provider based authentication offers several advantages over traditional API and Application key authentication: +Cloud-provider based authentication allows you to authenticate the Datadog Terraform provider using cloud provider credentials instead of static API and Application keys. This feature leverages your existing cloud identity and access management systems to provide secure and temporary authentication to Datadog APIs. -- **Reduced key management overhead**: Eliminates the need to manage and rotate static API and Application keys, -- **Enhanced security**: Leverages your cloud provider's robust IAM and temporary credential systems, -- **Seamless integration**: Works with your existing cloud roles and policies without additional credential management, +The preview supports only **AWS**, with other cloud providers planned for future releases. ## How it works for AWS -The authentication process uses AWS Security Token Service (STS) to verify your identity: +The authentication process uses [AWS Security Token Service (STS)](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) to verify your identity: 1. 
**Proof generation**: The Datadog Terraform provider creates a signed AWS STS `GetCallerIdentity` request using your current AWS credentials 2. **Proof validation**: Datadog validates the proof by calling AWS STS, which returns your AWS ARN, User ID, and Account ID -3. **Identity mapping**: Your AWS identity is mapped to a Datadog user account based on your organization's configuration +3. **Identity mapping**: Your AWS identity is mapped to a Datadog service account or user account based on your organization's configuration 4. **Token issuance**: If validation succeeds, Datadog issues a temporary JWT token for API access 5. **API authentication**: The token is used for subsequent Datadog API calls +**Note**: We recommend to map your ARNs to a Datadog Service account. + ## AWS setup Setting up cloud-provider based authentication for AWS involves two main steps: ### 1. Configure AWS identity mapping in Datadog -First, you need to map your AWS identities (ARNs) to Datadog user accounts. During the preview, this must be done using the Datadog API. +First, you need to map your AWS identities (ARNs) to Datadog service accounts or user accounts. During the preview, this must be done using the Datadog API. **Create a new AWS identity mapping:** From 81f59e5ad26b07ae1e83cf2902f31e548ca599a8 Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Wed, 6 Aug 2025 12:52:47 +0200 Subject: [PATCH 04/11] add cloud provider based authentication to the main menu --- config/_default/menus/main.en.yaml | 5 +++++ config/_default/menus/main.es.yaml | 5 +++++ config/_default/menus/main.fr.yaml | 5 +++++ config/_default/menus/main.ja.yaml | 5 +++++ config/_default/menus/main.ko.yaml | 5 +++++ 5 files changed, 25 insertions(+) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 58d36ab9f003e..ff02732f5676f 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml 
@@ -8000,6 +8000,11 @@ menu: url: account_management/guide/ parent: account_management weight: 14 + - name: Cloud-provider Based Authentication + identifier: account_management_cloud_auth + url: account_management/cloud_provider_authentication/ + parent: account_management + weight: 15 - name: Data Security url: data_security/ pre: security-lock diff --git a/config/_default/menus/main.es.yaml b/config/_default/menus/main.es.yaml index 251e066284767..4a6452289a3c4 100644 --- a/config/_default/menus/main.es.yaml +++ b/config/_default/menus/main.es.yaml @@ -6849,6 +6849,11 @@ menu: parent: account_management_scim url: account_management/scim/azure weight: 502 + - identifier: account_management_cloud_auth + name: Autenticación basada en proveedor en la nube + parent: account_management + url: account_management/cloud_provider_authentication/ + weight: 5.5 - identifier: account_management_api_app_keys name: Claves de aplicaciones y API parent: account_management diff --git a/config/_default/menus/main.fr.yaml b/config/_default/menus/main.fr.yaml index 82b312ddb5b05..aea075d16d824 100644 --- a/config/_default/menus/main.fr.yaml +++ b/config/_default/menus/main.fr.yaml @@ -6433,6 +6433,11 @@ menu: url: account_management/scim/azure parent: account_management_scim weight: 502 + - name: Authentification basée sur le fournisseur cloud + identifier: account_management_cloud_auth + url: account_management/cloud_provider_authentication/ + parent: account_management + weight: 5.5 - name: API and Application Keys identifier: account_management_api_app_keys url: account_management/api-app-keys/ diff --git a/config/_default/menus/main.ja.yaml b/config/_default/menus/main.ja.yaml index 15991022563b9..2ee6b1543c94b 100644 --- a/config/_default/menus/main.ja.yaml +++ b/config/_default/menus/main.ja.yaml 
@@ -6448,6 +6448,11 @@ menu: url: account_management/scim/azure parent: account_management_scim weight: 502 + - name: クラウドプロバイダーベース認証 + identifier: account_management_cloud_auth + url: account_management/cloud_provider_authentication/ + parent: account_management + weight: 5.5 - name: API and Application Keys identifier: account_management_api_app_keys url: account_management/api-app-keys/ diff --git a/config/_default/menus/main.ko.yaml b/config/_default/menus/main.ko.yaml index ac5dcbe60227f..48acb43da6f82 100644 --- a/config/_default/menus/main.ko.yaml +++ b/config/_default/menus/main.ko.yaml @@ -6453,6 +6453,11 @@ menu: url: account_management/scim/azure parent: account_management_scim weight: 502 + - name: 클라우드 공급자 기반 인증 + identifier: account_management_cloud_auth + url: account_management/cloud_provider_authentication/ + parent: account_management + weight: 5.5 - name: API 및 애플리케이션 키 identifier: account_management_api_app_keys url: account_management/api-app-keys/ From 06eb79c067bed66af53fc2f76df11d46cecf36ef Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Wed, 6 Aug 2025 12:55:18 +0200 Subject: [PATCH 05/11] remove cloud-based from other languages than en --- config/_default/menus/main.es.yaml | 5 ----- config/_default/menus/main.fr.yaml | 5 ----- config/_default/menus/main.ja.yaml | 5 ----- config/_default/menus/main.ko.yaml | 5 ----- 4 files changed, 20 deletions(-) diff --git a/config/_default/menus/main.es.yaml b/config/_default/menus/main.es.yaml index 4a6452289a3c4..251e066284767 100644 --- a/config/_default/menus/main.es.yaml +++ b/config/_default/menus/main.es.yaml 
@@ -6849,11 +6849,6 @@ menu: parent: account_management_scim url: account_management/scim/azure weight: 502 - - identifier: account_management_cloud_auth - name: Autenticación basada en proveedor en la nube - parent: account_management - url: account_management/cloud_provider_authentication/ - weight: 5.5 - identifier: account_management_api_app_keys name: Claves de aplicaciones y API parent: account_management diff --git a/config/_default/menus/main.fr.yaml b/config/_default/menus/main.fr.yaml index aea075d16d824..82b312ddb5b05 100644 --- a/config/_default/menus/main.fr.yaml +++ b/config/_default/menus/main.fr.yaml @@ -6433,11 +6433,6 @@ menu: url: account_management/scim/azure parent: account_management_scim weight: 502 - - name: Authentification basée sur le fournisseur cloud - identifier: account_management_cloud_auth - url: account_management/cloud_provider_authentication/ - parent: account_management - weight: 5.5 - name: API and Application Keys identifier: account_management_api_app_keys url: account_management/api-app-keys/ diff --git a/config/_default/menus/main.ja.yaml b/config/_default/menus/main.ja.yaml index 2ee6b1543c94b..15991022563b9 100644 --- a/config/_default/menus/main.ja.yaml +++ b/config/_default/menus/main.ja.yaml @@ -6448,11 +6448,6 @@ menu: url: account_management/scim/azure parent: account_management_scim weight: 502 - - name: クラウドプロバイダーベース認証 - identifier: account_management_cloud_auth - url: account_management/cloud_provider_authentication/ - parent: account_management - weight: 5.5 - name: API and Application Keys identifier: account_management_api_app_keys url: account_management/api-app-keys/ diff --git a/config/_default/menus/main.ko.yaml b/config/_default/menus/main.ko.yaml index 48acb43da6f82..ac5dcbe60227f 100644 --- a/config/_default/menus/main.ko.yaml +++ b/config/_default/menus/main.ko.yaml 
@@ -6453,11 +6453,6 @@ menu: url: account_management/scim/azure parent: account_management_scim weight: 502 - - name: 클라우드 공급자 기반 인증 - identifier: account_management_cloud_auth - url: account_management/cloud_provider_authentication/ - parent: account_management - weight: 5.5 - name: API 및 애플리케이션 키 identifier: account_management_api_app_keys url: account_management/api-app-keys/ From f18cc58e98423030730126d60cb31d6dabf982f0 Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Wed, 6 Aug 2025 16:57:42 +0200 Subject: [PATCH 06/11] docs: improve cloud authentication setup with navigation and requirements --- .../cloud_provider_authentication.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/content/en/account_management/cloud_provider_authentication.md b/content/en/account_management/cloud_provider_authentication.md index bfa8186dfb694..8b0ba89416247 100644 --- a/content/en/account_management/cloud_provider_authentication.md +++ b/content/en/account_management/cloud_provider_authentication.md @@ -30,6 +30,8 @@ The authentication process uses [AWS Security Token Service (STS)](https://docs. ## AWS setup +**Requirements**: Datadog Terraform provider version 3.70 or later. + Setting up cloud-provider based authentication for AWS involves two main steps: ### 1. Configure AWS identity mapping in Datadog 
@@ -88,6 +90,44 @@ provider "datadog" { } ``` +**Note**: To get your `org_uuid`, call this endpoint or click the link (requires active session in target org): + +{{% site-region region="us" %}} +``` +https://app.datadoghq.com/api/v2/current_user +``` +{{% /site-region %}} + +{{% site-region region="eu1" %}} +``` +https://app.datadoghq.eu/api/v2/current_user +``` +{{% /site-region %}} + +{{% site-region region="us3" %}} +``` +https://us3.datadoghq.com/api/v2/current_user +``` +{{% /site-region %}} + +{{% site-region region="us5" %}} +``` +https://us5.datadoghq.com/api/v2/current_user +``` +{{% /site-region %}} + +{{% site-region region="ap1" %}} +``` +https://ap1.datadoghq.com/api/v2/current_user +``` +{{% /site-region %}} + +{{% site-region region="gov" %}} +``` +https://app.ddog-gov.com/api/v2/current_user +``` +{{% /site-region %}} + **Optional: Specify AWS credentials explicitly:** If you need to specify AWS credentials directly in your Terraform configuration instead of using environment variables or AWS credential files: From a769d03f083aea0b0922bf55e44d86bd06d5c4c0 Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Wed, 6 Aug 2025 17:00:20 +0200 Subject: [PATCH 07/11] simplify intro --- content/en/account_management/cloud_provider_authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/account_management/cloud_provider_authentication.md b/content/en/account_management/cloud_provider_authentication.md index 8b0ba89416247..7b4d3e2089692 100644 --- a/content/en/account_management/cloud_provider_authentication.md +++ b/content/en/account_management/cloud_provider_authentication.md 
@@ -12,7 +12,7 @@ Cloud-provider based authentication is in Preview. Complete the form to request ## Overview -Cloud-provider based authentication allows you to authenticate the Datadog Terraform provider using cloud provider credentials instead of static API and Application keys. This feature leverages your existing cloud identity and access management systems to provide secure and temporary authentication to Datadog APIs. +Cloud-provider based authentication lets you authenticate the Datadog Terraform provider using cloud credentials instead of static API and Application keys. The preview supports only **AWS**, with other cloud providers planned for future releases. From 018f2d469335c54f653accd7a405720fc346ddb3 Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Thu, 7 Aug 2025 07:38:21 +0200 Subject: [PATCH 08/11] fix site URLs --- .../cloud_provider_authentication.md | 28 ++++++------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/content/en/account_management/cloud_provider_authentication.md b/content/en/account_management/cloud_provider_authentication.md index 7b4d3e2089692..a2ade25c3f137 100644 --- a/content/en/account_management/cloud_provider_authentication.md +++ b/content/en/account_management/cloud_provider_authentication.md 
@@ -93,39 +93,27 @@ provider "datadog" { **Note**: To get your `org_uuid`, call this endpoint or click the link (requires active session in target org): {{% site-region region="us" %}} -``` -https://app.datadoghq.com/api/v2/current_user -``` +[https://app.datadoghq.com/api/v2/current_user](https://app.datadoghq.com/api/v2/current_user) {{% /site-region %}} -{{% site-region region="eu1" %}} -``` -https://app.datadoghq.eu/api/v2/current_user -``` +{{% site-region region="eu" %}} +[https://app.datadoghq.eu/api/v2/current_user](https://app.datadoghq.eu/api/v2/current_user) {{% /site-region %}} {{% site-region region="us3" %}} -``` -https://us3.datadoghq.com/api/v2/current_user -``` +[https://us3.datadoghq.com/api/v2/current_user](https://us3.datadoghq.com/api/v2/current_user) {{% /site-region %}} {{% site-region region="us5" %}} -``` -https://us5.datadoghq.com/api/v2/current_user -``` +[https://us5.datadoghq.com/api/v2/current_user](https://us5.datadoghq.com/api/v2/current_user) {{% /site-region %}} -{{% site-region region="ap1" %}} -``` -https://ap1.datadoghq.com/api/v2/current_user -``` +{{% site-region region="ap" %}} +[https://ap1.datadoghq.com/api/v2/current_user](https://ap1.datadoghq.com/api/v2/current_user) {{% /site-region %}} {{% site-region region="gov" %}} -``` -https://app.ddog-gov.com/api/v2/current_user -``` +[https://app.ddog-gov.com/api/v2/current_user](https://app.ddog-gov.com/api/v2/current_user) {{% /site-region %}} **Optional: Specify AWS credentials explicitly:** From 14564821a179a7f0ead664948e71010753c5bfb7 Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Thu, 7 Aug 2025 07:41:25 +0200 Subject: [PATCH 09/11] minor language fixes --- .../en/account_management/cloud_provider_authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/account_management/cloud_provider_authentication.md b/content/en/account_management/cloud_provider_authentication.md index a2ade25c3f137..519d0d6e18a60 100644 
--- a/content/en/account_management/cloud_provider_authentication.md +++ b/content/en/account_management/cloud_provider_authentication.md @@ -26,7 +26,7 @@ The authentication process uses [AWS Security Token Service (STS)](https://docs. 4. **Token issuance**: If validation succeeds, Datadog issues a temporary JWT token for API access 5. **API authentication**: The token is used for subsequent Datadog API calls -**Note**: We recommend to map your ARNs to a Datadog Service account. +**Note**: Prefer mapping ARNs to a Datadog Service account. ## AWS setup @@ -38,7 +38,7 @@ Setting up cloud-provider based authentication for AWS involves two main steps: First, you need to map your AWS identities (ARNs) to Datadog service accounts or user accounts. During the preview, this must be done using the Datadog API. -**Create a new AWS identity mapping:** +**Create an AWS identity mapping:** ```bash curl -X POST "https://api.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ From c6af040efb5493d05fa299914e08b330950c3c57 Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Thu, 7 Aug 2025 15:46:04 +0200 Subject: [PATCH 10/11] update the example based on user site --- .../cloud_provider_authentication.md | 134 ++++++++++++++++++ 1 file changed, 134 insertions(+) diff --git a/content/en/account_management/cloud_provider_authentication.md b/content/en/account_management/cloud_provider_authentication.md index 519d0d6e18a60..4600af5ecfae6 100644 --- a/content/en/account_management/cloud_provider_authentication.md +++ b/content/en/account_management/cloud_provider_authentication.md @@ -40,6 +40,7 @@ First, you need to map your AWS identities (ARNs) to Datadog service accounts or **Create an AWS identity mapping:** +{{% site-region region="us" %}} ```bash curl -X POST "https://api.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ -H "Content-Type: application/json" \ 
@@ -55,14 +56,147 @@ curl -X POST "https://api.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ } }' ``` +{{% /site-region %}} + +{{% site-region region="eu" %}} +```bash +curl -X POST "https://api.datadoghq.eu/api/v2/cloud_auth/aws/persona_mapping" \ +-H "Content-Type: application/json" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ +-d '{ + "data": { + "type": "aws_cloud_auth_config", + "attributes": { + "account_identifier": "terraform-service-account@myorg.com", + "arn_pattern": "arn:aws:sts::123456789012:assumed-role/terraform-runner" + } + } +}' +``` +{{% /site-region %}} + +{{% site-region region="us3" %}} +```bash +curl -X POST "https://api.us3.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ +-H "Content-Type: application/json" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ +-d '{ + "data": { + "type": "aws_cloud_auth_config", + "attributes": { + "account_identifier": "terraform-service-account@myorg.com", + "arn_pattern": "arn:aws:sts::123456789012:assumed-role/terraform-runner" + } + } +}' +``` +{{% /site-region %}} + +{{% site-region region="us5" %}} +```bash +curl -X POST "https://api.us5.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ +-H "Content-Type: application/json" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ +-d '{ + "data": { + "type": "aws_cloud_auth_config", + "attributes": { + "account_identifier": "terraform-service-account@myorg.com", + "arn_pattern": "arn:aws:sts::123456789012:assumed-role/terraform-runner" + } + } +}' +``` +{{% /site-region %}} + +{{% site-region region="ap" %}} +```bash +curl -X POST "https://api.ap1.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ +-H "Content-Type: application/json" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ +-d '{ + "data": { + "type": "aws_cloud_auth_config", + "attributes": { + "account_identifier": "terraform-service-account@myorg.com", + 
"arn_pattern": "arn:aws:sts::123456789012:assumed-role/terraform-runner" + } + } +}' +``` +{{% /site-region %}} + +{{% site-region region="gov" %}} +```bash +curl -X POST "https://api.ddog-gov.com/api/v2/cloud_auth/aws/persona_mapping" \ +-H "Content-Type: application/json" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ +-d '{ + "data": { + "type": "aws_cloud_auth_config", + "attributes": { + "account_identifier": "terraform-service-account@myorg.com", + "arn_pattern": "arn:aws:sts::123456789012:assumed-role/terraform-runner" + } + } +}' +``` +{{% /site-region %}} **List existing mappings:** +{{% site-region region="us" %}} ```bash curl -X GET "https://api.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" ``` +{{% /site-region %}} + +{{% site-region region="eu" %}} +```bash +curl -X GET "https://api.datadoghq.eu/api/v2/cloud_auth/aws/persona_mapping" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" +``` +{{% /site-region %}} + +{{% site-region region="us3" %}} +```bash +curl -X GET "https://api.us3.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" +``` +{{% /site-region %}} + +{{% site-region region="us5" %}} +```bash +curl -X GET "https://api.us5.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" +``` +{{% /site-region %}} + +{{% site-region region="ap" %}} +```bash +curl -X GET "https://api.ap1.datadoghq.com/api/v2/cloud_auth/aws/persona_mapping" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" +``` +{{% /site-region %}} + +{{% site-region region="gov" %}} +```bash +curl -X GET "https://api.ddog-gov.com/api/v2/cloud_auth/aws/persona_mapping" \ +-H "DD-API-KEY: ${DD_API_KEY}" \ +-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" +``` +{{% /site-region %}} 
**Note**: To use these APIs, you need the `cloud_auth_config_read` and `cloud_auth_config_write` permissions. From 9c18f8de2c8f8af6cc922123f88257082b337a51 Mon Sep 17 00:00:00 2001 From: Anthony Dagneaux Date: Thu, 7 Aug 2025 16:14:59 +0200 Subject: [PATCH 11/11] clarify that permissions are available only if org was added to the preview by datadog --- content/en/account_management/cloud_provider_authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/account_management/cloud_provider_authentication.md b/content/en/account_management/cloud_provider_authentication.md index 4600af5ecfae6..2ba02a676c0bc 100644 --- a/content/en/account_management/cloud_provider_authentication.md +++ b/content/en/account_management/cloud_provider_authentication.md @@ -198,7 +198,7 @@ curl -X GET "https://api.ddog-gov.com/api/v2/cloud_auth/aws/persona_mapping" \ ``` {{% /site-region %}} -**Note**: To use these APIs, you need the `cloud_auth_config_read` and `cloud_auth_config_write` permissions. +**Note**: To use these APIs, you need the `cloud_auth_config_read` and `cloud_auth_config_write` permissions. These permissions are available only after being onboarded to the preview. ### 2. Update your Terraform provider configuration
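Review bot: in patch 01 (`@@ -0,0 +1,124 @@`), the `arn_pattern` example `arn:aws:sts::123456789012:assumed-role/terraform-runner` is shown without saying how it is matched, and that mapping is the whole authorization boundary for the feature: an STS assumed-role ARN returned by `GetCallerIdentity` also carries a session name after the role name (`assumed-role/ROLE/SESSION`), so readers need to know whether the pattern is a prefix, a glob or an exact match, and therefore which sessions it admits. Add the matching rule next to the example. In the same hunk, the `Optional: Specify AWS credentials explicitly` block puts `aws_access_key_id` and `aws_secret_access_key` back into provider configuration, which reintroduces the static secrets the feature is meant to remove; a sentence saying that the environment or credential-file path already mentioned is the recommended one, and that the variables should be marked `sensitive` if this block is used at all, would keep the page consistent with its own Benefits section. Minor: the three Benefits bullets end in commas instead of periods, and the file has no trailing newline.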
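Review bot: in patch 02 (`@@ -10,7 +10,7 @@`), "It first only supports **AWS** authentication" reads awkwardly; "The preview currently supports only **AWS**" says the same thing plainly (patch 03 later rewrites this line to nearly that form, so the intermediate wording could simply be dropped when the series is squashed).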
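Review bot: in patch 03 (`@@ -6,41 +6,35 @@`), the new line "**Note**: We recommend to map your ARNs to a Datadog Service account." is ungrammatical ("recommend mapping") and gives no reason, so readers will treat the choice as cosmetic. State why: with a service account the Terraform identity inherits that account's permissions rather than a named person's, and the mapping does not break when that person leaves or changes role. Also note that removing the Benefits section drops the only sentence explaining the security motivation (no static keys to rotate); consider folding that one sentence into the new Overview rather than deleting it.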
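Review bot: in patch 04, the `main.es.yaml` hunk (`@@ -6849,6 +6849,11 @@`) and the fr/ja/ko hunks give the new entry `weight: 5.5` while `main.en.yaml` uses `weight: 15`, and all four non-English entries are deleted again in patch 05; squash 04 and 05 so the series does not add and then revert the same menu entries, and keep the surviving English entry's integer weight consistent with the neighbouring items.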
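Review bot: in patch 06 (`@@ -88,6 +90,44 @@`), the note "To get your `org_uuid`, call this endpoint or click the link" does not say which field of the `/api/v2/current_user` response holds the value, so name the JSON field readers should copy. The URLs sit in bare code fences, so there is nothing to click despite the wording (patch 08 turns them into links); and "requires active session in target org" should say that this means a logged-in browser session, since the rest of the page authenticates with API keys and the distinction is easy to miss.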
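Review bot: in patch 08 (`@@ -93,39 +93,27 @@`), the region identifiers change from `eu1` to `eu` and from `ap1` to `ap` while the hostnames stay `app.datadoghq.eu` and `ap1.datadoghq.com`; confirm the new identifiers match the values the `site-region` shortcode accepts elsewhere in the repository, because a mismatched identifier leaves that region's readers without an `org_uuid` link.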
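Review bot: in patch 09 (`@@ -26,7 +26,7 @@`), "Datadog Service account" capitalizes "Service" while the rest of the page writes "service account"; use the lowercase form here as well.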
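Review bot: in patch 10 (`@@ -55,14 +56,147 @@`), the six POST blocks and six GET blocks differ only in the API hostname, which is exactly the kind of duplication that drifted in patch 08 (region ids renamed while hostnames stayed); if the docs site offers a shortcode that substitutes the regional API hostname, one block per request using it would be easier to keep correct than twelve copies. If the copies stay, at least the shared body (`account_identifier`, `arn_pattern`) should be introduced once above them so a future change to the example does not have to be made six times.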
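Review bot: in patch 11 (`@@ -198,7 +198,7 @@`), "These permissions are available only after being onboarded to the preview" leaves it unclear who does the onboarding; the commit subject says the org is added to the preview by Datadog, so say that in the text so readers know they cannot grant `cloud_auth_config_read` and `cloud_auth_config_write` to themselves and that a 403 on these endpoints means the org is not yet enrolled rather than a role misconfiguration.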