Reputation: 593
In Datadog, I have a couple of API and Application keys that are actively being used by internal applications. Most of the keys are owned by individual persons who are no longer on the team. How do I rotate them and transfer them to a service account instead of an individual person without downtime or with less downtime? Any suggestions or ideas?
Upvotes: 1
Views: 3772
Reputation: 1953
API keys do not need to be replaced when a user is deleted. They belong to your entire account, and if the creator of the tag is deleted, the API key still works just fine. API keys are like the password to your organization, and are used for submitting data.
https://docs.datadoghq.com/account_management/api-app-keys/#api-keys
Application keys are used for automating behaviors in your account. For anything a user can do in the account, like creating a dashboard or editing a monitor, the application key will be required when using the API. Application keys are tied to a specific user and will inherit all the permissions of that user. So if that user does not have the ability to edit dashboards, neither will the Application Key.
You can avoid the issue of general automation tasks being tied to a specific human by utilizing service accounts. Service accounts are meant to be robotic users, which can be provided roles and create application keys. They should be linked to a common distribution list that your team has access to so it's not tied to a single person.
Upvotes: 4
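An added example, not part of the answer above: a Python sketch that takes an inventory of application keys together with their owners and sorts it into a migration order, so keys tied to departed humans are moved to a service account first. The payload is constructed, and its field names (`owned_by`, `disabled`, `service_account`) and the function `classify_keys` are assumptions to check against the Datadog API reference.

```python
import json

# Constructed sample in a JSON:API shape (keys plus included owner records).
# Field names are assumptions, not taken from the page.
SAMPLE = json.loads("""
{"data": [
  {"id": "k1", "attributes": {"name": "ci-dashboards"},
   "relationships": {"owned_by": {"data": {"id": "u1"}}}},
  {"id": "k2", "attributes": {"name": "monitor-sync"},
   "relationships": {"owned_by": {"data": {"id": "u2"}}}},
  {"id": "k3", "attributes": {"name": "terraform"},
   "relationships": {"owned_by": {"data": {"id": "u3"}}}},
  {"id": "k4", "attributes": {"name": "legacy-cron"},
   "relationships": {"owned_by": {"data": {"id": "u9"}}}}],
 "included": [
  {"id": "u1", "type": "users", "attributes":
   {"email": "left@example.com", "disabled": true, "service_account": false}},
  {"id": "u2", "type": "users", "attributes":
   {"email": "dev@example.com", "disabled": false, "service_account": false}},
  {"id": "u3", "type": "users", "attributes":
   {"email": "team-list@example.com", "disabled": false, "service_account": true}}]}
""")

# This example's own priority: departed owners first, unknown owners next.
ORDER = {"migrate-first": 0, "investigate": 1, "migrate": 2, "keep": 3}

def classify_keys(payload):
    """Return one row per application key, sorted by migration priority."""
    owners = {u["id"]: u.get("attributes", {})
              for u in payload.get("included", []) if u.get("type") == "users"}
    rows = []
    for key in payload.get("data", []):
        ref = (key.get("relationships", {}).get("owned_by") or {}).get("data") or {}
        owner = owners.get(ref.get("id"))
        if owner is None:
            action = "investigate"    # owner record missing from the export
        elif owner.get("service_account"):
            action = "keep"           # already owned by a robotic user
        elif owner.get("disabled"):
            action = "migrate-first"  # human owner is gone
        else:
            action = "migrate"        # human owner still active
        rows.append({"key": key["id"], "name": key["attributes"]["name"],
                     "owner": (owner or {}).get("email"), "action": action})
    return sorted(rows, key=lambda r: ORDER[r["action"]])

if __name__ == "__main__":
    for row in classify_keys(SAMPLE):
        print(row)
```

For each key marked for migration, the replacement key is created under the service account and deployed to the application before the old key is revoked, which keeps both valid during the overlap.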