Reputation: 3750
We use DogStatsD in our Fargate (running as a side-car container as DataDog recommends) and DataDog Lambda extensions (copied to /opt/extensions/ in the Lambda container image) to send metrics and logs to DataDog.
Both of these need access to a DataDog API Key. The problem we are facing is that we are unable to find a way to put restrictions on what an API Key can do. This introduces attack surface.

Any API Key can submit metrics/logs with the same tags and so on. We were looking for key-level isolation. E.g. if we had API Key-A only permitted to emit metrics/logs with the tag env:dev and API Key-B had no such limitation, then we could distribute API Key-A freely to all the devs while API Key-B could be gated and used only in the production environments, which emit metrics with the tag env:prod. That way API Key-A and its holder would not be able to interfere with production metrics in intentional/unintentional ways.

Currently I don't see how I can do this; all API Keys have the same permissions. If API Key-A, which was more freely distributed, got compromised, it could affect the production metrics, which is bad.

My question is, is there any recommendation to help with this? Can we set permissions on what an API Key can/cannot do (e.g. not allowed to emit certain tags etc.)?

Or is the only solution here account-level isolation, in which all the production metrics and logs are sent to a separate DataDog account and the keys of that account are more restricted than, say, an account for dev metrics and logs? Does DataDog provide any account management like AWS does with organisations and linked accounts and so on, which makes it easy to have every team get a set of accounts for their services and thus be provided impact isolation from other teams and environments and so on?
Upvotes: 1
Views: 1324
Reputation: 3750
I reached out to DataDog and they explained that there is no such feature as of today, i.e. setting permission boundaries on API Keys or restricting what tags are allowed for certain API Keys and so on. They did say they would log a feature request for it.

In the meantime the solution is to use the Multi-Org setup as explained in their docs and just use separate DataDog accounts for granularity.
Upvotes: 1
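As an added illustration (not code from the question, the answer, or DataDog), the following shows what the asker's wished-for "Key-A may only emit env:dev" rule looks like when enforced on the emitting side, in front of the DogStatsD sidecar. The key names, the policy table and the agent address are constructed for the example. Because DataDog does not enforce any boundary on the key itself, a gate like this only catches accidental cross-environment emission from a host that legitimately holds a key; the actual impact isolation still comes from separate orgs with separate keys, as the answer states.

```python
"""Client-side environment tag gate for DogStatsD emitters.

Added example, not from the question above and not DataDog's own code.
DataDog API keys carry no permission boundaries, so this gate only stops
accidental cross-environment emission by a holder of the key; it is not a
security boundary. Real isolation comes from one org and one key per
environment (the Multi-Org setup from the answer).
"""
import socket
from typing import Callable, Iterable, List, Optional

# Constructed policy with hypothetical key names: the env tags each key may
# emit. In a Multi-Org setup each entry would be a different org's own key.
KEY_POLICY = {
    "api-key-a": {"env:dev"},    # handed out freely to developers
    "api-key-b": {"env:prod"},   # gated, production workloads only
}

# DogStatsD sidecar on Fargate: the agent listens on UDP 8125 on localhost
# (assumed default; adjust to DD_AGENT_HOST / DD_DOGSTATSD_PORT if changed).
AGENT_ADDR = ("127.0.0.1", 8125)


def tag_violations(key_name: str, tags: Iterable[str]) -> List[str]:
    """Return a list of policy problems for emitting `tags` under `key_name`.

    An empty list means the metric may be sent.
    """
    tags = list(tags)
    allowed = KEY_POLICY.get(key_name)
    if allowed is None:
        return [f"unknown key {key_name!r}"]
    env_tags = [t for t in tags if t.startswith("env:")]
    problems = [f"tag {t!r} not permitted for {key_name}"
                for t in env_tags if t not in allowed]
    if not env_tags:
        # Without an env tag the metric would land untagged in the org,
        # mixing with everything else; require it explicitly.
        problems.append("missing env tag")
    for t in tags:
        if any(ch in t for ch in ",|\n"):
            # These characters are DogStatsD delimiters and would let a tag
            # value smuggle extra tags or fields into the datagram.
            problems.append(f"tag {t!r} contains a DogStatsD delimiter")
    return problems


def format_datagram(name: str, value, mtype: str, tags: List[str],
                    sample_rate: Optional[float] = None) -> str:
    """Serialise one metric in DogStatsD wire format:
    <name>:<value>|<type>[|@<sample_rate>][|#<tag>,<tag>...]
    """
    if mtype not in ("c", "g", "ms", "h", "d", "s"):
        raise ValueError(f"unknown metric type {mtype!r}")
    parts = [f"{name}:{value}", mtype]
    if sample_rate is not None:
        parts.append(f"@{sample_rate}")
    if tags:
        parts.append("#" + ",".join(tags))
    return "|".join(parts)


def emit(key_name: str, name: str, value, mtype: str, tags: List[str],
         send: Optional[Callable[[str], None]] = None) -> str:
    """Check the metric against the key's policy, then send it to the agent.

    Returns the datagram that was sent. Raises PermissionError when the
    tags are outside what `key_name` is allowed to emit. `send` lets the
    caller substitute the UDP transport (used for offline testing).
    """
    problems = tag_violations(key_name, tags)
    if problems:
        raise PermissionError("; ".join(problems))
    datagram = format_datagram(name, value, mtype, tags)
    if send is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.sendto(datagram.encode("utf-8"), AGENT_ADDR)
        finally:
            sock.close()
    else:
        send(datagram)
    return datagram


if __name__ == "__main__":
    sent: List[str] = []
    # A dev host holding Key-A may emit env:dev ...
    emit("api-key-a", "checkout.latency", 42, "ms",
         ["env:dev", "service:checkout"], send=sent.append)
    # ... but a mistaken env:prod tag under Key-A is refused locally.
    try:
        emit("api-key-a", "checkout.latency", 42, "ms", ["env:prod"],
             send=sent.append)
    except PermissionError as exc:
        print("blocked:", exc)
    print("sent:", sent)
```

The gate is deliberately placed before serialisation so that a refused metric never reaches the sidecar; the delimiter check matters because tag values are often built from user-controlled strings (hostnames, request paths), and a stray `|` or `,` would otherwise be interpreted by the agent as additional fields.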