Many of our integrations require credentials to retrieve metrics. To avoid hardcoding these credentials in the Autodiscovery templates, you can use this feature to separate them from the template itself.
This script is available in the docker image as /readsecret.py and is intended to be used with the agent's external secret feature. Please refer to this feature's documentation for usage examples.
The script requires a folder passed as an argument. Secret handles are interpreted as file names relative to this folder. The script refuses to access any file outside this root folder (including the targets of symbolic links), in order to avoid leaking sensitive information.
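The confinement rule described above, as an added example that is not the readsecret.py shipped in the image: handles are resolved with realpath against the root folder and rejected when the resolved path (symlink targets included) leaves it. The `{value, error}` result shape is an assumption modelled on the Agent's secret-backend output; the stdin/stdout protocol itself is not shown here.

```python
import json
import os
import sys
import tempfile

def resolve_handle(root, handle):
    """Map a secret handle to a file path confined to root.

    Returns the resolved path, or raises ValueError if the handle (or a
    symlink it points through) would escape the root folder.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, handle))
    # Accept root itself or anything strictly below it; the separator suffix
    # stops /run/secrets-other from matching a root of /run/secrets.
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise ValueError("handle %r escapes root %r" % (handle, root))
    return candidate

def read_secrets(root, handles):
    """Resolve each handle; return {handle: {"value": ..., "error": ...}}."""
    out = {}
    for h in handles:
        try:
            path = resolve_handle(root, h)
            with open(path) as f:
                out[h] = {"value": f.read().rstrip("\n"), "error": None}
        except (ValueError, OSError) as exc:
            out[h] = {"value": None, "error": str(exc)}
    return out

def demo():
    """Constructed secrets folder: one real secret, one symlink escaping root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "secrets")
    os.mkdir(root)
    with open(os.path.join(root, "db_prod_password"), "w") as f:
        f.write("hunter2\n")           # constructed sample value
    outside = os.path.join(base, "outside_token")
    with open(outside, "w") as f:
        f.write("should-never-be-read\n")
    os.symlink(outside, os.path.join(root, "sneaky"))  # symlink out of root
    return read_secrets(root, ["db_prod_password", "sneaky",
                               "../outside_token", "missing"])

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only `db_prod_password` yields a value; the symlink, the `..` traversal and the missing file all come back with an error and no value.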
For now, this script is incompatible with OpenShift restricted SCC operations and requires that the Agent runs as the root user.
Starting with version 6.10.0, ENC[] tokens in config values passed as environment variables are supported. Previous versions only support ENC[] tokens found in datadog.yaml and in Autodiscovery templates.
Docker secrets are mounted in the /run/secrets folder. You need to pass the following environment variables to your agent container:
DD_SECRET_BACKEND_COMMAND=/readsecret.py
DD_SECRET_BACKEND_ARGUMENTS=/run/secrets
To use the db_prod_password secret value, exposed in the /run/secrets/db_prod_password file, just insert ENC[db_prod_password] in your template.
Kubernetes supports exposing secrets as files inside a pod.
If your secrets are mounted in /etc/secret-volume, just use the following environment variables:
DD_SECRET_BACKEND_COMMAND=/readsecret.py
DD_SECRET_BACKEND_ARGUMENTS=/etc/secret-volume
Following the linked example, the password field will be stored in the /etc/secret-volume/password file, and accessible via the ENC[password] token.
Note: We recommend using a dedicated folder instead of /var/run/secrets, as the script will be able to access all subfolders, including the sensitive /var/run/secrets/kubernetes.io/serviceaccount/token file.