Add documentation for cloud-based authentication for the agent#34698
Open
wynbennett wants to merge 5 commits intomasterfrom
Open
Add documentation for cloud-based authentication for the agent#34698wynbennett wants to merge 5 commits intomasterfrom
wynbennett wants to merge 5 commits intomasterfrom
Conversation
Contributor
Preview links (active after the
|
Contributor
|
Editorial review: DOCS-13452 |
anthony-dgx
approved these changes
Feb 20, 2026
urseberry
requested changes
Feb 20, 2026
Contributor
urseberry
left a comment
urseberry
left a comment
There was a problem hiding this comment.
Nicely written and organized! Thank you for contributing to the public documentation.
|
|
||
| During the preview period, AWS is the only supported cloud provider. | ||
|
|
||
| Cloud-based authentication is available for: |
Contributor
There was a problem hiding this comment.
Suggested change
| Cloud-based authentication is available for: | |
| Cloud-based authentication is available for the following: |
| Cloud-based authentication for the Agent allows you to authenticate your Agent using AWS credentials instead of managing static API keys. The Agent exchanges an AWS authentication proof for a managed API key that Datadog automatically rotates. | ||
|
|
||
| **Requirements**: | ||
| - The version `7.78.0` or later of the Datadog Agent. |
Contributor
There was a problem hiding this comment.
Suggested change
| - The version `7.78.0` or later of the Datadog Agent. | |
| - Version `7.78.0` or later of the Datadog Agent. |
| - The version `7.78.0` or later of the Datadog Agent. | ||
| - The Agent runs in an AWS environment with access to AWS credentials (for example, an EC2 instance with an IAM role, ECS task, or EKS pod). | ||
| - You have configured the [Datadog-AWS integration][4] and added your AWS account. See the [AWS Integration docs][3]. | ||
| - The `cloud_auth_config_read` and `cloud_auth_config_write` permissions. These permissions are available only after you are onboarded to the preview. |
Contributor
There was a problem hiding this comment.
Suggested change
| - The `cloud_auth_config_read` and `cloud_auth_config_write` permissions. These permissions are available only after you are onboarded to the preview. | |
| - Your account has the `cloud_auth_config_read` and `cloud_auth_config_write` permissions. These permissions are available only after you are onboarded to the preview. |
|
|
||
| <div class="alert alert-info">For intake mapping to work, your AWS account <strong>must be integrated</strong> with Datadog through the <a href="https://app.datadoghq.com/integrations/amazon-web-services">Datadog-AWS integration</a>. If an AWS account is not integrated, the authentication flow cannot verify the caller, and mapping fails.</div> | ||
|
|
||
| First, configure intake mappings to authorize specific AWS ARN patterns for Agent authentication. Unlike persona mapping used for Terraform, intake mapping only requires an ARN pattern—no Datadog account identifier is needed because the Agent authenticates to send data rather than perform user actions. |
Contributor
There was a problem hiding this comment.
Suggested change
| First, configure intake mappings to authorize specific AWS ARN patterns for Agent authentication. Unlike persona mapping used for Terraform, intake mapping only requires an ARN pattern—no Datadog account identifier is needed because the Agent authenticates to send data rather than perform user actions. | |
| First, configure intake mappings to authorize specific AWS ARN patterns for Agent authentication. Unlike the persona mapping used for Terraform, intake mapping only requires an ARN pattern. No Datadog account identifier is needed, because the Agent authenticates to send data rather than perform user actions. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do? What is the motivation?
This adds documentation for cloud-based authentication for the agent
Merge instructions
Merge readiness:
For Datadog employees:
Your branch name MUST follow the
<name>/<description>convention and include the forward slash (/). Without this format, your pull request will not pass CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links.If your branch doesn't follow this format, rename it or create a new branch and PR.
[6/5/2025] Merge queue has been disabled on the documentation repo. If you have write access to the repo, the PR has been reviewed by a Documentation team member, and all of the required checks have passed, you can use the Squash and Merge button to merge the PR. If you don't have write access, or you need help, reach out in the #documentation channel in Slack.
Additional notes