Support both plain text and JSON format for Secrets Manager API key #698
Conversation
- Modify get_api_key() to first treat Secrets Manager value as plain text
- If the value looks like JSON (starts with '{' and ends with '}'), parse it and look for common keys (DD_API_KEY, DATADOG_API_KEY)
- If JSON parsing fails or no common key is found, fall back to plain text
- Add test cases for both plain text and JSON formats
|
Thanks for the PR, this is great! However this code path is only taken when the user is not using the datadog lambda extension (which is the default for the last ~3 years), and only when the user is sending custom metrics with the Wanna write some rust? I think we should add this to the extension and release it at the same time as this change. |
|
Thanks! https://docs.datadoghq.com/ja/serverless/aws_lambda/instrumentation/python/?tab=containerimage This documentation appears to be up-to-date, but is this method no longer recommended? |
The intention is that this library, when configured with Datadog Lambda Extension, will use the extension to send metrics asynchronously to the backend. I think there are two possible explanations for the issue you encountered. The first is that the extension also failed to decrypt the key (because it lacks this implementation), so it entered a no-op loop and then this library could not write to it and fell back to talking directly to the API. The second is that this library is not correctly detecting the extension and is pushing data directly to the backend without using the extension at all (which is not ideal). I'm going to recommend that we close this for now as the proper place for this change is in https://github.com/datadog/datadog-lambda-extension/ where the API key is ultimately designed to be used (this library should be API-key free in nearly all cases). The second issue is that this would require changes across all of our runtime libraries and careful coordination with our documentation to ensure that this change is consistent everywhere. Thank you very much for your contribution though! |
|
Thanks for your explanation! I understand. However, on the other hand, since the function is named get_api_key, |
2 participants
What does this PR do?
This PR enhances the
get_api_key()function to support both plain text and JSON format values from AWS Secrets Manager. Previously, the function only supported plain text values. Now it can handle:DD_API_KEYorDATADOG_API_KEYThe function first treats the secret value as plain text. If the value looks like JSON (starts with
{and ends with}), it attempts to parse it and extract the API key from common key names. If JSON parsing fails or no common key is found, it falls back to treating the value as plain text.Motivation
Some users store their Datadog API keys in Secrets Manager as JSON objects (key-value pairs) rather than plain text. This change makes the library more flexible and compatible with different secret storage formats, improving the developer experience.
Testing Guidelines
Added comprehensive test cases covering:
api_keykeyDD_API_KEYkeyAll tests pass and maintain backward compatibility with existing plain text secrets.
Additional Notes
DD_API_KEY,DATADOG_API_KEYTypes of Changes
Check all that apply