From 633834b3df0949cf6ad3ed8fd5fc53fb3e23fcdc Mon Sep 17 00:00:00 2001 From: Heston Hoffman Date: Wed, 13 May 2026 15:41:20 -0700 Subject: [PATCH 1/2] (AWS) Update IDs --- .../en/integrations/guide/aws-manual-setup.md | 5 +- .../integrations/guide/aws-terraform-setup.md | 246 +++++++++++++++++- ...-datadog-not-authorized-sts-assume-role.md | 64 ++++- 3 files changed, 312 insertions(+), 3 deletions(-) diff --git a/content/en/integrations/guide/aws-manual-setup.md b/content/en/integrations/guide/aws-manual-setup.md index 5a490027d81..a29f9a3c392 100644 --- a/content/en/integrations/guide/aws-manual-setup.md +++ b/content/en/integrations/guide/aws-manual-setup.md @@ -95,9 +95,12 @@ Datadog assumes this role to collect data on your behalf. {{< site-region region="ap2" >}} 3. Enter `412381753143` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data. {{< /site-region >}} -{{< site-region region="gov,gov2" >}} +{{< site-region region="gov" >}} 3. If the AWS account you want to integrate is a GovCloud account, enter `065115117704` as the `Account ID`, otherwise enter `392588925713`. This is Datadog's account ID, and grants Datadog access to your AWS data. {{< /site-region >}} +{{< site-region region="gov2" >}} +3. If the AWS account you want to integrate is a GovCloud account, enter `486737091498` as the `Account ID`, otherwise enter `382742775718`. This is Datadog's account ID, and grants Datadog access to your AWS data. +{{< /site-region >}} **Note**: Ensure that the **DATADOG SITE** selector on the right of this documentation page is set to your Datadog site before copying the account ID above. 4. Select **Require external ID** and enter the external ID copied in the previous section. diff --git a/content/en/integrations/guide/aws-terraform-setup.md b/content/en/integrations/guide/aws-terraform-setup.md index 842ae26c576..6188a17fa5a 100644 --- a/content/en/integrations/guide/aws-terraform-setup.md 
+++ b/content/en/integrations/guide/aws-terraform-setup.md @@ -387,7 +387,7 @@ resource "datadog_integration_aws_account" "datadog_integration" { [2]: https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws {{< /site-region >}} -{{< site-region region="gov,gov2" >}} +{{< site-region region="gov" >}} 2. Select the tab for your AWS account type, and then use the example below as a base template to set up your Terraform configuration file. Ensure to update the following parameters before you apply the changes: * `AWS_ACCOUNT_ID`: Your AWS account ID. 
@@ -631,6 +631,250 @@ See the [Terraform Registry][2] for further example usage and the full list of o [2]: https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws {{< /site-region >}} +{{< site-region region="gov2" >}} +2. Select the tab for your AWS account type, and then use the example below as a base template to set up your Terraform configuration file. Ensure to update the following parameters before you apply the changes: + * `AWS_ACCOUNT_ID`: Your AWS account ID. + +{{< tabs >}} + +{{% tab "AWS Commercial Cloud" %}} + +```hcl +data "aws_iam_policy_document" "datadog_aws_integration_assume_role" { + statement { + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = ["arn:aws:iam::382742775718:root"] + } + condition { + test = "StringEquals" + variable = "sts:ExternalId" + values = [ + "${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}" + ] + } + } +} + +data "datadog_integration_aws_iam_permissions" "datadog_permissions" {} + +locals { + all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions + + max_policy_size = 6144 + target_chunk_size = 5900 + + permission_sizes = [ + for perm in local.all_permissions : + length(perm) + 3 + ] + cumulative_sizes = [ + for i in range(length(local.permission_sizes)) : + sum(slice(local.permission_sizes, 0, i + 1)) + ] + + chunk_assignments = [ + for cumulative_size in local.cumulative_sizes : + floor(cumulative_size / local.target_chunk_size) + ] + chunk_numbers = distinct(local.chunk_assignments) + permission_chunks = [ + for chunk_num in local.chunk_numbers : [ + for i, perm in local.all_permissions : + perm if local.chunk_assignments[i] == chunk_num + ] + ] +} + +data "aws_iam_policy_document" "datadog_aws_integration" { + count = length(local.permission_chunks) + + statement { + actions = local.permission_chunks[count.index] + resources = ["*"] + } +} + +resource 
"aws_iam_policy" "datadog_aws_integration" { + count = length(local.permission_chunks) + + name = "DatadogAWSIntegrationPolicy-${count.index + 1}" + policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json +} +resource "aws_iam_role" "datadog_aws_integration" { + name = "DatadogIntegrationRole" + description = "Role for Datadog AWS Integration" + assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json +} +resource "aws_iam_role_policy_attachment" "datadog_aws_integration" { + count = length(local.permission_chunks) + + role = aws_iam_role.datadog_aws_integration.name + policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn +} +resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" { + role = aws_iam_role.datadog_aws_integration.name + policy_arn = "arn:aws:iam::aws:policy/SecurityAudit" +} + +resource "datadog_integration_aws_account" "datadog_integration" { + account_tags = [] + aws_account_id = "" + aws_partition = "aws" + aws_regions { + include_all = true + } + auth_config { + aws_auth_config_role { + role_name = "DatadogIntegrationRole" + } + } + resources_config { + cloud_security_posture_management_collection = false + extended_collection = true + } + traces_config { + xray_services { + } + } + logs_config { + lambda_forwarder { + } + } + metrics_config { + namespace_filters { + } + } +} +``` + +{{% /tab %}} + +{{% tab "AWS GovCloud" %}} + +```hcl +data "aws_iam_policy_document" "datadog_aws_integration_assume_role" { + statement { + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = ["arn:aws-us-gov:iam::486737091498:root"] + } + condition { + test = "StringEquals" + variable = "sts:ExternalId" + values = [ + "${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}" + ] + } + } +} + +data "datadog_integration_aws_iam_permissions" "datadog_permissions" {} + +locals { + all_permissions = 
data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions + + max_policy_size = 6144 + target_chunk_size = 5900 + + permission_sizes = [ + for perm in local.all_permissions : + length(perm) + 3 + ] + cumulative_sizes = [ + for i in range(length(local.permission_sizes)) : + sum(slice(local.permission_sizes, 0, i + 1)) + ] + + chunk_assignments = [ + for cumulative_size in local.cumulative_sizes : + floor(cumulative_size / local.target_chunk_size) + ] + chunk_numbers = distinct(local.chunk_assignments) + permission_chunks = [ + for chunk_num in local.chunk_numbers : [ + for i, perm in local.all_permissions : + perm if local.chunk_assignments[i] == chunk_num + ] + ] +} + +data "aws_iam_policy_document" "datadog_aws_integration" { + count = length(local.permission_chunks) + + statement { + actions = local.permission_chunks[count.index] + resources = ["*"] + } +} + +resource "aws_iam_policy" "datadog_aws_integration" { + count = length(local.permission_chunks) + + name = "DatadogAWSIntegrationPolicy-${count.index + 1}" + policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json +} +resource "aws_iam_role" "datadog_aws_integration" { + name = "DatadogIntegrationRole" + description = "Role for Datadog AWS Integration" + assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json +} +resource "aws_iam_role_policy_attachment" "datadog_aws_integration" { + count = length(local.permission_chunks) + + role = aws_iam_role.datadog_aws_integration.name + policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn +} +resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" { + role = aws_iam_role.datadog_aws_integration.name + policy_arn = "arn:aws-us-gov:iam::aws:policy/SecurityAudit" +} + +resource "datadog_integration_aws_account" "datadog_integration" { + account_tags = [] + aws_account_id = "" + aws_partition = "aws-us-gov" + aws_regions { + include_all = true + } + 
auth_config { + aws_auth_config_role { + role_name = "DatadogIntegrationRole" + } + } + resources_config { + cloud_security_posture_management_collection = false + extended_collection = true + } + traces_config { + xray_services { + } + } + logs_config { + lambda_forwarder { + } + } + metrics_config { + namespace_filters { + } + } +} +``` + +{{% /tab %}} + +{{< /tabs >}} + +See the [Terraform Registry][2] for further example usage and the full list of optional parameters, as well as additional Datadog resources. + +
By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under resources_config, set cloud_security_posture_management_collection = true.
+ +[1]: /integrations/amazon_web_services/?tab=manual#aws-iam-permissions +[2]: https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws +{{< /site-region >}} + 3. Run `terraform apply`. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box [AWS overview dashboard][4] to see metrics sent by your AWS services and infrastructure. {{< partial name="whats-next/whats-next.html" >}} diff --git a/content/en/integrations/guide/error-datadog-not-authorized-sts-assume-role.md b/content/en/integrations/guide/error-datadog-not-authorized-sts-assume-role.md index 1f29a7024b2..b6e0254f8f0 100644 --- a/content/en/integrations/guide/error-datadog-not-authorized-sts-assume-role.md +++ b/content/en/integrations/guide/error-datadog-not-authorized-sts-assume-role.md @@ -13,7 +13,7 @@ This error usually indicates an issue with the trust policy associated with the Check the following points for the AWS account mentioned in the error: -{{< site-region region="us,us3,us5,eu,gov,gov2" >}} +{{< site-region region="us,us3,us5,eu" >}} 1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3]. 2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured as below: 
@@ -44,6 +44,68 @@ Check the following points for the AWS account mentioned in the error: [3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml {{< /site-region >}} +{{< site-region region="gov" >}} +1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3]. + +2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured with the correct Datadog account ID for your AWS partition. Use `392588925713` for commercial AWS accounts or `065115117704` for GovCloud accounts: + +{{< code-block lang="json" filename="" disable_copy="true" collapsible="false" >}} + +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::392588925713:root" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ] +} + +{{< /code-block >}} + +[2]: https://app.ddog-gov.com/integrations/amazon-web-services +[3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml +{{< /site-region >}} + +{{< site-region region="gov2" >}} +1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3]. + +2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured with the correct Datadog account ID for your AWS partition. 
Use `382742775718` for commercial AWS accounts or `486737091498` for GovCloud accounts: + +{{< code-block lang="json" filename="" disable_copy="true" collapsible="false" >}} + +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::382742775718:root" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + ] +} + +{{< /code-block >}} + +[2]: https://us2.ddog-gov.com/integrations/amazon-web-services +[3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml +{{< /site-region >}} + {{< site-region region="ap1" >}} 1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3]. From c78ad88ed0ec22bf3b001a9884b1d8c3e28de98d Mon Sep 17 00:00:00 2001 From: Heston Hoffman Date: Thu, 14 May 2026 08:23:37 -0700 Subject: [PATCH 2/2] Use params --- assets/scripts/config/regions.config.js | 20 ++++ .../en/integrations/guide/aws-manual-setup.md | 17 +-- ...-datadog-not-authorized-sts-assume-role.md | 103 +----------------- 3 files changed, 29 insertions(+), 111 deletions(-) diff --git a/assets/scripts/config/regions.config.js b/assets/scripts/config/regions.config.js index 3e05811e1fd..9d0c8fbe74d 100644 --- a/assets/scripts/config/regions.config.js +++ b/assets/scripts/config/regions.config.js 
@@ -388,6 +388,26 @@ export default {
     gov2: 'The private link service for US2-FED is not supported.',
     gov: 'The private link service for GOV is not supported.'
   },
+  aws_customer_access_id: {
+    us: '464622532012',
+    us3: '464622532012',
+    us5: '464622532012',
+    eu: '464622532012',
+    ap1: '417141415827',
+    ap2: '412381753143',
+    gov2: '382742775718',
+    gov: '392588925713'
+  },
+  aws_customer_access_govcloud_id: {
+    us: 'N/A',
+    us3: 'N/A',
+    us5: 'N/A',
+    eu: 'N/A',
+    ap1: 'N/A',
+    ap2: 'N/A',
+    gov2: '486737091498',
+    gov: '065115117704'
+  },
   ip_ranges_url: {
     us: 'https://ip-ranges.datadoghq.com',
     us3: 'https://ip-ranges.us3.datadoghq.com',
diff --git a/content/en/integrations/guide/aws-manual-setup.md b/content/en/integrations/guide/aws-manual-setup.md
index a29f9a3c392..3b5de585a90 100644
--- a/content/en/integrations/guide/aws-manual-setup.md
+++ b/content/en/integrations/guide/aws-manual-setup.md
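Review bot: The two new maps hold the AWS account IDs that readers paste into IAM role trust policies as the `sts:AssumeRole` principal, so a wrong digit here lands in every customer's policy with nothing downstream to catch it, yet the entries carry no comment saying what they are or what to verify them against. I would add above `aws_customer_access_id`: `// Datadog AWS account IDs rendered into customer IAM trust policies as the sts:AssumeRole principal. Security-sensitive: verify against the published Datadog CloudFormation template before changing.` The values do match the hard-coded IDs this same patch removes from aws-manual-setup.md, so the migration itself looks faithful. The `'N/A'` placeholders in `aws_customer_access_govcloud_id` would be rendered verbatim as an account ID if that key is ever referenced outside a `gov,gov2` site-region, so a comment such as `// Only valid under site-region gov,gov2; other sites have no GovCloud principal.` would make the constraint visible to the next doc author. Note also that the gov/gov2 trust-policy example these values feed still shows only the commercial `arn:aws:iam::` form, while a GovCloud role needs the `arn:aws-us-gov:` partition with the GovCloud ID, as the Terraform GovCloud tab in the first patch does.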
@@ -86,20 +86,11 @@ Datadog assumes this role to collect data on your behalf. 1. Go to the AWS [IAM Console][4] and click `Create role`. 2. Select **AWS account** for the trusted entity type, and **Another AWS account**. -{{< site-region region="us,us3,us5,eu" >}} -3. Enter `464622532012` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data. -{{< /site-region >}} -{{< site-region region="ap1" >}} -3. Enter `417141415827` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data. -{{< /site-region >}} -{{< site-region region="ap2" >}} -3. Enter `412381753143` as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data. -{{< /site-region >}} -{{< site-region region="gov" >}} -3. If the AWS account you want to integrate is a GovCloud account, enter `065115117704` as the `Account ID`, otherwise enter `392588925713`. This is Datadog's account ID, and grants Datadog access to your AWS data. +{{< site-region region="us,us3,us5,eu,ap1,ap2" >}} +3. Enter {{< region-param key="aws_customer_access_id" code="true" >}} as the `Account ID`. This is Datadog's account ID, and grants Datadog access to your AWS data. {{< /site-region >}} -{{< site-region region="gov2" >}} -3. If the AWS account you want to integrate is a GovCloud account, enter `486737091498` as the `Account ID`, otherwise enter `382742775718`. This is Datadog's account ID, and grants Datadog access to your AWS data. +{{< site-region region="gov,gov2" >}} +3. If the AWS account you want to integrate is a GovCloud account, enter {{< region-param key="aws_customer_access_govcloud_id" code="true" >}} as the `Account ID`, otherwise enter {{< region-param key="aws_customer_access_id" code="true" >}}. This is Datadog's account ID, and grants Datadog access to your AWS data. 
{{< /site-region >}} **Note**: Ensure that the **DATADOG SITE** selector on the right of this documentation page is set to your Datadog site before copying the account ID above. diff --git a/content/en/integrations/guide/error-datadog-not-authorized-sts-assume-role.md b/content/en/integrations/guide/error-datadog-not-authorized-sts-assume-role.md index b6e0254f8f0..e8356ba3d29 100644 --- a/content/en/integrations/guide/error-datadog-not-authorized-sts-assume-role.md +++ b/content/en/integrations/guide/error-datadog-not-authorized-sts-assume-role.md @@ -13,7 +13,7 @@ This error usually indicates an issue with the trust policy associated with the Check the following points for the AWS account mentioned in the error: -{{< site-region region="us,us3,us5,eu" >}} +{{< site-region region="us,us3,us5,eu,ap1,ap2" >}} 1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3]. 2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured as below: @@ -26,7 +26,7 @@ Check the following points for the AWS account mentioned in the error: { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::464622532012:root" + "AWS": "arn:aws:iam::{{< region-param key="aws_customer_access_id" >}}:root" }, "Action": "sts:AssumeRole", "Condition": { 
@@ -44,10 +44,10 @@ Check the following points for the AWS account mentioned in the error: [3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml {{< /site-region >}} -{{< site-region region="gov" >}} +{{< site-region region="gov,gov2" >}} 1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3]. -2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured with the correct Datadog account ID for your AWS partition. Use `392588925713` for commercial AWS accounts or `065115117704` for GovCloud accounts: +2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured with the correct Datadog account ID for your AWS partition. Use {{< region-param key="aws_customer_access_id" code="true" >}} for commercial AWS accounts or {{< region-param key="aws_customer_access_govcloud_id" code="true" >}} for GovCloud accounts: {{< code-block lang="json" filename="" disable_copy="true" collapsible="false" >}} @@ -57,7 +57,7 @@ Check the following points for the AWS account mentioned in the error: { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::392588925713:root" + "AWS": "arn:aws:iam::{{< region-param key="aws_customer_access_id" >}}:root" }, "Action": "sts:AssumeRole", "Condition": { 
@@ -75,99 +75,6 @@ Check the following points for the AWS account mentioned in the error: [3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml {{< /site-region >}} -{{< site-region region="gov2" >}} -1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3]. - -2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured with the correct Datadog account ID for your AWS partition. Use `382742775718` for commercial AWS accounts or `486737091498` for GovCloud accounts: - -{{< code-block lang="json" filename="" disable_copy="true" collapsible="false" >}} - -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::382742775718:root" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "" - } - } - } - ] -} - -{{< /code-block >}} - -[2]: https://us2.ddog-gov.com/integrations/amazon-web-services -[3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml -{{< /site-region >}} - -{{< site-region region="ap1" >}} -1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3]. - -2. 
On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured as below: - -{{< code-block lang="json" filename="" disable_copy="true" collapsible="false" >}} - -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::417141415827:root" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "" - } - } - } - ] -} - -{{< /code-block >}} - -[2]: https://ap1.datadoghq.com/integrations/amazon-web-services -[3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml -{{< /site-region >}} - -{{< site-region region="ap2" >}} -1. If you created an IAM role, ensure that you are using the correct IAM role name in the [Datadog AWS integration page][2]. Extra spaces or characters in AWS or Datadog causes the role delegation to fail. If you deployed the role using CloudFormation, the default IAM role name is set to [DatadogIntegrationRole][3]. - -2. On the Datadog integration role's page in AWS, under the **Trust relationships** tab, ensure that the **Principal** is configured as below: - -{{< code-block lang="json" filename="" disable_copy="true" collapsible="false" >}} - -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::412381753143:root" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "" - } - } - } - ] -} - -{{< /code-block >}} - -[2]: https://ap2.datadoghq.com/integrations/amazon-web-services -[3]: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml -{{< /site-region >}} - 3. The AWS External ID on the role page needs to match the AWS External ID value on the **Account Details** tab of the [AWS integration page][2]. 
Update the IAM role in AWS with the AWS External ID value from the integration page in Datadog, or generate a new AWS External ID in Datadog and click **Save**: {{< img src="integrations/guide/aws_error_sts_assume_role/new-aws-external-id.png" alt="Datadog AWS integration page with the AWS Role Name and AWS External ID fields and Generate New ID button" >}}