Draft
74 changes: 74 additions & 0 deletions content/en/actions/connections/aws_integration.md
@@ -0,0 +1,74 @@
---
title: Using AWS Integration in Actions
description: Use Datadog's built-in AWS Integration to run Workflows read Actions without additional configuration in AWS.
disable_toc: false
further_reading:
- link: "/actions/connections/"
tag: "Documentation"
text: "Find out more about connection credentials"
---

## Overview

Datadog Workflows and Actions can use your existing **Datadog AWS integration credentials** to perform read-only operations in your AWS environment.
This eliminates the need to manually configure a separate AWS Connection, simplifying onboarding and allowing immediate access to your AWS data.

When configured, Datadog uses the same AWS credentials that power integrations such as **Amazon EC2**, **RDS**, and **S3 monitoring** to securely execute supported read-only actions.

Check notice on line 16 in content/en/actions/connections/aws_integration.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.sentencelength

Suggestion: Try to keep your sentence length to 25 words or fewer.

<div class="alert alert-info">
This feature is limited to <strong>read-only AWS actions</strong> and AWS integrations configured with "Role Delegation" access type. It also requires that your Datadog AWS integration role has the appropriate permissions defined in AWS. All actions under the <a href="https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ViewOnlyAccess.html" target="_blank">ViewOnlyAccess permissions</a> should work, as long as the IAM role used by the AWS Integration has been granted the permissions needed, and that an Action exists for the operation.

Check notice on line 19 in content/en/actions/connections/aws_integration.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.sentencelength

Suggestion: Try to keep your sentence length to 25 words or fewer.
</div>

## Supported use cases

Examples include:

- Listing or describing AWS resources (for example: `ListECSClusters`, `DescribeInstances`, `GetBucketPolicy`)
- Reading configurations or metadata from AWS services (for example: `GetFunctionConfiguration`, `ListSecrets`)
- Inspecting resource tags, metrics, or logs

### Requirements

To successfully execute actions with this integration:

- The **AWS Integration IAM Role** configured for Role Delegation must have the permissions required for the operations desired (for example `ecs:ListClusters`).
- The selected action must be read-only. Write or mutating actions (such as `Put*`, `Delete*`, `Update*`) are not supported and fail when running.
- The user, user's team, or user's org **must** have been given explicit 'Executor' permission on the AWS Integration in Datadog (see next section for details).

---

## Configuration

### 1. Configure AWS Integration permissions

Make sure that:
- The AWS integration is **active** for your target **AWS Account** and no integration issues are detected by Datadog.
- The **IAM Role** associated with the integration has the permissions for the operations (for example `ecs:ListClusters`).
- The integration is configured with the **Executor** permission in the Datadog AWS Integration configuration page (see below).

To configure the **Executor** permission in Datadog AWS Integration:
- In Datadog, navigate to "Integrations" then open the "Amazon Web Services" configuration page.
- Select the AWS Account connected to Datadog that you want to run actions with. If you haven't already configured the AWS Integration, follow the [AWS Integration setup guide](https://docs.datadoghq.com/integrations/amazon_web_services/#setup).
- Click on "**Set Permissions**":

{{< img src="service_management/aws_integration_tile_set_permission.png" alt="An integration on the AWS Integration configuration where the Set permission button is usable" style="width:100%;" >}}

In the Permissions modal opened select a user, team or organization to be granted "**Executor**" permissions:

Check notice on line 56 in content/en/actions/connections/aws_integration.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.oxfordcomma

Suggestion: Use the Oxford comma in 'In the Permissions modal opened select a user, team or'.

{{< img src="service_management/aws_integration_tile_permission_modal.png" alt="A permission modal with Executor permission highlighted" style="width:100%;" >}}

<div class="alert alert-info">
If instead of a **Set Permissions** button, you have a **Request Edit Access** button, you need to request the AWS Configuration Edit permission from an Admin in your organization.

Check notice on line 61 in content/en/actions/connections/aws_integration.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.sentencelength

Suggestion: Try to keep your sentence length to 25 words or fewer.
</div>

### 2. Select the Integration in Action

When creating or editing an Action within **Workflows**, you can choose your existing AWS integration in the Connections field.

1. Open your Workflow in the Datadog UI.
2. Add an AWS Action (for example, **List ECS Clusters**).
3. In the **Connection** dropdown, select **Existing AWS Integration**.
4. Choose the AWS Account configured in your Datadog integration.

{{< img src="service_management/aws_integration_connection_dropdown.png" alt="A Workflow Step configuration with a AWS Account: 0123456789101 Connection option" style="width:100%;" >}}
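Review bot: The "Set Permissions" steps under "1. Configure AWS Integration permissions" let the reader grant **Executor** to "a user, team or organization" without any guidance on scope, even though the supported use cases listed earlier include reads such as `ListSecrets` and `GetBucketPolicy` that run with the integration role's permissions. Consider adding a sentence there recommending that Executor be granted to the narrowest principal that needs it (a user or team rather than the whole organization), and one in "Requirements" stating that an Executor can run any supported read action the integration IAM role allows, so the role's policy is the effective limit. Two smaller points in the same file: the front matter `description` reads "to run Workflows read Actions", which looks like it is missing words (possibly "read-only Actions"); and the second `<div class="alert alert-info">` uses `**Set Permissions**` and `**Request Edit Access**` inside raw HTML while the first alert uses `<strong>`, so the Markdown emphasis may not render there and `<strong>` would be consistent. The alt text on the last image also says "a AWS Account: 0123456789101", which is 13 digits where AWS account IDs are 12, and should read "an AWS Account".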
