diff --git a/README.md b/README.md index 4e3ff48..43026fe 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,7 @@ These scripts and tools live in this repo, some scripts/tools have their own REA | [webhooks](./webhooks/) | N/A | A collection of [Webhooks](https://docs.datadoghq.com/integrations/webhooks/) examples which use the [Datadog API](https://docs.datadoghq.com/api/latest/) to perform different actions | | [Metrics Without Limits Optimiser](./mwl_optimiser/) | Python | Run through your custom metrics to apply a MWL allowlist of tags and aggregations to a metric based on whether the tags/aggregations have been actively queried on by dashboards, notebooks, monitors, and through the API in the past 30 day and only if the resulting volume of this new config is less than not using MWL. | | [Postgres Database Monitoring Setup Script](./dbm_setup/) | Python | A script to prepare Postgres databases for use with [Database Monitoring](https://docs.datadoghq.com/database_monitoring/setup_postgres/selfhosted/?tab=postgres15). Discovers all databases on a databse host, creates datadog user, schema, and explain statments, then confirms the database was prepared properly. | +| [Vault Secret Executable](./secret_executable) | Python | An example secrete executable script to serve secrets to the Datadog agent fetched from HashiCorp Vault | ## Additional tools These are some additional tools and scripts written by Datadog. diff --git a/secret_executable/README.md b/secret_executable/README.md new file mode 100644 index 0000000..92cb3f4 --- /dev/null +++ b/secret_executable/README.md 
@@ -0,0 +1,46 @@ +# vault_executable +A python script to serve secrets fetched from HashiCorp Vault to a Datadog agent + +### Introduction + +Customers can fetch secrets from providers like HashiCorp Vault and serve those secrets to the Datadog agent via executable file. Customers often ask us for support with creating the executable, we do have basic examples of a python executable in our documentation but wanted to take it a step further and provide a simple but working example of a executable that fetches secrets from HashiCorp Vault and serves them to the Datadog agent. + +### Setup + +You will need a HashiCorp Vault secret cluster is necessary to store secrets in the vault. + + + +You can add secrets to the vault using the steps below + +![Screen Recording 2023-09-06 at 05 22 35 PM 2](https://github.com/UTXOnly/vault_executable/assets/49233513/45ff1997-ff03-4570-9b53-4fabfd6e8a9c) + + + + + + +Fetching Secrets from the Vault + +When you create a HashiCorp Vault cluster with the default settings, you should be greeted with instructions like this on the overview page allowing you to fetch + +![Image 2023-09-06 at 5 10 33 PM](https://github.com/UTXOnly/vault_executable/assets/49233513/ad6f6e17-14b3-4b18-8383-2167f1827857) + + + +### Results Returned from Vault + +The results are returned in `:` pairs like below. You can test massing secret keys as defined in your agent configuration to see what your executable returns (as the agent sees it). +``` +❯ bash -c "echo '{\"version\": \"1.0\", \"secrets\": [\"host\", \"test-snmp\"]}' | python3 /Users/brian.hartford/Documents/secrets/hashi_vault_api.py" +api-key: +first-secret: Vault Is The Way +host: localhost +test-key: test +test-snmp: test-snmp-password +{"host": {"value": "localhost", "error": null}, "test-snmp": {"value": "test-snmp-password", "error": null}} +``` + +### How it Works + +![Alt text]() 
diff --git a/secret_executable/vault executable.png b/secret_executable/vault executable.png new file mode 100644 index 0000000..287f9a8 Binary files /dev/null and b/secret_executable/vault executable.png differ diff --git a/secret_executable/vault_executable.py b/secret_executable/vault_executable.py new file mode 100644 index 0000000..16d11c6 --- /dev/null +++ b/secret_executable/vault_executable.py @@ -0,0 +1,73 @@ +#!opt/datadog-agent/embedded/bin/python3 +import json +import sys +import requests + +secret_id = "" +role_id = "" +VAULT_ADDR= "https://
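Review bot: in the README.md table row, "secrete executable" should read "secret executable", and the link target `./secret_executable` is missing the trailing slash that every other row uses (`./webhooks/`, `./mwl_optimiser/`, `./dbm_setup/`); suggest `| [Vault Secret Executable](./secret_executable/) | Python | An example secret executable script to serve secrets to the Datadog agent fetched from HashiCorp Vault |`. The new README is titled `# vault_executable` while the directory is `secret_executable`, so one of the two names should be aligned with the other.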
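Review bot: the sample output under "Results Returned from Vault" shows the script printing every secret held in the vault (`api-key`, `first-secret`, `test-key`, ...) as `key: value` lines before the JSON document, including secrets the agent did not ask for; those debug prints should be dropped before this is published as a reference implementation, since the agent reads the executable's stdout and the only thing that belongs there is the JSON response for the requested keys. The same section's command line points at a local path (`/Users/brian.hartford/Documents/secrets/hashi_vault_api.py`) rather than the `vault_executable.py` this PR adds, and "test massing secret keys" should be "test passing secret keys". Smaller fixes in the same hunk: "You will need a HashiCorp Vault secret cluster is necessary to store secrets in the vault" is two sentences run together; "Fetching Secrets from the Vault" is plain text where the sibling sections use `###`; and "How it Works" contains only an empty image reference `![Alt text]()` with no explanation. The Setup section also never says how the script is wired into the agent (the `secret_backend_command` setting in datadog.yaml) or that the agent requires the executable to be owned by and readable only by the agent user, which is the part customers most often get wrong.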
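Review bot: the added image `secret_executable/vault executable.png` has a space in its filename and nothing in the README references it; the empty `![Alt text]()` under "How it Works" is presumably meant to point here. Suggest renaming the file to `vault_executable.png` and setting the reference to `![How it works](./vault_executable.png)`.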
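Review bot: the shebang `#!opt/datadog-agent/embedded/bin/python3` is missing the leading slash, so the agent will not be able to execute the script directly; it should be `#!/opt/datadog-agent/embedded/bin/python3`. The AppRole credentials are defined as module-level constants (`secret_id = ""`, `role_id = ""`) next to `VAULT_ADDR`, which invites users to hardcode a Vault credential into a file that lives in the repo; suggest reading them from a file with permissions restricted to the agent user or from environment variables and documenting that in the README, so the example does not teach committing secrets alongside the code that fetches them.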