Commit b859343

anthony-dgxclaude
and authored
Clarify assumed-role ARN requirement in WIF identity and intake mapping setup (#37614)
* Clarify assumed-role ARN requirement in WIF identity and intake mapping setup

Adds warning callouts to both the identity mapping and intake mapping UI sections explaining that Datadog requires the assumed-role ARN (STS format) rather than the IAM role ARN shown in the AWS Console. Updates the Source Pattern example to show the full arn:aws:sts:: format. Adds guidance on using aws sts get-caller-identity to find the correct ARN value.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Update workload_identity_federation.md

* Scope WIF warning callout to opening sentence, add aws sts tip for parity

Move the ARN format list and aws sts get-caller-identity tip outside the alert div so only the opening sentence carries the warning style. Add the tip to the identity mappings warning to match the intake mappings warning.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 273b14e commit b859343

1 file changed

Lines changed: 16 additions & 2 deletions

content/en/account_management/workload_identity_federation.md

Original file line number | Diff line number | Diff line change
@@ -80,11 +80,18 @@ Navigate to [**Organization Settings** > **Workload Identity Federation**][6] an
8080

8181
{{< img src="account_management/workload_identity_federation/identity-mappings-list.png" alt="Identity Mappings tab in the Workload Identity Federation page, showing the Org UUID field and a list of AWS ARN patterns mapped to Datadog users and service accounts" style="width:100%;" >}}
8282

83+
<div class="alert alert-warning">Datadog requires the <strong>assumed-role ARN</strong> in the Source Pattern field, not the IAM role ARN. These two formats are different:</div>
84+
<ul>
85+
<li><strong>IAM role ARN</strong> (shown in the AWS Console): <code>arn:aws:iam::123456789012:role/my-role</code></li>
86+
<li><strong>Assumed-role ARN</strong> (required by Datadog): <code>arn:aws:sts::123456789012:assumed-role/my-role/session-name</code></li>
87+
</ul>
88+
To find the assumed-role ARN for your workload, run <code>aws sts get-caller-identity</code> from your workload environment and use the value in the <code>Arn</code> field of the response.
89+
8390
To create an identity mapping:
8491

8592
1. Click {{< ui >}}+ New Mapping{{< /ui >}}.
8693
2. Select a **Cloud Provider**.
87-
3. Enter a **Source Pattern (ARN)**. Use `*` for wildcard patterns (for example, `role/terraform-*`).
94+
3. Enter a **Source Pattern (ARN)**. Use the assumed-role ARN format and `*` for wildcard patterns (for example, `arn:aws:sts::123456789012:assumed-role/terraform-runner/*`).
8895
4. Search for and select a **Target Identity**. This is the Datadog user or service account this cloud identity authenticates as.
8996
5. Click {{< ui >}}Create Mapping{{< /ui >}}.
9097

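Review bot: the new tip ("run `aws sts get-caller-identity` ... and use the value in the `Arn` field") will lead readers to paste a session-specific ARN: the value returned ends in the session name (`assumed-role/my-role/session-name`), which for most workloads changes per session (instance ID, function name, CI job ID, and so on), so a mapping built from it matches only that one session. Suggest adding a sentence after the tip that the trailing session-name segment should normally be replaced with `*`, as the step 3 example `arn:aws:sts::123456789012:assumed-role/terraform-runner/*` already does, and that the wildcard should stay on the session segment rather than the role name so the mapping does not authenticate unintended roles in the account as that Datadog user or service account. The `<ul>` sitting outside the `alert-warning` div is fine and matches the intent stated in the commit message.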
@@ -277,11 +284,18 @@ Navigate to [**Organization Settings** > **Workload Identity Federation**][6] an
277284

278285
{{< img src="account_management/workload_identity_federation/intake-mappings-list.png" alt="Intake Mappings tab in the Workload Identity Federation page, showing the Org UUID field and a list of AWS ARN patterns authorized for Agent authentication" style="width:100%;" >}}
279286

287+
<div class="alert alert-warning">Datadog requires the <strong>assumed-role ARN</strong> in the Source Pattern field, not the IAM role ARN. These two formats are different:</div>
288+
<ul>
289+
<li><strong>IAM role ARN</strong> (shown in the AWS Console): <code>arn:aws:iam::123456789012:role/my-role</code></li>
290+
<li><strong>Assumed-role ARN</strong> (required by Datadog): <code>arn:aws:sts::123456789012:assumed-role/my-role/session-name</code></li>
291+
</ul>
292+
To find the assumed-role ARN for your workload, run <code>aws sts get-caller-identity</code> from your workload environment and use the value in the <code>Arn</code> field of the response.
293+
280294
To create an intake mapping:
281295

282296
1. Click {{< ui >}}+ New Mapping{{< /ui >}}.
283297
2. Select a **Cloud Provider**.
284-
3. Enter a **Source Pattern (ARN)**. Use `*` for wildcard patterns (for example, `role/terraform-*`).
298+
3. Enter a **Source Pattern (ARN)**. Use the assumed-role ARN format and `*` for wildcard patterns (for example, `arn:aws:sts::123456789012:assumed-role/DatadogAgentRole/*`).
285299
4. Click {{< ui >}}Create Mapping{{< /ui >}}.
286300

287301
{{< img src="account_management/workload_identity_federation/intake-mapping-create.png" alt="Create Intake Mapping dialog with fields for Cloud Provider and Source Pattern ARN, with helper text describing wildcard pattern support" style="width:70%;" >}}
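Review bot: this warning, list and tip are a verbatim copy of the block added in the identity mappings hunk above; consider moving the shared text into a Hugo partial or shortcode so the two sections cannot drift (the first revision of this PR already had them out of parity, per the commit message). For the intake case specifically, "from your workload environment" is worth tightening: `aws sts get-caller-identity` has to be run with the credentials the Agent itself uses (on the host or in the task where the Agent runs), because an operator's own credentials return a different `Arn`. The same session-name caveat applies here, and the `DatadogAgentRole/*` example in step 3 is the right shape to point readers at.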
