Clarify assumed-role ARN requirement in WIF identity and intake mapping setup (#37614)

* Clarify assumed-role ARN requirement in WIF identity and intake mapping setup

  Adds warning callouts to both the identity mapping and intake mapping UI sections explaining that Datadog requires the assumed-role ARN (STS format) rather than the IAM role ARN shown in the AWS Console. Updates the Source Pattern example to show the full arn:aws:sts:: format. Adds guidance on using aws sts get-caller-identity to find the correct ARN value.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Update workload_identity_federation.md

* Scope WIF warning callout to opening sentence, add aws sts tip for parity

  Move the ARN format list and aws sts get-caller-identity tip outside the alert div so only the opening sentence carries the warning style. Add the tip to the identity mappings warning to match the intake mappings warning.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
content/en/account_management/workload_identity_federation.md
16 additions & 2 deletions
@@ -80,11 +80,18 @@ Navigate to [**Organization Settings** > **Workload Identity Federation**][6] an
80
80
81
81
{{< img src="account_management/workload_identity_federation/identity-mappings-list.png" alt="Identity Mappings tab in the Workload Identity Federation page, showing the Org UUID field and a list of AWS ARN patterns mapped to Datadog users and service accounts" style="width:100%;" >}}
82
82
83
+
<divclass="alert alert-warning">Datadog requires the <strong>assumed-role ARN</strong> in the Source Pattern field, not the IAM role ARN. These two formats are different:</div>
84
+
<ul>
85
+
<li><strong>IAM role ARN</strong> (shown in the AWS Console): <code>arn:aws:iam::123456789012:role/my-role</code></li>
86
+
<li><strong>Assumed-role ARN</strong> (required by Datadog): <code>arn:aws:sts::123456789012:assumed-role/my-role/session-name</code></li>
87
+
</ul>
88
+
To find the assumed-role ARN for your workload, run <code>aws sts get-caller-identity</code> from your workload environment and use the value in the <code>Arn</code> field of the response.
89
+
83
90
To create an identity mapping:
84
91
85
92
1. Click {{< ui >}}+ New Mapping{{< /ui >}}.
86
93
2. Select a **Cloud Provider**.
87
-
3. Enter a **Source Pattern (ARN)**. Use `*` for wildcard patterns (for example, `role/terraform-*`).
94
+
3. Enter a **Source Pattern (ARN)**. Use the assumed-role ARN format and `*` for wildcard patterns (for example, `arn:aws:sts::123456789012:assumed-role/terraform-runner/*`).
88
95
4. Search for and select a **Target Identity**. This is the Datadog user or service account this cloud identity authenticates as.
89
96
5. Click {{< ui >}}Create Mapping{{< /ui >}}.
90
97
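Review bot: the callout's opening tag reads `<divclass="alert alert-warning">` with no space between `div` and `class`; if that is the file content rather than a rendering artifact, the element will not receive the alert styling and should be `<div class="alert alert-warning">`. Separately, the tip tells readers to take the `Arn` value from `aws sts get-caller-identity` as-is, but that value ends in the session name (`assumed-role/my-role/session-name`), which normally differs on every role assumption, so a pattern pasted verbatim would only ever match that one session. Suggest adding a sentence that the last path segment is the session name and that the pattern should usually end in `/*`, as the updated step 3 example `arn:aws:sts::123456789012:assumed-role/terraform-runner/*` already does, while keeping the role segment explicit so the mapping does not widen to other roles in the account.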
@@ -277,11 +284,18 @@ Navigate to [**Organization Settings** > **Workload Identity Federation**][6] an
277
284
278
285
{{< img src="account_management/workload_identity_federation/intake-mappings-list.png" alt="Intake Mappings tab in the Workload Identity Federation page, showing the Org UUID field and a list of AWS ARN patterns authorized for Agent authentication" style="width:100%;" >}}
279
286
287
+
<divclass="alert alert-warning">Datadog requires the <strong>assumed-role ARN</strong> in the Source Pattern field, not the IAM role ARN. These two formats are different:</div>
288
+
<ul>
289
+
<li><strong>IAM role ARN</strong> (shown in the AWS Console): <code>arn:aws:iam::123456789012:role/my-role</code></li>
290
+
<li><strong>Assumed-role ARN</strong> (required by Datadog): <code>arn:aws:sts::123456789012:assumed-role/my-role/session-name</code></li>
291
+
</ul>
292
+
To find the assumed-role ARN for your workload, run <code>aws sts get-caller-identity</code> from your workload environment and use the value in the <code>Arn</code> field of the response.
293
+
280
294
To create an intake mapping:
281
295
282
296
1. Click {{< ui >}}+ New Mapping{{< /ui >}}.
283
297
2. Select a **Cloud Provider**.
284
-
3. Enter a **Source Pattern (ARN)**. Use `*` for wildcard patterns (for example, `role/terraform-*`).
298
+
3. Enter a **Source Pattern (ARN)**. Use the assumed-role ARN format and `*` for wildcard patterns (for example, `arn:aws:sts::123456789012:assumed-role/DatadogAgentRole/*`).
285
299
4. Click {{< ui >}}Create Mapping{{< /ui >}}.
286
300
287
301
{{< img src="account_management/workload_identity_federation/intake-mapping-create.png" alt="Create Intake Mapping dialog with fields for Cloud Provider and Source Pattern ARN, with helper text describing wildcard pattern support" style="width:70%;" >}}
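Review bot: this callout, list and tip are a verbatim copy of the block added in the identity mappings hunk above, including the same `<divclass=` tag with the missing space; consider moving the shared text into a Hugo partial or shortcode so the two copies cannot drift, and fix the tag in both places. As in the first hunk, the step 3 example here (`assumed-role/DatadogAgentRole/*`) wildcards the session segment, which is the right shape for Agent hosts whose session names vary per instance, so the tip above it should say to replace the trailing session name with `*` rather than directing readers to use the `Arn` value unchanged.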