Add support for API Key in SSM (#95)

demolitionmode · web-flow · commit 947e4b2f748f · 2020-10-30T14:52:48.000-04:00
diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ If `DD_FLUSH_TO_LOG` is set to `false` (not recommended), the Datadog API Key mu
 - DD_API_KEY - the Datadog API Key in plain-text, NOT recommended
 - DD_KMS_API_KEY - the KMS-encrypted API Key, requires the `kms:Decrypt` permission
 - DD_API_KEY_SECRET_ARN - the Secret ARN to fetch API Key from the Secrets Manager, requires the `secretsmanager:GetSecretValue` permission (and `kms:Decrypt` if using a customer managed CMK)
+- DD_API_KEY_SSM_NAME - the Parameter Name to fetch API Key from the Systems Manager Parameter Store, requires the `ssm:GetParameter` permission (and `kms:Decrypt` if using a SecureString with a customer managed CMK)
 
 You can also supply or override the API key at runtime (not recommended):
 
diff --git a/datadog_lambda/metric.py b/datadog_lambda/metric.py
@@ -136,12 +136,18 @@ def submit_errors_metric(lambda_context):
 # Set API Key and Host in the module, so they only set once per container
 if not api._api_key:
     DD_API_KEY_SECRET_ARN = os.environ.get("DD_API_KEY_SECRET_ARN", "")
+    DD_API_KEY_SSM_NAME = os.environ.get("DD_API_KEY_SSM_NAME", "")
     DD_KMS_API_KEY = os.environ.get("DD_KMS_API_KEY", "")
     DD_API_KEY = os.environ.get("DD_API_KEY", os.environ.get("DATADOG_API_KEY", ""))
     if DD_API_KEY_SECRET_ARN:
         api._api_key = boto3.client("secretsmanager").get_secret_value(
             SecretId=DD_API_KEY_SECRET_ARN
         )["SecretString"]
+    elif DD_API_KEY_SSM_NAME:
+        api._api_key = boto3.client("ssm").get_parameter(
+            Name=DD_API_KEY_SSM_NAME,
+            WithDecryption=True
+        )["Parameter"]["Value"]
     elif DD_KMS_API_KEY:
         api._api_key = boto3.client("kms").decrypt(
             CiphertextBlob=base64.b64decode(DD_KMS_API_KEY)
