feat: Support periodic reload for api key secret #893
Merged
litianningdatadog approved these changes on Oct 15, 2025
duncanpharvey pushed a commit that referenced this pull request on Mar 10, 2026
# This PR

Supports the env var `DD_API_KEY_SECRET_RELOAD_INTERVAL`, in seconds. It applies when Datadog API Key is set using `DD_API_KEY_SECRET_ARN`. For example:
- If it's `120`, then api key will be reloaded about every 120 seconds. Note that reload can only be triggered when api key is used, usually when data is being flushed. If there is no invocation and no data needs to be flushed, then reload won't happen.
- If it's not set or set to `0`, then api key will only be loaded once the first time it is used, and won't be reloaded.

# Motivation

Some customers regularly rotate their api key in a secret. We need to provide a way for them to update our cached key.

#834

# Testing

## Steps

1. Set the env var `DD_API_KEY_SECRET_RELOAD_INTERVAL` to `120`
2. Invoke the Lambda every minute

## Result

The reload interval is passed to the `ApiKeyFactory`

<img width="711" height="25" alt="image" src="https://github.com/user-attachments/assets/6fcc5081-accb-4928-8fa7-094d36aa2fa1" />

Reload happens roughly every 120 seconds. It's sometimes longer than 120 seconds due to the reason explained above.

<img width="554" height="252" alt="image" src="https://github.com/user-attachments/assets/3fa78249-ff98-47d2-a953-f090630bbeb1" />

# Notes to Users

When you use this env var, please also keep a grace period for the old api key after you update the secret to the new key, and make the grace period longer than the reload interval to give the extension sufficient time to reload the secret.

# Internal Notes

Jira: https://datadoghq.atlassian.net/browse/SVLS-7572
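The reload-on-use behaviour and the grace-period advice above can be checked with a small model. This is an added example, not the extension's code: `CachedKey`, `last_old_key_use`, the `fetch` closure standing in for the secret read, and the use times are all constructed for illustration.

```rust
use std::cell::Cell;
use std::time::{Duration, Instant};

/// Hypothetical model of a lazily reloaded secret; not the extension's ApiKeyFactory.
struct CachedKey<F: FnMut() -> String> {
    fetch: F,                          // stands in for the secret read
    reload_interval: Option<Duration>, // None = unset or 0: load once
    cached: Option<(String, Instant)>, // key and the time it was loaded
}

impl<F: FnMut() -> String> CachedKey<F> {
    fn new(interval_secs: u64, fetch: F) -> Self {
        let reload_interval = (interval_secs > 0).then(|| Duration::from_secs(interval_secs));
        CachedKey { fetch, reload_interval, cached: None }
    }

    /// Called only when the key is needed (e.g. on flush); there is no timer.
    fn get(&mut self, now: Instant) -> String {
        let stale = match (&self.cached, self.reload_interval) {
            (None, _) => true,
            (Some((_, at)), Some(iv)) => now.duration_since(*at) >= iv,
            (Some(_), None) => false,
        };
        if stale {
            self.cached = Some(((self.fetch)(), now));
        }
        self.cached.as_ref().unwrap().0.clone()
    }
}

/// Replays constructed use times (seconds); returns how long after rotation the old key was last used.
fn last_old_key_use(interval_secs: u64, rotate_at: u64, uses: &[u64]) -> Option<u64> {
    let (t0, clock) = (Instant::now(), Cell::new(0u64));
    let fetch = || String::from(if clock.get() >= rotate_at { "new-key" } else { "old-key" });
    let mut cache = CachedKey::new(interval_secs, fetch);
    let mut last = None;
    for &t in uses {
        clock.set(t);
        if cache.get(t0 + Duration::from_secs(t)) == "old-key" && t >= rotate_at {
            last = Some(t - rotate_at);
        }
    }
    last
}

fn main() {
    let uses = [0, 60, 120, 180, 240, 300]; // one invocation per minute
    println!("{:?} {:?}", last_old_key_use(120, 121, &uses), last_old_key_use(0, 121, &uses));
}
```

In this model the old key is never used `interval` seconds or more after the rotation, which is why a grace period longer than the reload interval is enough; with the interval at `0` the old key stays in use for as long as the cache lives.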