Skip to content

feat: Support periodic reload for api key secret #893

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Oct 15, 2025
Merged

feat: Support periodic reload for api key secret #893

merged 8 commits into from
Oct 15, 2025

Conversation

lym953
Copy link
Contributor

@lym953 lym953 commented Oct 14, 2025
edited
Loading

This PR

Supports the env var DD_API_KEY_SECRET_RELOAD_INTERVAL, in seconds. It applies when Datadog API Key is set using DD_API_KEY_SECRET_ARN. For example:

  • if it's 120, then api key will be reloaded about every 120 seconds. Note that reload can only be triggered when api key is used, usually when data is being flushed. If there is no invocation and no data needs to be flushed, then reload won't happen.
  • If it's not set or set to 0, then api key will only be loaded once the first time it is used, and won't be reloaded.

Motivation

Some customers regularly rotate their api key in a secret. We need to provide a way for them to update our cached key.
#834

Testing

Steps

  1. Set the env var DD_API_KEY_SECRET_RELOAD_INTERVAL to 120

  2. Invoke the Lambda every minute

Result

The reload interval is passed to the ApiKeyFactory
image

Reload happens roughly every 120 seconds. It's sometimes longer than 120 seconds due to the reason explained above.
image

Notes to Users

When you use this env var, please also keep a grace period for the old api key after you update the secret to the new key, and make the grace period longer than the reload interval to give the extension sufficient time to reload the secret.

Internal Notes

Jira: https://datadoghq.atlassian.net/browse/SVLS-7572

@lym953 lym953 marked this pull request as ready for review October 14, 2025 15:59
@lym953 lym953 requested a review from a team as a code owner October 14, 2025 15:59
@litianningdatadog
Copy link
Contributor

left a comment

litianningdatadog
litianningdatadog reviewed Oct 14, 2025
View reviewed changes
@lym953 lym953 changed the title feat: Support periodic reload for api key feat: Support periodic reload for api key secret Oct 15, 2025
@lym953 lym953 merged commit 57667af into main Oct 15, 2025
38 checks passed
@lym953 lym953 deleted the yiming.luo/api-key-reload branch October 15, 2025 19:01
@lym953 lym953 linked an issue Oct 17, 2025 that may be closed by this pull request
Cached Datadog api key doesn't play well with snapstart in V84+ #834
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@litianningdatadog litianningdatadog litianningdatadog approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Cached Datadog api key doesn't play well with snapstart in V84+

2 participants

@lym953 @litianningdatadog