Access and Authentication
A few tools control access and authentication for workflows and their components.
Workflow identity
A workflow can run using the identity of the owner of the workflow, or a service account associated with the workflow. By default, a workflow uses the Datadog user identity of its author.
Use a service account
A service account can be associated with a workflow and act as the identity of the workflow when it runs. A service account can:
- resolve the connections defined in the workflow actions at runtime
- provide an identity for workflow executions
- provide an identity for workflow audit trails
To create a service account for a workflow, you must have either the Datadog admin role, or a custom role with the Service Account Write permission. The service account you create adopts your role and permissions. For more information on service accounts and permissions, see Service accounts or Role based access control.
Associate a service account with a workflow
You can dynamically create a service account for your workflow when you add an automatic trigger.
- Click the cog (Settings) icon.
- Click Create a service account.
- Select a role for your service account user.
- Click Create to save the service account.
- Save your workflow to apply the changes.
When you run a workflow, the service account user resolves the connections defined in the workflow actions. Therefore, the service account user needs the connections_resolve permission. The Datadog Admin Role and the Datadog Standard Role include the connections_resolve permission.
View service account details
- Click the cog (Settings) icon.
- Select your service account from the dropdown menu.
Remove a service account associated with a workflow
- Click the cog (Settings) icon.
- Select your service account from the dropdown menu.
- Click Remove service account.
Action credentials
Because workflow actions connect with external software systems, you may need to authenticate your Datadog account to the corresponding integration. A workflow can run successfully only if every workflow action that requires authentication can verify the identity of your Datadog account.
Workflow actions can be authenticated in two ways:
- Credentials and permissions configured in the integration tile
- Connection credentials
For more information on configuring credentials, see Connections.
Workflow permissions
Use role-based access control (RBAC) to control access to your workflows and connections. To see the list of permissions that apply to workflows and connections, see Datadog Role Permissions.
By default, the author of a workflow or connection is the only user who receives Editor access. The rest of the Datadog organization receives Viewer access to the workflow or connection.
Restrict access on a specific connection
Set permissions on each connection to limit modifications or restrict their use. The granular permissions include Viewer, Resolver, and Editor. By default, only the author of the connection receives Editor access. The author can choose to grant access to additional users, roles, or teams.
- Viewer: Can view the connection
- Resolver: Can resolve and view the connection
- Editor: Can edit, resolve, and view the connection
Resolving a connection includes getting the connection object assigned to a step and retrieving the secret associated with it.
Follow the steps below to modify the permissions on a specific connection:
- Navigate to the Workflow Automation page.
- Click Connections in the upper right. A list of connections appears.
- Hover over the connection on which you would like to set granular permissions. Edit, Permissions, and Delete icons appear on the right.
- Click the padlock (Permissions) icon.
- Select Restrict Access.
- Select a role from the dropdown menu. Click Add. The role you selected populates into the bottom of the dialog box.
- Next to the role name, select your desired permission from the dropdown menu.
- If you would like to remove access from a role, click the trash can icon to the right of the role name.
- Click Save.
Restrict access on a specific workflow
Set permissions on each workflow to restrict modifications or usage of the workflow. The granular permissions include Viewer, Runner, and Editor. By default, only the author of the workflow receives Editor access. The author can choose to grant access to additional users, roles, or teams.
- Viewer: Can view the workflow
- Runner: Can run and view the workflow
- Editor: Can edit, run, and view the workflow
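The connection and workflow permission levels interact, because the workflow's identity resolves connections at run time on behalf of whoever runs the workflow. The following added example (not Datadog code; the dictionary layout and every name in it are constructed, and it assumes grants have been exported into this form) checks that a workflow's run identity holds at least Resolver on each connection it uses, and lists principals who can run the workflow without holding Resolver on those connections themselves.

```python
# Added example: a constructed model, not a Datadog API client.
CONNECTION_LEVELS = {"viewer": 0, "resolver": 1, "editor": 2}
WORKFLOW_LEVELS = {"viewer": 0, "runner": 1, "editor": 2}
RESOLVER = CONNECTION_LEVELS["resolver"]


def connection_level(grants, who, memberships):
    """Highest connection level held by `who` directly or via roles/teams."""
    principals = {who} | memberships.get(who, set())
    held = [CONNECTION_LEVELS[lvl] for p, lvl in grants.items() if p in principals]
    return max(held, default=-1)  # -1 means no grant at all


def audit_workflow(workflow, connections, memberships):
    """Return (blocked, exposure) for one workflow.

    blocked:  connections the run identity cannot resolve.
    exposure: per resolvable connection, principals with Runner or Editor
              on the workflow who lack Resolver on that connection.
    """
    runners = {who for who, lvl in workflow["grants"].items()
               if WORKFLOW_LEVELS[lvl] >= WORKFLOW_LEVELS["runner"]}
    blocked, exposure = [], {}
    for name in workflow["uses"]:
        grants = connections[name]
        if connection_level(grants, workflow["run_as"], memberships) < RESOLVER:
            blocked.append(name)
            continue
        indirect = sorted(who for who in runners
                          if connection_level(grants, who, memberships) < RESOLVER)
        if indirect:
            exposure[name] = indirect
    return blocked, exposure


# Constructed sample data (all names are hypothetical).
MEMBERSHIPS = {"svc-remediate": {"role:automation"}, "alice": {"role:sre"}}
CONNECTIONS = {
    "aws-prod": {"alice": "editor", "role:automation": "resolver"},
    "pagerduty": {"alice": "editor", "role:automation": "viewer"},
}
WORKFLOW = {
    "run_as": "svc-remediate",
    "uses": ["aws-prod", "pagerduty"],
    "grants": {"alice": "editor", "role:oncall": "runner"},
}

if __name__ == "__main__":
    print(audit_workflow(WORKFLOW, CONNECTIONS, MEMBERSHIPS))
```

Reviewing the exposure list before granting Runner to a broad role shows which connection secrets that role would be able to exercise through the workflow.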
You can restrict access on a specific workflow either from the workflow list page or from the workflow canvas while editing the workflow.
Restricting permissions from the workflow list page
- Navigate to the Workflow Automation page.
- Hover over the workflow on which you would like to set granular permissions. Edit, Permissions, and Delete icons appear on the right.
- Click the padlock (Permissions) icon.
- Select Restrict Access.
- Select a role from the dropdown menu. Click Add. The role you selected populates into the bottom of the dialog box.
- Next to the role name, select your desired permission from the dropdown menu.
- If you would like to remove access from a role, click the trash can icon to the right of the role name.
- Click Save.
Restricting permissions from the workflow editor
- In the workflow editor, click the cog (Settings) icon.
- Select Edit Permissions from the dropdown.
- Select Restrict Access.
- Select a role from the dropdown menu. Click Add. The role you selected populates into the bottom of the dialog box.
- Next to the role name, select your desired permission from the dropdown menu.
- If you would like to remove access from a role, click the trash can icon to the right of the role name.
- Click Save.
Do you have questions or feedback? Join the #workflows channel on the Datadog Community Slack.