

# Datadog Application Key
<a name="mes-partner-DatadogApplicationKey"></a>

## Secret Value Fields
<a name="w2aac25c11c27b3"></a>

The following are the fields that must be contained in the Secrets Manager secret:

```
{
  "appKey": "{{Application key starting with ddapp_}}",
  "appKeyId": "{{Application key UUID}}",
  "serviceAccountId": "{{Service Account UUID}}"
}
```

appKey  
The Datadog Application key owned by a service account. Starts with `ddapp_` followed by 34 alphanumeric characters.

appKeyId  
The unique identifier (UUID) for the Application key.

serviceAccountId  
The Datadog Service Account ID (UUID) that owns this Application key. Only service account-owned Application keys can be rotated.

## Secret Metadata Fields
<a name="w2aac25c11c27b5"></a>

The following are the metadata fields for Datadog Application Key:

```
{
  "adminSecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:{{DatadogAdminKey}}"
}
```

adminSecretArn  
The Amazon Resource Name (ARN) for a secret of type DatadogAdminKey that contains the administrative Datadog credentials (API key and Application key) used to rotate this secret. The admin secret must belong to the same service account as this Application key.

## Usage Flow
<a name="w2aac25c11c27b7"></a>

This rotation uses a two-secret architecture. An admin secret of type DatadogAdminKey provides authentication credentials. The admin secret's `serviceAccountId` must match the user secret's `serviceAccountId` to prevent privilege escalation.
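A pre-flight check of the field formats and the `serviceAccountId` match described above, as an added example that is not part of this documentation's or the rotation driver's own code. The function name `validate`, the ARN pattern, the canonical-UUID check, and the sample values are assumptions constructed for illustration; the admin secret's `serviceAccountId` is passed in as a plain string.

```python
import json
import re
import uuid

# Format stated on this page: "ddapp_" followed by 34 alphanumeric characters.
APP_KEY_RE = re.compile(r"ddapp_[A-Za-z0-9]{34}")
ARN_RE = re.compile(r"arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+")

# Constructed sample values, not real credentials or identifiers.
SAMPLE_ADMIN_ID = "11111111-2222-4333-8444-555555555555"
SAMPLE_SECRET = json.dumps({
    "appKey": "ddapp_" + "A1b2C3d4E5" * 3 + "F6g7",
    "appKeyId": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
    "serviceAccountId": SAMPLE_ADMIN_ID,
})
SAMPLE_METADATA = json.dumps({
    "adminSecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:ExampleAdmin",
})


def _is_uuid(value):
    """True only for a canonical 8-4-4-4-12 UUID string."""
    try:
        return isinstance(value, str) and str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def validate(secret_json, metadata_json, admin_service_account_id):
    """Return a list of problems (never echoing secret values); empty means OK."""
    try:
        secret, metadata = json.loads(secret_json), json.loads(metadata_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(secret, dict) or not isinstance(metadata, dict):
        return ["secret value and metadata must be JSON objects"]
    problems = []
    app_key = secret.get("appKey")
    if not (isinstance(app_key, str) and APP_KEY_RE.fullmatch(app_key)):
        problems.append("appKey: expected ddapp_ + 34 alphanumeric characters")
    for field in ("appKeyId", "serviceAccountId"):
        if not _is_uuid(secret.get(field)):
            problems.append(f"{field}: expected a UUID")
    arn = metadata.get("adminSecretArn")
    if not (isinstance(arn, str) and ARN_RE.fullmatch(arn)):
        problems.append("adminSecretArn: expected a Secrets Manager secret ARN")
    # Usage Flow rule: both secrets must name the same service account.
    own = secret.get("serviceAccountId")
    if isinstance(own, str) and own.lower() != str(admin_service_account_id).lower():
        problems.append("serviceAccountId: does not match the admin secret")
    return problems
```

Running this before the secret is created catches a malformed key or a service-account mismatch locally, and the returned messages name only the field, never its value.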

You can create your secret using the [CreateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html) call, with the secret value containing the fields described above and the secret type set to DatadogApplicationKey. Set the rotation configuration using a [RotateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RotateSecret.html) call. You must provide the `adminSecretArn` in the rotation metadata. You must also provide a role ARN in the [RotateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RotateSecret.html) call that grants the service the permissions required to rotate the secret. For an example of a permissions policy, see [Security and Permissions](mes-security.md).

During rotation, the driver validates ownership of the current key, creates a new Application key via the Datadog Service Account API, verifies the new key, promotes it to AWSCURRENT, and deletes the old key.