Skip to main content

About Datadog Integration

The Datadog Integration lets Sawmills use Datadog credentials for Datadog-backed features. When you save the Datadog configuration, Sawmills validates the credentials and checks predefined permissions before storing them.

Step-by-Step: Configure Datadog Integration

1. Access Integrations

Open the user menu at the top right and select Integrations.

2. Open Datadog Configuration

In the Integrations section, open Datadog configuration.

3. Enter Credentials

Provide:
  • Datadog API Key
  • Datadog Application Key
  • Datadog Site

Best Practice: Service Account + Custom Role

For production, use a dedicated Datadog service account (not a personal user key).

1. Create a service account in Datadog

Create a service account for Sawmills integration usage.

2. Assign roles

Assign:
  • Datadog Read Only Role (baseline read access)
  • A custom role for extra Sawmills checks, for example: Sawmills Integration Role

3. Add permissions to the custom role

Grant these Datadog permissions (typo-safe). Required to save:
  • logs_read_config
  • dashboards_read
  • monitors_read
  • slos_read
  • notebooks_read
Optional but checked in UI (non-blocking):
  • audit_logs_read
  • logs_live_tail
  • logs_read
  • datalogs_read_index_data
  • usage_notifications_read
  • usage_read
  • logs_read_archives
  • metrics_read
  • timeseries_query

4. Create keys for the service account

  • Create an API key in Datadog.
  • Create an application key for the same service account.
  • Use those keys in Sawmills Datadog integration.

5. Save and Validate

Click Save. Before persisting, Sawmills runs validation and shows:
  • Keys status: Working or Invalid
  • Required permissions status
  • Per-permission status for predefined checks
Save is blocked if keys are invalid or required permissions are missing.

Backend Validation Flow

Validation is enforced in the backend service:
  • POST /v1/notification-integrations/datadog/validate: validates keys and returns per-permission status.
  • POST /v1/notification-integrations: blocks save when keys are invalid or required permissions are missing.
  • PATCH /v1/notification-integrations/{id}: re-validates merged Datadog config before update is persisted.

Required Permission

  • logs_read_config
  • dashboards_read
  • monitors_read
  • slos_read
  • notebooks_read
notebooks_read is required, but notebook data access still follows Datadog sharing rules. The Application Key can only read notebooks visible to the key owner (user or service account). Private or team-restricted notebooks are not readable unless that identity has access.

Predefined Permissions Checked

  • audit_logs_read
  • logs_live_tail
  • logs_read
  • datalogs_read_index_data
  • usage_notifications_read
  • usage_read
  • logs_read_archives
  • metrics_read
  • timeseries_query