14 changes: 14 additions & 0 deletions content/en/serverless/aws_lambda/configuration.md
Expand Up @@ -48,6 +48,7 @@ First, [install][1] Datadog Serverless Monitoring to begin collecting metrics, t
- [Configure Auto-linking for DynamoDB PutItem](#configure-auto-linking-for-dynamodb-putitem)
- [Visualize and model AWS services correctly](#visualize-and-model-aws-services-by-resource-name)
- [Send logs to Observability Pipelines](#send-logs-to-observability-pipelines)
- [Authenticate with Workload Identity Federation](#authenticate-with-workload-identity-federation)
- [Reload API key secret periodically](#reload-api-key-secret-periodically)
- [Troubleshoot](#troubleshoot)
- [Further Reading](#further-reading)
Expand Down Expand Up @@ -791,6 +792,17 @@ The updated service modeling configuration is recommended.

See [Send Datadog Lambda Extension Forwarder Logs to Observability Pipelines][58] for more information.

## Authenticate with Workload Identity Federation

Instead of providing a static Datadog API key, you can authenticate the Datadog Lambda extension with [Workload Identity Federation][59]. The extension uses your function's AWS execution role credentials to request a managed Datadog API key that Datadog automatically rotates, so you don't store or rotate a key yourself.

To use Workload Identity Federation:

1. In Datadog, configure an AWS intake mapping that authorizes your function's execution role ARN. For setup steps, see [Set up Workload Identity Federation for the Datadog Agent][59].
2. Set the `DD_ORG_UUID` environment variable on your function to your Datadog organization UUID. To find it, call the [{{< region-param key="dd_api" >}}/api/v2/current_user][60] endpoint. When `DD_ORG_UUID` is set, the extension authenticates with Workload Identity Federation, which takes precedence over other API key environment variables.

This is available for version 96+ of the Datadog Lambda Extension. Workload Identity Federation for the Agent is available for Enterprise plans only.

## Reload API key secret periodically

If you specify the Datadog API key using `DD_API_KEY_SECRET_ARN`, you can also set `DD_API_KEY_SECRET_RELOAD_INTERVAL` to periodically reload the secret. For example, if you set `DD_API_KEY_SECRET_RELOAD_INTERVAL` to `43200`, then the secret is reloaded when the API key is needed to send data, and it has been more than 43200 seconds since the last load.
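Review bot: Step 2 of the new section says Workload Identity Federation "takes precedence over other API key environment variables" without naming them; list the variables that are ignored once `DD_ORG_UUID` is set (the page's own table names `DD_API_KEY`, `DD_KMS_API_KEY`, `DD_API_KEY_SECRET_ARN` and `DD_API_KEY_SSM_ARN`) so an operator migrating away from a static key can tell that a leftover key value is no longer used and can remove it. The section also does not say what the extension does when the execution role ARN is not authorized in the intake mapping, or where that failure surfaces; a sentence pointing at the log level / troubleshooting section for that case would help, since the only other failure mode documented on the page is the secret-reload path. Finally, the plan restriction and the "version 96+" requirement are stated here but the Enterprise-only note is absent from the `DD_ORG_UUID` row added to `agent_configuration.md` in this same change; keep the two in sync.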
Expand Down Expand Up @@ -866,3 +878,5 @@ If you have trouble configuring your installations, set the environment variable
[56]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.html
[57]: /tracing/guide/aws_payload_tagging/?code-lang=python&tab=nodejs
[58]: /observability_pipelines/sources/lambda_extension/
[59]: /account_management/workload_identity_federation/#set-up-workload-identity-federation-for-the-datadog-agent
[60]: https://app.datadoghq.com/api/v2/current_user
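Review bot: Reference `[60]` hardcodes `https://app.datadoghq.com/api/v2/current_user`, while the link text in step 2 is rendered with `{{< region-param key="dd_api" >}}`; readers on other Datadog sites will follow a link to the US1 host and the UUID they retrieve may not be the one for their site. Either build the target from the same region parameter or change the link to point at the API reference for the endpoint rather than a site-specific host.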
3 changes: 3 additions & 0 deletions content/en/serverless/guide/agent_configuration.md
Expand Up @@ -14,6 +14,7 @@ The Agent's [main configuration file][1] is `datadog.yaml`. For the serverless A
| `DD_KMS_API_KEY` | The environment variable with your Datadog API key, using KMS. **One** key environment variable is required. See [serverless CLI environment variables][7]. |
| `DD_API_KEY_SECRET_ARN` | The environment variable with your Datadog API key, using an AWS Secrets Manager secret. **One** key environment variable is required. See [serverless CLI environment variables][7]. |
| `DD_API_KEY_SSM_ARN` | The environment variable with your Datadog API key, using an AWS Systems Manager Parameter Store parameter. **One** key environment variable is required. See [serverless CLI environment variables][7]. |
| `DD_ORG_UUID` | Your Datadog organization UUID. When set, the extension authenticates with [Workload Identity Federation][10] to receive a managed Datadog API key from your function's AWS execution role credentials, instead of using a static key. **One** key environment variable is required. Available for version 96+ of the Datadog Lambda Extension. |
| `DD_API_KEY_SECRET_RELOAD_INTERVAL` | Only applicable when `DD_API_KEY_SECRET_ARN` or `DD_API_KEY_SSM_ARN` is set. The interval (in seconds) at which to periodically reload the API key from AWS Secrets Manager or AWS Systems Manager Parameter Store. The reload is triggered lazily when the API key is needed for a flush and the interval has elapsed. If unset or `0`, the secret is loaded once and never reloaded. Available for version 88+ of the Datadog Lambda Extension. **Best practice for key rotation:** when rotating your API key, keep the old key valid for a grace period after creating the new one, and set this interval to a value shorter than that grace period. This helps ensure the extension always reloads the new key before the old one expires. |
| `DD_LOG_LEVEL` | Set the level for the [Datadog Agent log][8]. |
| `DD_SERVERLESS_FLUSH_STRATEGY` | Datadog Agent flushing strategy. Values permitted are `end` or `periodically[,milliseconds]`. For example, `DD_SERVERLESS_FLUSH_STRATEGY=periodically,100` flushes every 100ms. |
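Review bot: The new `DD_ORG_UUID` row repeats "**One** key environment variable is required", but the UUID is not a key variable and its presence causes the extension to fetch a managed key rather than read one from the environment; reword so the row states that `DD_ORG_UUID` is an alternative to the four key variables above it and that it takes precedence when both are set, matching the precedence statement in `configuration.md`. The row should also carry the Enterprise-plan restriction that `configuration.md` states, and the `DD_API_KEY_SECRET_RELOAD_INTERVAL` row directly below should say whether the reload interval has any effect when `DD_ORG_UUID` is set, since under federation the key is rotated by Datadog rather than reloaded from Secrets Manager.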
Expand Down Expand Up @@ -117,3 +118,5 @@ Send custom metrics with [the StatsD protocol][5]:
[8]: /agent/troubleshooting/debug_mode/?tab=agentv6v7#agent-log-level

[9]: /tracing/trace_collection/library_config/

[10]: /account_management/workload_identity_federation/#set-up-workload-identity-federation-for-the-datadog-agent