Case Study: Datadog secures secrets at scale with HashiCorp Vault

A HashiCorp Case Study

Preview of the Datadog Case Study

Secrets at Scale With HashiCorp Vault at Datadog

Datadog, a SaaS observability platform, needed a secure way to manage and access hundreds of customer-supplied credentials used for third-party integrations. Its existing homegrown secrets engine could not meet future scale, finer-grained access control, or auditing needs, especially because Datadog had to protect both its own secrets and customers’ secrets.

To solve this, Datadog implemented HashiCorp Vault as the core of a new secrets service, using Vault’s transit secrets engine, ACLs, auditing, and flexible authentication across cloud providers and Kubernetes. HashiCorp Vault enabled per-customer secret encryption, revocation, and rollback, and the system scaled from a 1x baseline to 7.6x load without hitting limits. Datadog also fixed a Vault AWS auth issue, which reduced login time from 20 seconds to 0.3 seconds, and the service has run successfully in production for over two years.



Datadog

Andrew Glen-Young

Site Reliability Engineering


HashiCorp
