VOOZH about

URL: https://docs.datadoghq.com/actions/private_actions/use_private_actions/

⇱ Use Private Actions

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/actions/private_actions/use_private_actions.md. A documentation index is available at /llms.txt.

Use Private Actions

This product is not supported for your selected Datadog site. ().

Overview

Private actions allow your Datadog workflows and apps to interact with services hosted on your private network without exposing your services to the public internet. To use private actions, you must install a private action runner on a host in your network, then pair the runner with a Datadog Connection.

For more information about how private actions work, see the full overview page.

Supported private actions

The following integrations support private actions:

Prerequisites

Choose your installation method based on your environment:

Agent-based installation (recommended)
  • Linux or Windows host with Datadog Agent version 7.77.0 or later
  • Or Kubernetes cluster with Datadog Operator version 1.25.0
  • Network access to Datadog: https://
  • An Application key with on_prem_runner_write scope and Actions API Access enabled
Standalone installation
  • Linux host with 2GB of RAM
  • Network access to Datadog: https://, https://config.
  • Docker (with Docker Compose if preferred) or Kubernetes
  • To use App Builder with private actions, you must be able to point a hostname to the private action runner’s container. This hostname must be resolvable by your App users. App Builder calls the hostname using HTTPS, so you must bring your own SSL termination.

Set up a private action runner

Agent-based installation

The recommended way to install a private action runner is through the Datadog Agent. The runner automatically enrolls with Datadog and appears on the Private Action Runners page.

Using Fleet Automation (recommended)

  1. Go to the Fleet Automation install page for Linux.
  2. In Customize your Agent coverage, go to the Optimization & Remediation section and enable the toggle Enable Agent to take action. This creates an Application key with the on_prem_runner_write scope and Actions API Access enabled.
  3. In Install the Agent, add an API key and follow the instructions to run the installation command.
  4. After installation, go to the Private Action Runners page to verify your runner appears on the list.

Manual installation

Create an Application key

  1. Go to Application Keys.
  2. Click New Key and enter a name.
  3. Under Scopes, select on_prem_runner_write.
  4. Enable Actions API Access.
  5. Click Create Key and copy the key value.

Install or upgrade the Datadog Agent

Run the following command to install or upgrade the Agent and enable the private action runner. Replace the placeholder values:

  • <API_KEY>: Your Datadog API key
  • <APP_KEY>: The Application key you created
  • DD_SITE: Your Datadog site (for example, datadoghq.com)
  • DD_PRIVATE_ACTION_RUNNER_ACTIONS_ALLOWLIST: Comma-separated list of actions to allow. See Available actions for the full list.
DD_API_KEY=<API_KEY> \
DD_APP_KEY=<APP_KEY> \
DD_SITE="datadoghq.com" \
DD_PRIVATE_ACTION_RUNNER_ENABLED=true \
DD_PRIVATE_ACTION_RUNNER_ACTIONS_ALLOWLIST=com.datadoghq.script.runPredefinedScript,com.datadoghq.kubernetes.core.listPod \
bash -c "$(curl -L https://install.datadoghq.com/scripts/install_script_agent7.sh)"

Verify the installation

Go to the Private Action Runners page. You should see a new runner on the list. You can create new connections or start using existing ones.

Install or upgrade the Datadog Agent

If you already have the Datadog Agent installed, upgrade to version 7.77.0 or later. See Upgrade to Agent v7 for instructions.

For new installations, download and run the MSI installer. Replace <API_KEY> with your Datadog API key and update DD_SITE if you’re not using the “datadoghq.com”.

# Download the installer
Invoke-WebRequest -Uri "https://windows-agent.datadoghq.com/datadog-agent-7-latest.amd64.msi" -OutFile datadog-agent-7-latest.amd64.msi
# Install the Agent
Start-Process -Wait -PassThru msiexec -ArgumentList '/qn /l*v install.log /i datadog-agent-7-latest.amd64.msi APIKEY="<API_KEY>" DD_SITE="datadoghq.com"'

Create an Application key

  1. Go to Application Keys.
  2. Click New Key and enter a name.
  3. Under Scopes, select on_prem_runner_write.
  4. Enable Actions API Access.
  5. Click Create Key and copy the key value.

Configure the Agent

Edit the C:\ProgramData\Datadog\datadog.yaml file and add the following configuration:

app_key:<YOUR_APP_KEY>private_action_runner:enabled:trueself_enroll:trueactions_allowlist:- "com.datadoghq.script.runPredefinedPowershellScript"- "com.datadoghq.http.request"

See Available actions for the full list of actions you can add to the allowlist. Not all actions are supported on Windows yet. Safe choices for Windows include HTTP and runPredefinedPowershellScript.

Restart the Agent

Restart the Agent to apply the configuration and enroll the runner:

Restart-Service -Force datadogagent

Verify the installation

Go to the Private Action Runners page. You should see a new runner on the list. You can create new connections or start using existing ones.

Follow these steps to install the Private Action Runner on your Datadog Node Agents and Datadog Cluster Agent.

Using Fleet Automation (recommended)

  1. Go to the Fleet Automation install page.
  2. In Select Agent install method, choose Datadog Operator.
  3. In Select your Kubernetes distribution, choose the distribution that matches your environment.
  4. In Customize your Agent coverage, go to the Optimization & Remediation section and enable the toggle Enable Agent to take action. This creates an Application key with the on_prem_runner_write scope and Actions API Access enabled.
  5. In Add the Datadog Helm repository, add an API key.
  6. Follow the remaining Fleet instructions to complete the installation.

Manual installation

Install the Datadog Operator

Install the Datadog Operator version 1.25.0:

helm repo add datadog https://helm.datadoghq.com
helm repo update
helm install datadog-operator datadog/datadog-operator \
 --set image.repository=registry.datadoghq.com/operator \
 --set image.tag=1.25.0

Create an API key and Application key

  1. Create or choose an API key.
  2. Go to Application Keys and create a new key:
    • Under Scopes, select on_prem_runner_write. This scope is required to register the runner and automatically create connections.
    • Enable Actions API Access.

Create Kubernetes secrets

kubectl create secret generic datadog-secret \
 --from-literal api-key=<YOUR_API_KEY> \
 --from-literal app-key=<YOUR_APP_KEY>

Configure and deploy the Datadog Agent

Create a datadog-agent.yaml file with the following content:

  • Set clusterName to a meaningful name for your cluster.
  • Update site to your Datadog site if you’re not using datadoghq.com.
  • The app-key in the secret is required for the Private Action Runner.
  • Adjust actions_allowlist based on your needs. See Available actions for the full list.
apiVersion:datadoghq.com/v2alpha1kind:DatadogAgentmetadata:name:datadogannotations:agent.datadoghq.com/private-action-runner-enabled:"true"agent.datadoghq.com/private-action-runner-configdata:| private_action_runner:
 enabled: true
 actions_allowlist:
 - "com.datadoghq.script.runPredefinedScript"cluster-agent.datadoghq.com/private-action-runner-enabled:"true"cluster-agent.datadoghq.com/private-action-runner-configdata:| private_action_runner:
 enabled: true
 actions_allowlist:
 - "com.datadoghq.script.runPredefinedScript"
 - "com.datadoghq.kubernetes.core.listPod"spec:global:clusterName:<YOUR_CLUSTER_NAME>site:datadoghq.comcredentials:apiSecret:secretName:datadog-secretkeyName:api-keyappSecret:secretName:datadog-secretkeyName:app-keykubelet:tlsVerify:falseoverride:clusterAgent:replicas:2containers:cluster-agent:command:- /entrypoint.shargs:- datadog-cluster-agent- start- -E=/etc/datadog-agent/privateactionrunner.yamlfeatures:logCollection:enabled:truecontainerCollectAll:trueliveContainerCollection:enabled:true

Deploy the Agent:

kubectl apply -f datadog-agent.yaml

Verify the deployment

Check that the cluster agent pods are running:

kubectl get pods

Check the Private Action Runner logs:

kubectl logs -l app.kubernetes.io/component=cluster-agent --tail=1000 | grep private

You should see logs indicating PAR identity secret creation, self-enrollment success, and the runner starting with its URN.

Go to the Private Action Runners page. You should see a new runner on the list.

Follow these steps to install the Private Action Runner on your Datadog Node Agents and Datadog Cluster Agent using Terraform.

Create an API key and Application key

  1. Create or choose an API key.
  2. Go to Application Keys and create a new key:
    • Under Scopes, select on_prem_runner_write. This scope is required to register the runner and automatically create connections.
    • Enable Actions API Access.

Create the Terraform configuration

Note: You must first deploy without the kubernetes_manifest.datadog_agent resource for the CRDs to be created, then add it back.

Create a Terraform file with the following content. Update eks_cluster and other values as needed:

locals {
 helm_chart_version = "2.19.0"
 operator_version = "1.25.0"
 agent_version = "7.77.0"
 eks_cluster = "<YOUR_CLUSTER_NAME>"
}
variable "datadog_api_key" {
 type = string
}
variable "datadog_app_key" {
 type = string
}
terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
 version = "~> 5.56.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
 version = "~> 3.0.1"
 }
 helm = {
 source = "hashicorp/helm"
 version = "~> 3.1.1"
 }
 }
}
provider "aws" {
 region = "us-east-1"
}
provider "kubernetes" {
 host = data.aws_eks_cluster.target.endpoint
 token = data.aws_eks_cluster_auth.target.token
 cluster_ca_certificate = base64decode(data.aws_eks_cluster.target.certificate_authority[0].data)
}
provider "helm" {
 helm_driver = "configmap"
 kubernetes = {
 host = data.aws_eks_cluster.target.endpoint
 token = data.aws_eks_cluster_auth.target.token
 cluster_ca_certificate = base64decode(data.aws_eks_cluster.target.certificate_authority[0].data)
 }
}
data "aws_eks_cluster" "target" {
 name = local.eks_cluster
}
data "aws_eks_cluster_auth" "target" {
 name = local.eks_cluster
}
resource "kubernetes_namespace_v1" "namespace" {
 metadata {
 name = "datadog"
 }
}
resource "kubernetes_secret_v1" "datadog" {
 metadata {
 name = "datadog-secret"
 namespace = "datadog"
 }
 data = {
 "api-key" = var.datadog_api_key
 "app-key" = var.datadog_app_key
 }
 depends_on = [kubernetes_namespace_v1.namespace]
}
resource "helm_release" "datadog_operator" {
 name = "datadog-operator"
 repository = "https://helm.datadoghq.com"
 chart = "datadog-operator"
 version = local.helm_chart_version
 namespace = "datadog"
 create_namespace = false
 set {
 name = "image.tag"
 value = local.operator_version
 }
 depends_on = [kubernetes_namespace_v1.namespace]
}
resource "kubernetes_manifest" "datadog_agent" {
 manifest = {
 apiVersion = "datadoghq.com/v2alpha1"
 kind = "DatadogAgent"
 metadata = {
 name = "datadog"
 namespace = "datadog"
 annotations = {
 "agent.datadoghq.com/private-action-runner-enabled" = true
 "agent.datadoghq.com/private-action-runner-configdata" = <<EOF
private_action_runner:
 enabled: true
 actions_allowlist:
 - com.datadoghq.script.runPredefinedScript
EOF
 "cluster-agent.datadoghq.com/private-action-runner-enabled" = true
 "cluster-agent.datadoghq.com/private-action-runner-configdata" = <<EOF
private_action_runner:
 enabled: true
 actions_allowlist:
 - com.datadoghq.script.runPredefinedScript
 - com.datadoghq.kubernetes.core.listPod
EOF
 }
 }
 spec = {
 global = {
 clusterName = local.eks_cluster
 site = "datadoghq.com"
 credentials = {
 apiSecret = {
 secretName = "datadog-secret"
 keyName = "api-key"
 }
 appSecret = {
 secretName = "datadog-secret"
 keyName = "app-key"
 }
 }
 }
 features = {
 apm = {
 enabled = true
 }
 liveProcessCollection = {
 enabled = true
 }
 logCollection = {
 enabled = true
 containerCollectAll = true
 }
 processDiscovery = {
 enabled = true
 }
 }
 override = {
 clusterAgent = {
 image = {
 tag = local.agent_version
 }
 containers = {
 "cluster-agent" = {
 command = ["/entrypoint.sh"]
 args = [
 "datadog-cluster-agent",
 "start",
 "-E=/etc/datadog-agent/privateactionrunner.yaml",
 ]
 }
 }
 }
 nodeAgent = {
 image = {
 tag = local.agent_version
 }
 }
 }
 }
 }
 depends_on = [helm_release.datadog_operator]
}

Deploy

terraform init
terraform apply -var="datadog_api_key=<YOUR_API_KEY>" -var="datadog_app_key=<YOUR_APP_KEY>"

Verify the deployment

Check that the cluster agent pods are running:

kubectl get pods -n datadog

Check the Private Action Runner logs:

kubectl logs -l app.kubernetes.io/component=cluster-agent -n datadog --tail=1000 | grep private

Go to the Private Action Runners page. You should see a new runner on the list.

Using Fleet Automation (recommended)

  1. Go to the Fleet Automation install page.
  2. In Select Agent install method, choose Helm Chart.
  3. In Select your Kubernetes distribution, choose the distribution that matches your environment.
  4. In Customize your Agent coverage, go to the Optimization & Remediation section and enable the toggle Enable Agent to take action. This creates an Application key with the on_prem_runner_write scope and Actions API Access enabled.
  5. In Add the Datadog Helm repository, add an API key.
  6. Follow the remaining Fleet instructions to complete the installation.

Manual installation

Prerequisites

  • Helm 3+
  • Kubernetes cluster with access to kubectl

Create a Kubernetes secret

Create a secret containing your API key and Application key. The Application key must have the on_prem_runner_write scope and Actions API Access enabled.

kubectl create secret generic datadog-secret \
 --from-literal=api-key=<API_KEY> \
 --from-literal=app-key=<APP_KEY>

Configure and install the Helm chart

  1. Add the Datadog Helm repository:

    helm repo add datadog https://helm.datadoghq.com
helm repo update

  2. Create a values.yaml file with the following content:

    Note: To customize the actions allowlist, use datadog.privateActionRunner.actionsAllowlist for the node agent and clusterAgent.privateActionRunner.actionsAllowlist for the cluster agent. For all available configuration options, see datadog.privateActionRunner and clusterAgent.privateActionRunner in the Helm chart.

    datadog:apiKeyExistingSecret:datadog-secretappKeyExistingSecret:datadog-secretsite:datadoghq.comclusterName:<YOUR_CLUSTER_NAME>remoteConfiguration:enabled:trueprivateActionRunner:enabled:trueclusterAgent:enabled:trueenv:- name:DD_PRIVATE_ACTION_RUNNER_ACTIONS_ALLOWLISTvalue:"com.datadoghq.http.request,com.datadoghq.kubernetes.core.listPod"agents:enabled:truecontainers:agent:env:- name:DD_PRIVATE_ACTION_RUNNER_ACTIONS_ALLOWLISTvalue:"com.datadoghq.http.request,com.datadoghq.kubernetes.core.listPod"

  3. Install the Datadog Agent with Helm:

    helm install datadog-agent datadog/datadog -f values.yaml

Verify the installation

Go to the Private Action Runners page. You should see a new runner on the list.

Standalone installation

As an alternative to the agent-based installation, you can run the private action runner as a standalone Docker container or Kubernetes deployment.

  1. Go to Actions Catalog > Private Action Runners, and click New Private Action Runner.
  2. Enter a name for your runner and select the allowed actions.
  3. Create a directory on your host where the runner can store its configuration, such as ./config.
  4. Deploy your runner by following the steps for your container platform:

  1. Click Docker.

  2. Run the provided docker run command on your host, replacing ./config with the path to the directory you created for the runner configuration.

    You can safely ignore the error DATADOG TRACER DIAGNOSTIC - Agent Error: connect ECONNREFUSED.

  1. Click Docker Compose.

  2. Create a docker-compose.yaml file and add the provided YAML, or add the runner stanza to an existing Docker Compose file. For information on creating a Docker Compose file, see the official Compose documentation.

  3. Replace ./config with the path to the directory you created for the runner configuration.

  4. Run docker compose up -d.

    You can safely ignore the error DATADOG TRACER DIAGNOSTIC - Agent Error: connect ECONNREFUSED.

  1. Click Kubernetes.
  2. Confirm that you have installed kubectl on your machine: run kubectl version and verify that there is output.
  3. Confirm that you have installed helm on your machine: run helm version and verify that there is output.
  4. Confirm that you have sufficient permissions to create Kubernetes resources in your cluster.
  5. Follow the instructions provided in the app to:
    1. Enroll the runner and generate the config.
    2. Add the Private Action Runner to your Helm repositories.
    3. Install the Helm chart.
  6. Run kubectl get pods -w and verify that the status of the Private Action Runner pod becomes Ready.

Programmatic installation

As an alternative to the UI-based setup, you can enroll and configure a private action runner programmatically using your API key and Application key. This approach is ideal for automated deployments, CI/CD pipelines, and infrastructure-as-code workflows.

To set up the runner programmatically:

  1. Provide your Datadog API and App keys through the DD_API_KEY and DD_APP_KEY environment variables.
  2. Pass the --with-api-key flag to the runner container.

The runner uses these credentials to register itself with your Datadog organization and assign the App key author as the runner editor.

Example commands

Use the following commands to create an auto-enrollment script that can be rerun for automated deployments. After the runner enrolls successfully, it appears on the Private Action Runners page.

Before running the commands, update the following values:

  • RUNNER_NAME: A unique name for your runner.
  • DD_BASE_URL: Your Datadog site URL (for example, https://app.datadoghq.com).
  • ./config: The path to your runner configuration directory.
  • (Optional) Image version: The container image tag to use for the runner.
export DD_API_KEY="<YOUR_API_KEY>"
export DD_APP_KEY="<YOUR_APP_KEY>"
docker run -d \
 -e DD_BASE_URL=<YOUR_DD_SITE> \
 -e DD_PRIVATE_RUNNER_CONFIG_DIR=/etc/dd-action-runner/config \
 -e DD_API_KEY="$DD_API_KEY" \
 -e DD_APP_KEY="$DD_APP_KEY" \
 -e RUNNER_NAME=<YOUR_RUNNER_NAME> \
 -e 'ACTIONS_ALLOWLIST=com.datadoghq.http.request' \
 -v ./config:/etc/dd-action-runner/config \
 gcr.io/datadoghq/private-action-runner:v1.17.1 \
 --with-api-key

Create a docker-compose.yaml file with the following content. For more information, see the official Compose documentation.

# docker-compose.yamlversion:'3.8'services:private-runner:image:gcr.io/datadoghq/private-action-runner:v1.17.1command:["--with-api-key"]environment:DD_API_KEY:${DD_API_KEY}DD_APP_KEY:${DD_APP_KEY}DD_BASE_URL:<YOUR_DD_SITE>DD_PRIVATE_RUNNER_CONFIG_DIR:/etc/dd-action-runner/configRUNNER_NAME:my-compose-runnerRUNNER_MODES:pullACTIONS_ALLOWLIST:"com.datadoghq.http.request"volumes:- "./config:/etc/dd-action-runner/config"

Run with:

export DD_API_KEY="<YOUR_API_KEY>"
export DD_APP_KEY="<YOUR_APP_KEY>"
DD_API_KEY=$DD_API_KEY DD_APP_KEY=$DD_APP_KEY docker compose up -d
  1. Generate the runner configuration:
export DD_API_KEY="<YOUR_API_KEY>"
export DD_APP_KEY="<YOUR_APP_KEY>"
docker run \
 -e DD_BASE_URL=<YOUR_DD_SITE> \
 -e DD_PRIVATE_RUNNER_CONFIG_DIR=/etc/dd-action-runner/config \
 -e DD_API_KEY="$DD_API_KEY" \
 -e DD_APP_KEY="$DD_APP_KEY" \
 -e RUNNER_NAME="my-runner" \
 -e 'ACTIONS_ALLOWLIST=com.datadoghq.http.request' \
 -v ./config:/etc/dd-action-runner/config \
 gcr.io/datadoghq/private-action-runner:v1.17.1 \
 --with-api-key --enroll -f helm-values > values.yaml
  1. Deploy the Helm chart:
helm upgrade --install datadog-par datadog/private-action-runner -f values.yaml

When you see the Ready to use status, you can create a new connection for the runner or see it on the Private Action Runners page:

  • To create a new connection for the runner, click Link Runner to New Connection and select an integration.
  • Click View Runner to see the runner on the Private Action Runners page.

See Connect a runner for more information on pairing your runner with a connection.

Manage access

Use role-based access control (RBAC) to control access to your private action runner. To see the list of permissions that apply to private action runner, see Datadog Role Permissions.

You can set permissions on the runner to restrict modifications or prevent new connections from being attached. Available granular permissions include Viewer, Contributor, and Editor.

By default, only the runner’s creator has Editor access. The creator can grant access to additional users, service accounts, roles, or teams.

Permission levels

Viewer
Can view the runner and the connections attached to it
Contributor
Can view and contribute to the runner by attaching new connections to it
Editor
Can view, contribute (attach new connections), and edit the runner

Set permissions on a runner

  1. Navigate to the Edit page of the runner.
  2. In the Who Has Access? section, click Edit access.
  3. Select a user, service account, role, or team from the dropdown menu, then click Add. The selected principal appears at the bottom of the dialog box.
  4. Next to the principal name, select your desired permission from the dropdown menu.
  5. To remove access from a principal, select Remove access from the permissions dropdown menu.
  6. Click Done to finalize the permissions setup.
  7. Click Save to apply the new permissions to the runner.

Connect a runner

Before you can use an action runner, you must pair it with one or more connections.

To pair a runner to a connection:

  1. From the Workflow Automation or App Builder Connections page, click New Connection.
  2. Select the integration you want to connect with your private action runner. For a list of integrations that support private actions, see Supported private actions.
  3. Add a Connection Name and select your runner from the Private Action Runner dropdown.
  4. Add the paths to any required credential files. For more information on credentials, see Handling Private Action Credentials.

Use a private action

To use a private action in your Workflow Automation workflow or App Builder app:

Edit private runners

Edit connections or delete runners

From the Private Action Runner page in Actions Catalog, you can view all of your private runners together with the workflows or apps that use each runner. To edit the connection for a runner, click View Details. Click the trash can icon to delete a runner.

Change the allowlist of a runner

To edit the allowlist for an agent-based private action runner:

Linux:

  1. Edit the private_action_runner.actions_allowlist section in /etc/datadog-agent/datadog.yaml.
  2. Restart the Agent: sudo systemctl restart datadog-agent

Windows:

  1. Edit the private_action_runner.actions_allowlist section in C:\ProgramData\Datadog\datadog.yaml.
  2. Restart the Agent: Restart-Service -Force datadogagent

Kubernetes (Operator):

  1. Update the actions_allowlist in both DatadogAgent manifest annotations:
    • agent.datadoghq.com/private-action-runner-configdata
    • cluster-agent.datadoghq.com/private-action-runner-configdata
  2. Apply the updated manifest: kubectl apply -f datadog-agent.yaml

To edit the allowlist for a standalone private action runner:

  1. Edit the actionsAllowlist section of the config.yaml file in your runner’s environment and add or remove the relevant actions.
  2. Restart the runner by restarting your container or deployment.

Available actions

Note: To configure script actions (runPredefinedScript for Linux or runPredefinedPowershellScript for Windows), see Run a Script with the Private Action Runner.

Debugging

View logs

cat /var/log/datadog/private-action-runner.log

Get-Content C:\ProgramData\Datadog\logs\private-action-runner.log

kubectl logs -l app.kubernetes.io/component=cluster-agent --tail=1000 | grep private

Further reading