Troubleshooting Datadog AWS integration stackset deployment failure with HTTP error 403

Hi, I'm trying to get Datadog set up for my org, but when trying to deploy the AWS integration StackSet I'm getting a failure status right away from the “DatadogAPICall” custom resource. It fails to create, then fails to delete. The logs say “Exception during processing: HTTP Error 403: Forbidden”. This is happening in a target account (StackSet being deployed to OA). I'm using this guide: https://docs.datadoghq.com/integrations/guide/aws-organizations-setup/#setup . I am logged in as a full access user on the management account, which has all org features enabled. Anyone have any insight, or should I reach out to support directly?

If you are trying to deploy it via CF and are trying to install the Lambda Forwarder, that is more than likely an S3 bucket creation issue. I gave up on it, but here is what support had sent me before I gave up:

• Can you confirm if you already have an IAM role with the same name as the one the CF template is trying to create?
• Do you have an IAM role for CloudFormation that denies s3 access?
• Do you have a Secure copy protocol (SCP) that could be blocking s3 access?

If you turn off the Lambda Forwarder, it will probably deploy. I decided to use the integration into our Lambda code.

Hey, thanks for getting back. I'm not even at the Lambda Forwarder or log ingestion parts; that's a separate step of the process (and a different setup overall). Right now I'm just going through the steps that create the Datadog roles and metrics access. From the docs:

The Datadog CloudFormation StackSet performs the following steps:

  1. Deploys the Datadog AWS CloudFormation Stack in every account under an AWS Organization or Organizational Unit.
  2. Automatically creates the necessary IAM role and policies in the target accounts.
  3. Automatically initiates ingestion of AWS CloudWatch metrics and events from the AWS resources in the accounts.
  4. Optionally disables metric collection for the AWS infrastructure. This is useful for Cloud Cost Management (CCM) or Cloud Security Management Misconfigurations (CSM Misconfigurations) specific use cases.
  5. Optionally configures CSM Misconfigurations to monitor resource misconfigurations in your AWS accounts.
    Note: The StackSet does not set up log forwarding in the AWS accounts. To set up logs, follow the steps in the Log Collection guide (https://docs.datadoghq.com/integrations/amazon_web_services/#log-collection).
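To pin down which resource actually failed and whether the reason is the custom resource's own HTTP 403 (as in the original post) or an AWS-side denial (the IAM role / SCP checks in the support checklist above), it helps to triage the stack events of the failed stack instance rather than the StackSet summary. The script below is an added example for this thread, not Datadog's or AWS's own code. The event records are constructed to look like the output of `aws cloudformation describe-stack-events` for the failing target account, the resource type `Custom::DatadogAPICall` and stack/role names are assumptions, and the classification rules are this example's own heuristics (the `explicit deny in a service control policy` and `already exists` wordings are what AWS error messages look like for those causes).

```python
"""Triage a failed Datadog CloudFormation stack instance from its stack events.

Added example for this thread, not Datadog's or AWS's own tooling. Event
records are constructed to match the shape of
`aws cloudformation describe-stack-events`; resource/stack names are assumed.
"""
import json
import re
import sys

# Constructed sample (newest first, as the CLI returns them) mirroring the
# thread: the custom resource fails to create, then fails to delete during
# rollback, leaving the stack in ROLLBACK_FAILED. Names are assumptions.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-01T00:00:05Z", "LogicalResourceId": "DatadogIntegrationStack",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "ROLLBACK_FAILED",
     "ResourceStatusReason": "The following resource(s) failed to delete: [DatadogAPICall]."},
    {"Timestamp": "2024-01-01T00:00:04Z", "LogicalResourceId": "DatadogAPICall",
     "ResourceType": "Custom::DatadogAPICall", "ResourceStatus": "DELETE_FAILED",
     "ResourceStatusReason": "Exception during processing: HTTP Error 403: Forbidden"},
    {"Timestamp": "2024-01-01T00:00:03Z", "LogicalResourceId": "DatadogAPICall",
     "ResourceType": "Custom::DatadogAPICall", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Exception during processing: HTTP Error 403: Forbidden"},
    {"Timestamp": "2024-01-01T00:00:02Z", "LogicalResourceId": "DatadogIntegrationRole",
     "ResourceType": "AWS::IAM::Role", "ResourceStatus": "CREATE_COMPLETE"},
    {"Timestamp": "2024-01-01T00:00:01Z", "LogicalResourceId": "DatadogIntegrationStack",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "CREATE_IN_PROGRESS",
     "ResourceStatusReason": "User Initiated"},
]

FAILED_STATES = ("CREATE_FAILED", "DELETE_FAILED", "UPDATE_FAILED")


def first_failure(events):
    """Return the earliest *_FAILED event for a concrete resource.

    The stack's own roll-up events (ResourceType AWS::CloudFormation::Stack)
    only repeat the child failure, so they are skipped to find the root cause.
    """
    failures = [e for e in events
                if e.get("ResourceStatus") in FAILED_STATES
                and e.get("ResourceType") != "AWS::CloudFormation::Stack"]
    if not failures:
        return None
    return min(failures, key=lambda e: e["Timestamp"])


def classify_reason(event):
    """Bucket a failure reason into one of a few causes (heuristics, assumed).

    Order matters: an SCP denial also contains "not authorized", so it is
    checked before the generic IAM denial pattern.
    """
    reason = event.get("ResourceStatusReason", "")
    rtype = event.get("ResourceType", "")
    if rtype.startswith("Custom::") and re.search(r"HTTP Error 403", reason):
        # The Lambda backing the custom resource was refused by the HTTP API
        # it called; this is not an AWS IAM/SCP denial of CloudFormation.
        return "custom-resource-http-403"
    if re.search(r"service control policy", reason, re.I):
        return "scp-deny"
    if re.search(r"AccessDenied|not authorized|explicit deny", reason, re.I):
        return "aws-access-denied"
    if re.search(r"already exists", reason, re.I):
        return "name-collision"
    return "unknown"


def triage(events):
    """Summarize the root-cause failure, or None if nothing failed."""
    event = first_failure(events)
    if event is None:
        return None
    return {
        "logical_id": event["LogicalResourceId"],
        "resource_type": event["ResourceType"],
        "status": event["ResourceStatus"],
        "reason": event.get("ResourceStatusReason", ""),
        "bucket": classify_reason(event),
    }


if __name__ == "__main__":
    # Usage: pipe real output in, e.g.
    #   aws cloudformation describe-stack-events --stack-name <stack> | python triage.py
    # With no stdin, the constructed sample above is used.
    if sys.stdin.isatty():
        events = SAMPLE_EVENTS
    else:
        events = json.load(sys.stdin).get("StackEvents", [])
    print(json.dumps(triage(events), indent=2))
```

For a StackSet, take the stack name from `aws cloudformation list-stack-instances --stack-set-name <name>` in the target account that failed, then run `describe-stack-events` there with credentials for that account; the 403 in the thread is reported by the custom resource itself, so the `custom-resource-http-403` bucket separates it from an S3 or IAM denial that the support checklist is aimed at.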

This is what I was talking about. If you go into Integrations / AWS / Add new accounts, I set “Send AWS Logs to Datadog” and the stack deployed without errors.