Allow Docker Agent to bootstrap with api_key: ENC[…] (secrets backend) instead of requiring DD_API_KEY env var #40454

@barakpp

In Datadog Agent 7.64+ (and especially 7.67+), the Agent binary supports:

  • built-in secret backends (secret_backend_type), including Azure Key Vault,
  • defining api_key: ENC[…] in datadog.yaml,
  • and auto-refreshing API/App keys at runtime with secret_refresh_interval.

This works for host-based installs (systemd/Windows service).
However, the official Docker Agent image refuses to start unless a DD_API_KEY environment variable is set:
"You must set a DD_API_KEY environment variable to run the Datadog Agent container"

That pre-flight check happens in /init before the Agent reads datadog.yaml.
As a result, Docker users cannot use the new secrets backends for API key rotation; they must still bootstrap and inject DD_API_KEY manually and restart containers when the key rotates.

Suggested solution:
Update the Docker Agent startup logic so that:

  • If api_key is defined in /etc/datadog-agent/datadog.yaml (including ENC[…] secret handles), the Agent should start and use that.
  • Only fall back to requiring DD_API_KEY env if no valid API key is found in config.

This would allow containerized Agents to use built-in secret backends for API key management and rotation, exactly as host-based Agents can.
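The start-up order proposed in this issue can be sketched as a POSIX shell pre-flight check. This is an added example, not part of the original issue and not the image's actual /init code; the function names, the `--check` argument and the `DATADOG_YAML` override are hypothetical. It assumes `api_key` is a simple top-level `key: value` line and leaves resolving the `ENC[…]` handle to the Agent.

```shell
#!/bin/sh
# Hypothetical pre-flight check following the order proposed in the issue:
# accept an api_key from datadog.yaml first, require DD_API_KEY only as fallback.
DATADOG_YAML="${DATADOG_YAML:-/etc/datadog-agent/datadog.yaml}"

# Print the value of the top-level api_key line, or nothing if absent.
# Assumption: a plain "api_key: value" line; commented-out and indented
# (nested) keys are ignored, surrounding quotes and trailing comments dropped.
config_api_key() {
    [ -r "$1" ] || return 0
    sed -n 's/^api_key:[[:space:]]*//p' "$1" | head -n 1 |
        sed -e 's/^#.*$//' -e 's/[[:space:]]\{1,\}#.*$//' \
            -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Report what would satisfy the check:
#   config-secret  api_key is an ENC[handle] for the secrets backend
#   config-plain   api_key is a literal value in the file
#   env            no usable api_key in the file, DD_API_KEY is set
#   none           neither source is available
api_key_source() {
    key=$(config_api_key "$1")
    case "$key" in
        ENC\[?*\]) echo "config-secret" ;;
        "" | "ENC[]")
            if [ -n "${DD_API_KEY:-}" ]; then echo "env"; else echo "none"; fi ;;
        *) echo "config-plain" ;;
    esac
}

# Fail only when no source exists. The key value itself is never printed,
# so a literal key in the config does not end up in container logs.
preflight() {
    src=$(api_key_source "$1")
    if [ "$src" = "none" ]; then
        echo "No api_key in $1 and DD_API_KEY is not set" >&2
        return 1
    fi
    echo "API key source: $src" >&2
}

# Run the check only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    preflight "$DATADOG_YAML"
    exit $?
fi
```

A `config-plain` result is worth surfacing in review: a literal key in a mounted datadog.yaml cannot be rotated by the secrets backend and is readable by anyone with access to the file.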
