docs.doppler.com
Open in
urlscan Pro
2606:4700::6812:d338
Public Scan
URL:
https://docs.doppler.com/docs/secrets-rotation
Submission: On March 01 via manual from IN — Scanned from DE
Submission: On March 01 via manual from IN — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
Jump to Content
GuidesAPICommunity
--------------------------------------------------------------------------------
GuidesAPIStatusCommunitySign Up
Guides
GuidesAPIStatusCommunitySign Up
Guides
Automated Secrets Rotation
Search
CTRL-K
HomeWelcome 👋Get StartedTutorialsDemo VideosSecuritySecrets ManagerDoppler
ShareWorkplaceTeam ManagementDomain VerificationUser GroupsSAML SSO + SCIMAuth0
SAML SSOAWS SAML SSOAzure AD SAML SSOGoogle SAML SSOJumpCloud SAML SSOJumpCloud
SCIMOkta SAML SSOOkta SCIMOneLogin SAML SSOOneLogin SCIMActivity LogsMicrosoft
TeamsSlackSplunkSumo LogicDatadogCustom RolesAccess LogsSecrets ManagerInstall
CLICreate ProjectWorkplace StructureProject PermissionsDefault Project
EnvironmentsService TokensRoot ConfigsBranch ConfigsSecretsVersioningAutomated
Secrets RotationAWS Secrets RotationAWS MySQLAWS Postgres RotationAWS IAM
UserCloudflare TokensGCP Cloud SQLSendGridTwilioSupporting Rotation in your
ProductTrusted IPsWebhooksPull RequestsProject TemplatesDynamic SecretsAWS
IAMEnterprise Key ManagementAWS EKMGCP EKMPlatform LimitsFAQSEditorsVisual
Studio CodeNode.jsPythonRubyPyCharmWebStormIntegrationsIntegrationsAWS
BeanstalkAWS LambdaAWS Parameter StoreAWS Secrets ManagerAzure App ServiceAzure
Key VaultAzure DevOps PipelinesBitbucket
PipelinesBuddyCICodefreshCircleCICloudflare PagesCloudflare WorkersCloud
66CronDigitalOceanDockerDockerfileContainer Env VarsHigh AvailabilityDocker
ComposeDirenvEAS BuildFirebase FunctionsFly.ioGCP Cloud BuildGCP Secret
ManagerGitHub ActionsGitLab CI / CDGitPodHerokuJenkinsKubernetesDoppler Secrets
OperatorExternal Secrets OperatorCI/CD Secrets SyncDoppler CLI in
DockerfileLaravel ForgeLaravel
VaporNetlifyPipedreamRailwayRenderServerlessSupabaseTerraformTerraform
CDKVercelWebapp.ioFrameworksPM2Vite.jsEctoCommand LineCLI GuideSecrets Setup
GuideSecrets Access GuideSecrets Setting GuideSecret Injection with
TemplatesMultiple CommandsSecret Fallback
FilesTroubleshootingChangelogPostmanDoppler Postman CollectionSUPPORTWindows
SupportDoppler CLI GnuPG RequirementSecrets Manager SLOClient.Timeout Exceeded
ErrorsToken not found in system keyringRemoval of Deprecated ClientsUpdate
Package Install CommandsSDKsNode.jsGoPHPPythonC#RubyUniversal ImportUniversal
Import Guide
All
Guides
API
Community
START TYPING TO SEARCH…
HOME
* Welcome 👋
* Get Started
* Tutorials
* Demo Videos
SECURITY
* Secrets Manager
* Doppler Share
WORKPLACE
* Team Management
* Domain Verification
* User Groups
* SAML SSO + SCIM
* Auth0 SAML SSO
* AWS SAML SSO
* Azure AD SAML SSO
* Google SAML SSO
* JumpCloud SAML SSO
* JumpCloud SCIM
* Okta SAML SSO
* Okta SCIM
* OneLogin SAML SSO
* OneLogin SCIM
* Activity Logs
* Microsoft Teams
* Slack
* Splunk
* Sumo Logic
* Datadog
* Custom Roles
* Access Logs
SECRETS MANAGER
* Install CLI
* Create Project
* Workplace Structure
* Project Permissions
* Default Project Environments
* Service Tokens
* Root Configs
* Branch Configs
* Secrets
* Versioning
* Automated Secrets Rotation
* AWS Secrets Rotation
* AWS MySQL
* AWS Postgres Rotation
* AWS IAM User
* Cloudflare Tokens
* GCP Cloud SQL
* SendGrid
* Twilio
* Supporting Rotation in your Product
* Trusted IPs
* Webhooks
* Pull Requests
* Project Templates
* Dynamic Secrets
* AWS IAM
* Enterprise Key Management
* AWS EKM
* GCP EKM
* Platform Limits
* FAQS
EDITORS
* Visual Studio Code
* Node.js
* Python
* Ruby
* PyCharm
* WebStorm
INTEGRATIONS
* Integrations
* AWS Beanstalk
* AWS Lambda
* AWS Parameter Store
* AWS Secrets Manager
* Azure App Service
* Azure Key Vault
* Azure DevOps Pipelines
* Bitbucket Pipelines
* BuddyCI
* Codefresh
* CircleCI
* Cloudflare Pages
* Cloudflare Workers
* Cloud 66
* Cron
* DigitalOcean
* Docker
* Dockerfile
* Container Env Vars
* High Availability
* Docker Compose
* Direnv
* EAS Build
* Firebase Functions
* Fly.io
* GCP Cloud Build
* GCP Secret Manager
* GitHub Actions
* GitLab CI / CD
* GitPod
* Heroku
* Jenkins
* Kubernetes
* Doppler Secrets Operator
* External Secrets Operator
* CI/CD Secrets Sync
* Doppler CLI in Dockerfile
* Laravel Forge
* Laravel Vapor
* Netlify
* Pipedream
* Railway
* Render
* Serverless
* Supabase
* Terraform
* Terraform CDK
* Vercel
* Webapp.io
FRAMEWORKS
* PM2
* Vite.js
* Ecto
COMMAND LINE
* CLI Guide
* Secrets Setup Guide
* Secrets Access Guide
* Secrets Setting Guide
* Secret Injection with Templates
* Multiple Commands
* Secret Fallback Files
* Troubleshooting
* Changelog
POSTMAN
* Doppler Postman Collection
SUPPORT
* Windows Support
* Doppler CLI GnuPG Requirement
* Secrets Manager SLO
* Client.Timeout Exceeded Errors
* Token not found in system keyring
* Removal of Deprecated Clients
* Update Package Install Commands
SDKS
* Node.js
* Go
* PHP
* Python
* C#
* Ruby
UNIVERSAL IMPORT
* Universal Import Guide
AUTOMATED SECRETS ROTATION
Proactively rotating secrets is widely accepted as necessary to maintain a
strong security posture and mitigate risk. Given the hassle that can be involved
with rotating secrets, it is often avoided.
When secrets need to be rotated immediately, like in the event of a breach or
leak, panic often ensues. Building an exhaustive inventory of where a secret is
being used is rarely achievable, let alone under pressure. Typically, this
becomes an 'ask questions later' moment and the secret is blindly changed (which
is often the right strategy).
Luckily, Doppler has developed a set of rotation capabilities that help you do
all of this and more. Automatically.
> 🚧
>
> THIS FEATURE IS IN BETA
OVERVIEW
Secret rotation is the act of updating a secret with a new value, either
automatically at a defined cadence (preferred) or by manually triggering it.
BENEFITS
The benefits of secrets rotation are many, but can be summarized by:
* Mitigate Risk: limiting the life time of a secret reduces risk in the event
of a leak
* Respond Rapidly: quickly respond from a central location in the event of a
leak, breach, or intrusion - a simple button push to rotate a secret (and
soon secrets)
* Prevent leaks: prevent off-boarded employees from accessing systems they
previously had access to
DIFFICULTY
Historically, it's been difficult to rotate secrets for a number of reasons.
* Effort: the scale of secrets to be rotated can reach into the thousands for
enterprise companies
* Downtime: If you're not utilizing a multi-secret strategy, rotating secrets
can introduce downtime
* Sprawl: without a centralized SecretOps platform, it is difficult to
guarantee the rotation will propagate to all the locations a secret is being
used
DOPPLER SECRETS ROTATION TYPES
Doppler's SecretOps platform enables teams to rotate secrets automatically or
manually, regardless of system location.
PROXIED
Proxied rotation allows you to keep your services closed to the public internet
while maintaining the flexibility of using Doppler to manage the rotation. Your
cloud provider's serverless product (AWS Lambda or GCP Cloud Run) is utilized as
the proxy to facilitate rotation.
* Doppler rotation agents are open source and auditable at any time
* IAM requirements are least-privilege
* The audit history lives in your cloud environment
* Systems are not exposed to the internet
PROXIED ROTATION SECURITY
Proxied rotation was designed to require the minimum possible entitlements;
where entitlements are required, they can be granted with specificity using
features such as IAM conditions.
OPEN SOURCE + SIGNED ROTATION AGENTS
* All rotation agents are open source
* If you don't want to use automatic upgrades, you can choose to manually
upgrade functions once you've read the code
* The rotation agent code is signed and validated using Doppler's signing
profile
SIGNED PAYLOADS
* The invocation payload sent to the rotation agent function is signed and
validated by the agent using Doppler's public key
* All communications occurs over HTTPS
API
API rotation utilizes a service's publicly available API to perform rotation
ROTATION REQUIREMENTS
For Doppler to be able to rotate a secret within a service - proxied and API -
the service must support:
* At least two active secret instances at a time (i.e. two database users)
* Programmatically creating & deleting or updating secrets
TWO SECRET STRATEGY
A two secret strategy refers to alternating between a pair of secrets to
eliminate downtime. For any secret you wish to rotate, there will be two
instances of the secret - two database users, two API keys, two IAM users, etc.
One instance is the active secret instance, the other is the inactive secret
instance.
When you make a request to Doppler, the active secret instance is returned. The
inactive secret instance is still enabled in your service, but it is not
accessible via Doppler; this allows you to discontinue use of it. Halfway
through each rotation interval, the active and inactive instances are switched.
As well, before being set to active, the secret value is rotated in your
service.
TWO SECRET STRATEGY WITH PROXIED ROTATION
The vast majority of services that are rotated utilizing proxied rotation use
the updater method, meaning a secret instance's value is updated on a defined
cadence. When you create the rotated secret, you provide initial secret values,
which are a pair of secrets (typically credentials). This way, Doppler doesn't
have to create new users in your service (i.e. database) - Doppler can just
update the password.
TWO SECRET STRATEGY WITH API ROTATION
Most but not all secrets rotated via API utilize the issuer method. At rotation
time, a new secret instance is created and then a previous secret instance is
deleted. When creating the rotated secret, a seed is not required - Doppler will
facilitate the creation of every instance.
ROTATION TYPES: ISSUER AND UPDATER
Depending on the service Doppler is connecting to, Doppler will leverage one of
two types of rotation:
The rotation interval is how often, in days, a rotated secret instance is
rotated. As mentioned in two secret strategy, when a secret instance transitions
from inactive to active, its value is rotated.
* Issuer: at rotation time, a new secret instance is created and the previous
one is deleted (or inactivated).
* Updater: at rotation time, the value of the existing secret instance is
updated
Your interaction with Doppler doesn't change between the two types - it's purely
based on what the integrating service supports. Note: Doppler prefers issuer as
it makes auditability easier.
ROTATION INTERVAL
The rotation period should be set to the longest time in days, amongst all users
of a secret, it takes for an application to restart. It is recommended to add a
little buffer as well.
Example: three applications use a database credential. The application that
restarts/redeploys the least often does so every four months. The rotation
interval shouldn't be any less than four months or downtime could occur.
ZERO DOWNTIME ROTATION
Preventing downtime when rotating secrets is achievable with the two secret
strategy. What zero downtime means to your organization may vary, but any
use-case should be achievable.
UNDERSTANDING THE TWO SECRET STRATEGY
The two user strategy can initially seem complex, but it is extremely useful .
As a recap:
* Each rotated secret is comprised of two secret instances, but only one secret
instance is active at a time
* Active means that when the secret is requested from Doppler by a user, the
active instance is the only one returned
* The inactive secret instance is still valid, but it is not returned when
the rotated secret is requested from Doppler by the user.
* This gives your applications time to cease using it; this also makes
selecting your rotation period critical
KUBERNETES AUTOMATIC RESTARTS
Our Kubernetes Operator supports automatically redeploying services when a
secret changes. The operator will detect a secret rotation like any other secret
change, redeploying services if you've configured it to do so.
WEBHOOK TRIGGERS
Any time a change is made to a config, including a automatic and manual
rotation, you can choose to fire a webhook event. You can utilize webhooks to
restart the appropriate applications and services.
INTEGRATION SYNCS
Any time a change is made to a config, including a automatic and manual
rotation, we will re-sync your secrets to any configured integrations.
MANAGING USER
Every rotated secret also has a managing user. This user is used to authenticate
when connecting to the service to perform rotation. By leveraging a managing
user, Doppler is able to reduce the likelihood of an unrecoverable state - that
is, we don't support 'updating yourself'.
Doppler highly recommends that the managing user is used only for rotation and
no other purpose - that is, Doppler is the only place these credentials should
live or be used.
IMMEDIATE ROTATION
At any time, a rotated secret can be immediately rotated. When performed, all
the resulting actions that occur when automatically rotating still take place -
webhook triggers, integration syncs, k8s operator detection, etc.
To immediately rotate a secret
1. Visit the advanced secrets tab
2. Locate the secret you want to rotate and click the 3-dot icon in its row
3. Select Rotate now
4. Confirm the rotation.
Note: this will cause the rotation interval to be reset.
ERROR HANDLING
We use exponential back-off when we encounter an error trying to perform
rotation. After a defined number of failures, we will send an email to your
account. Your secrets will still remain active and your systems will not be
impacted.
ROTATION NOTIFICATIONS
Like most other events in Doppler, rotations trigger an Activity Log item.
Depending on which plan you're on, you can receive these events in a number of
tools, including Slack, MSFT Teams, Sumo Logic, and Splunk.
As mentioned above, they also trigger webhook events.
STATE OWNERSHIP
You should assume that Doppler 'owns' the state of a secret once you create a
rotated secret, especially for database credentials. If you configure a rotated
secret in Doppler and then manually mutate the state in your system, Doppler
will no longer be returning the 'correct' secret value, can no longer perform
the proper assertions, and will pause rotation.
ROTATION VS. DYNAMIC SECRETS
Secret rotation introduces a host of benefits that reduce risk and improve
security posture. However, for organizations that are interested in further
reducing risk, Dynamic Secrets can be a superior option. However, there are a
number of trade-offs with Dynamic Secrets that must be taken into consideration
including application architecture, latency, etc. If you have any questions or
would like input, shoot us an email support@doppler.com.
Updated 3 months ago
--------------------------------------------------------------------------------
Versioning
AWS Secrets Rotation
Did this page help you?
Yes
No
* Table of Contents
* * Overview
* Benefits
* Difficulty
* Doppler Secrets Rotation Types
* Proxied
* Proxied Rotation Security
* API
* Rotation Requirements
* Two secret strategy
* Two secret strategy with proxied rotation
* Two secret strategy with API rotation
* Rotation Types: Issuer and Updater
* Rotation Interval
* Zero downtime rotation
* Managing User
* Immediate Rotation
* Error Handling
* Rotation Notifications
* State Ownership
* Rotation vs. Dynamic secrets