docs.doppler.com Open in urlscan Pro
2606:4700::6812:d338  Public Scan

URL: https://docs.doppler.com/docs/secrets-rotation
Submission: On February 01 via api from NL — Scanned from NL

Form analysis 0 forms found in the DOM

Text Content

Jump to Content

GuidesAPICommunity

--------------------------------------------------------------------------------

GuidesAPIStatusCommunitySign Up
Guides
GuidesAPIStatusCommunitySign Up

Guides
Automated Secrets Rotation
Search
CTRL-K
HomeWelcome 👋Get StartedTutorialsDemo VideosSecuritySecrets ManagerDoppler
ShareWorkplaceTeam ManagementDomain VerificationUser GroupsSAML SSO + SCIMAuth0
SAML SSOAWS SAML SSOAzure AD SAML SSOGoogle SAML SSOJumpCloud SAML SSOJumpCloud
SCIMOkta SAML SSOOkta SCIMOneLogin SAML SSOOneLogin SCIMActivity LogsMicrosoft
TeamsSlackSplunkSumo LogicDatadogCustom RolesAccess LogsSecrets ManagerInstall
CLICreate ProjectProject PermissionsDefault Project EnvironmentsService
TokensRoot ConfigsBranch ConfigsSecretsVersioningAutomated Secrets RotationAWS
Secrets RotationAWS MySQLAWS Postgres RotationAWS IAM UserGCP Cloud
SQLTwilioSendGridTrusted IPsWebhooksPull RequestsProject TemplatesDynamic
SecretsAWS IAMEnterprise Key ManagementAWS EKMGCP EKMPlatform
LimitsFAQSEditorsVisual Studio
CodeNode.jsPythonRubyPyCharmWebStormIntegrationsIntegrationsAWS BeanstalkAWS
LambdaAWS Parameter StoreAWS Secrets ManagerAzure App ServiceAzure Key
VaultAzure DevOps PipelinesBitbucket PipelinesBuddyCICodefreshCircleCICloudflare
PagesCloudflare WorkersCloud 66CronDigitalOceanDockerDockerfileContainer Env
VarsHigh AvailabilityDocker ComposeDirenvEAS BuildFirebase FunctionsFly.ioGCP
Cloud BuildGCP Secret ManagerGitHub ActionsGitLab CI /
CDGitPodHerokuJenkinsKubernetesDoppler Secrets OperatorExternal Secrets
OperatorCI/CD Secrets SyncDoppler CLI in DockerfileLaravel ForgeLaravel
VaporNetlifyPipedreamRailwayRenderServerlessSupabaseTerraformTerraform
CDKVercelWebapp.ioFrameworksPM2Vite.jsEctoCommand LineCLI GuideSecrets Setup
GuideSecrets Access GuideSecrets Setting GuideSecret Injection with
TemplatesMultiple CommandsSecret Fallback
FilesTroubleshootingChangelogSUPPORTWindows SupportDoppler CLI GnuPG
RequirementSecrets Manager SLOClient.Timeout Exceeded ErrorsToken not found in
system keyringRemoval of Deprecated ClientsUpdate Package Install
CommandsSDKsNode.jsGoPHPPythonC#RubyUniversal ImportUniversal Import Guide
All
Guides
API
Community

START TYPING TO SEARCH…


HOME

 * Welcome 👋
 * Get Started
 * Tutorials
 * Demo Videos


SECURITY

 * Secrets Manager
 * Doppler Share


WORKPLACE

 * Team Management
 * Domain Verification
 * User Groups
 * SAML SSO + SCIM
   * Auth0 SAML SSO
   * AWS SAML SSO
   * Azure AD SAML SSO
   * Google SAML SSO
   * JumpCloud SAML SSO
   * JumpCloud SCIM
   * Okta SAML SSO
   * Okta SCIM
   * OneLogin SAML SSO
   * OneLogin SCIM
 * Activity Logs
   * Microsoft Teams
   * Slack
   * Splunk
   * Sumo Logic
   * Datadog
 * Custom Roles
 * Access Logs


SECRETS MANAGER

 * Install CLI
 * Create Project
 * Project Permissions
 * Default Project Environments
 * Service Tokens
 * Root Configs
 * Branch Configs
 * Secrets
 * Versioning
 * Automated Secrets Rotation
   * AWS Secrets Rotation
   * AWS MySQL
   * AWS Postgres Rotation
   * AWS IAM User
   * GCP Cloud SQL
   * Twilio
   * SendGrid
 * Trusted IPs
 * Webhooks
 * Pull Requests
 * Project Templates
 * Dynamic Secrets
   * AWS IAM
 * Enterprise Key Management
   * AWS EKM
   * GCP EKM
 * Platform Limits
 * FAQS


EDITORS

 * Visual Studio Code
   * Node.js
   * Python
   * Ruby
 * PyCharm
 * WebStorm


INTEGRATIONS

 * Integrations
 * AWS Beanstalk
 * AWS Lambda
 * AWS Parameter Store
 * AWS Secrets Manager
 * Azure App Service
 * Azure Key Vault
 * Azure DevOps Pipelines
 * Bitbucket Pipelines
 * BuddyCI
 * Codefresh
 * CircleCI
 * Cloudflare Pages
 * Cloudflare Workers
 * Cloud 66
 * Cron
 * DigitalOcean
 * Docker
   * Dockerfile
   * Container Env Vars
   * High Availability
 * Docker Compose
 * Direnv
 * EAS Build
 * Firebase Functions
 * Fly.io
 * GCP Cloud Build
 * GCP Secret Manager
 * GitHub Actions
 * GitLab CI / CD
 * GitPod
 * Heroku
 * Jenkins
 * Kubernetes
   * Doppler Secrets Operator
   * External Secrets Operator
   * CI/CD Secrets Sync
   * Doppler CLI in Dockerfile
 * Laravel Forge
 * Laravel Vapor
 * Netlify
 * Pipedream
 * Railway
 * Render
 * Serverless
 * Supabase
 * Terraform
 * Terraform CDK
 * Vercel
 * Webapp.io


FRAMEWORKS

 * PM2
 * Vite.js
 * Ecto


COMMAND LINE

 * CLI Guide
 * Secrets Setup Guide
 * Secrets Access Guide
 * Secrets Setting Guide
 * Secret Injection with Templates
 * Multiple Commands
 * Secret Fallback Files
 * Troubleshooting
 * Changelog


SUPPORT

 * Windows Support
 * Doppler CLI GnuPG Requirement
 * Secrets Manager SLO
 * Client.Timeout Exceeded Errors
 * Token not found in system keyring
 * Removal of Deprecated Clients
 * Update Package Install Commands


SDKS

 * Node.js
 * Go
 * PHP
 * Python
 * C#
 * Ruby


UNIVERSAL IMPORT

 * Universal Import Guide


AUTOMATED SECRETS ROTATION

Proactively rotating secrets is widely accepted as necessary to maintain a
strong security posture and mitigate risk. Given the hassle that can be involved
with rotating secrets, it is often avoided.

When secrets need to be rotated immediately, like in the event of a breach or
leak, panic often ensues. Building an exhaustive inventory of where a secret is
being used is rarely achievable, let alone under pressure. Typically, this
becomes an 'ask questions later' moment and the secret is blindly changed (which
is often the right strategy).

Luckily, Doppler has developed a set of rotation capabilities that help you do
all of this and more. Automatically.


> 🚧
> 
> THIS FEATURE IS IN BETA


OVERVIEW

Secret rotation is the act of updating a secret with a new value, either
automatically at a defined cadence (preferred) or by manually triggering it.


BENEFITS

The benefits of secrets rotation are many, but can be summarized by:

 * Mitigate Risk: limiting the life time of a secret reduces risk in the event
   of a leak
 * Respond Rapidly: quickly respond from a central location in the event of a
   leak, breach, or intrusion - a simple button push to rotate a secret (and
   soon secrets)
 * Prevent leaks: prevent off-boarded employees from accessing systems they
   previously had access to


DIFFICULTY

Historically, it's been difficult to rotate secrets for a number of reasons.

 * Effort: the scale of secrets to be rotated can reach into the thousands for
   enterprise companies
 * Downtime: If you're not utilizing a multi-secret strategy, rotating secrets
   can introduce downtime
 * Sprawl: without a centralized SecretOps platform, it is difficult to
   guarantee the rotation will propagate to all the locations a secret is being
   used


DOPPLER SECRETS ROTATION TYPES

Doppler's SecretOps platform enables teams to rotate secrets automatically or
manually, regardless of system location.


PROXIED

Proxied rotation allows you to keep your services closed to the public internet
while maintaining the flexibility of using Doppler to manage the rotation. Your
cloud provider's serverless product (AWS Lambda or GCP Cloud Run) is utilized as
the proxy to facilitate rotation.

 * Doppler rotation agents are open source and auditable at any time
 * IAM requirements are least-privilege
 * The audit history lives in your cloud environment
 * Systems are not exposed to the internet


PROXIED ROTATION SECURITY

Proxied rotation was designed to require the minimum possible entitlements;
where entitlements are required, they can be granted with specificity using
features such as IAM conditions.


OPEN SOURCE + SIGNED ROTATION AGENTS

 * All rotation agents are open source
   * If you don't want to use automatic upgrades, you can choose to manually
     upgrade functions once you've read the code
   * The rotation agent code is signed and validated using Doppler's signing
     profile


SIGNED PAYLOADS

 * The invocation payload sent to the rotation agent function is signed and
   validated by the agent using Doppler's public key
 * All communications occurs over HTTPS


API

API rotation utilizes a service's publicly available API to perform rotation


ROTATION REQUIREMENTS

For Doppler to be able to rotate a secret within a service - proxied and API -
the service must support:

 * At least two active secret instances at a time (i.e. two database users)
 * Programmatically creating & deleting or updating secrets


TWO SECRET STRATEGY

A two secret strategy refers to alternating between a pair of secrets to
eliminate downtime. For any secret you wish to rotate, there will be two
instances of the secret - two database users, two API keys, two IAM users, etc.
One instance is the active secret instance, the other is the inactive secret
instance.

When you make a request to Doppler, the active secret instance is returned. The
inactive secret instance is still enabled in your service, but it is not
accessible via Doppler; this allows you to discontinue use of it. Halfway
through each rotation interval, the active and inactive instances are switched.
As well, before being set to active, the secret value is rotated in your
service.


TWO SECRET STRATEGY WITH PROXIED ROTATION

The vast majority of services that are rotated utilizing proxied rotation use
the updater method, meaning a secret instance's value is updated on a defined
cadence. When you create the rotated secret, you provide initial secret values,
which are a pair of secrets (typically credentials). This way, Doppler doesn't
have to create new users in your service (i.e. database) - Doppler can just
update the password.


TWO SECRET STRATEGY WITH API ROTATION

Most but not all secrets rotated via API utilize the issuer method. At rotation
time, a new secret instance is created and then a previous secret instance is
deleted. When creating the rotated secret, a seed is not required - Doppler will
facilitate the creation of every instance.


ROTATION TYPES: ISSUER AND UPDATER

Depending on the service Doppler is connecting to, Doppler will leverage one of
two types of rotation:

The rotation interval is how often, in days, a rotated secret instance is
rotated. As mentioned in two secret strategy, when a secret instance transitions
from inactive to active, its value is rotated.

 * Issuer: at rotation time, a new secret instance is created and the previous
   one is deleted (or inactivated).
 * Updater: at rotation time, the value of the existing secret instance is
   updated

Your interaction with Doppler doesn't change between the two types - it's purely
based on what the integrating service supports. Note: Doppler prefers issuer as
it makes auditability easier.


ROTATION INTERVAL

The rotation period should be set to the longest time in days, amongst all users
of a secret, it takes for an application to restart. It is recommended to add a
little buffer as well.

Example: three applications use a database credential. The application that
restarts/redeploys the least often does so every four months. The rotation
interval shouldn't be any less than four months or downtime could occur.


ZERO DOWNTIME ROTATION

Preventing downtime when rotating secrets is achievable with the two secret
strategy. What zero downtime means to your organization may vary, but any
use-case should be achievable.


UNDERSTANDING THE TWO SECRET STRATEGY

The two user strategy can initially seem complex, but it is extremely useful .
As a recap:

 * Each rotated secret is comprised of two secret instances, but only one secret
   instance is active at a time
   * Active means that when the secret is requested from Doppler by a user, the
     active instance is the only one returned
   * The inactive secret instance is still valid, but it is not returned when
     the rotated secret is requested from Doppler by the user.
     * This gives your applications time to cease using it; this also makes
       selecting your rotation period critical


KUBERNETES AUTOMATIC RESTARTS

Our Kubernetes Operator supports automatically redeploying services when a
secret changes. The operator will detect a secret rotation like any other secret
change, redeploying services if you've configured it to do so.


WEBHOOK TRIGGERS

Any time a change is made to a config, including a automatic and manual
rotation, you can choose to fire a webhook event. You can utilize webhooks to
restart the appropriate applications and services.


INTEGRATION SYNCS

Any time a change is made to a config, including a automatic and manual
rotation, we will re-sync your secrets to any configured integrations.


MANAGING USER

Every rotated secret also has a managing user. This user is used to authenticate
when connecting to the service to perform rotation. By leveraging a managing
user, Doppler is able to reduce the likelihood of an unrecoverable state - that
is, we don't support 'updating yourself'.

Doppler highly recommends that the managing user is used only for rotation and
no other purpose - that is, Doppler is the only place these credentials should
live or be used.


IMMEDIATE ROTATION

At any time, a rotated secret can be immediately rotated. When performed, all
the resulting actions that occur when automatically rotating still take place -
webhook triggers, integration syncs, k8s operator detection, etc.

To immediately rotate a secret

 1. Visit the advanced secrets tab
 2. Locate the secret you want to rotate and click the 3-dot icon in its row
 3. Select Rotate now

 4. Confirm the rotation.

Note: this will cause the rotation interval to be reset.


ERROR HANDLING

We use exponential back-off when we encounter an error trying to perform
rotation. After a defined number of failures, we will send an email to your
account. Your secrets will still remain active and your systems will not be
impacted.


ROTATION NOTIFICATIONS

Like most other events in Doppler, rotations trigger an Activity Log item.
Depending on which plan you're on, you can receive these events in a number of
tools, including Slack, MSFT Teams, Sumo Logic, and Splunk.

As mentioned above, they also trigger webhook events.


STATE OWNERSHIP

You should assume that Doppler 'owns' the state of a secret once you create a
rotated secret, especially for database credentials. If you configure a rotated
secret in Doppler and then manually mutate the state in your system, Doppler
will no longer be returning the 'correct' secret value, can no longer perform
the proper assertions, and will pause rotation.


ROTATION VS. DYNAMIC SECRETS

Secret rotation introduces a host of benefits that reduce risk and improve
security posture. However, for organizations that are interested in further
reducing risk, Dynamic Secrets can be a superior option. However, there are a
number of trade-offs with Dynamic Secrets that must be taken into consideration
including application architecture, latency, etc. If you have any questions or
would like input, shoot us an email support@doppler.com.



Updated about 2 months ago

--------------------------------------------------------------------------------

Versioning
AWS Secrets Rotation
Did this page help you?
Yes
No
 * Table of Contents
 * * Overview
     * Benefits
     * Difficulty
   * Doppler Secrets Rotation Types
     * Proxied
     * Proxied Rotation Security
     * API
   * Rotation Requirements
   * Two secret strategy
     * Two secret strategy with proxied rotation
     * Two secret strategy with API rotation
   * Rotation Types: Issuer and Updater
   * Rotation Interval
   * Zero downtime rotation
   * Managing User
   * Immediate Rotation
   * Error Handling
   * Rotation Notifications
   * State Ownership
   * Rotation vs. Dynamic secrets