Access Logs

Understanding who has accessed a secret, when they accessed it, and what medium they accessed it through is necessary to be confident in your security posture.

Overview

Secret Access Logs allow workplaces to understand which actors have accessed a secret. Users with the appropriate permissions can see the actor, the access method, the first time the secret was read, and the most recent time it was read.

Access Logs by Secret

For any secret, you can view the access log by clicking the Access Log icon in the secret row.

When the button is clicked, the access log pane will slide out.

Access Logs by User

For any user, you can view which configs and active masked secrets that user has accessed. To view these logs, browse to the Team area of the dashboard, then click the user whose logs you'd like to view.

Access

Doppler maintains the first and most recent time an actor accessed a secret. Access is defined as any time an actor makes a request to Doppler to view a secret and a payload containing the secret is returned. Secrets with blank values are not tracked.

Doppler optimistically marks the secret as accessed as soon as the payload is returned, whether it reaches the actor or not.

If the request does not receive a response payload containing the secret value(s), such as when the Kubernetes Operator receives a 'no update' response, an access event is not recorded.
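
The recording rules above, modelled as an added example (not Doppler's code or API). The Response record, its field names, and the sample actors and secrets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Response:
    """Hypothetical record of one response sent to an actor."""
    actor: str
    when: datetime
    secrets: dict           # name -> value in the payload; {} means no payload ('no update')
    delivered: bool = True  # whether the payload actually reached the actor


def build_access_log(responses):
    """Return {(secret, actor): (first_read, last_read)} per the rules above."""
    log = {}
    for r in sorted(responses, key=lambda r: r.when):
        # r.delivered is deliberately ignored: access is marked optimistically,
        # as soon as the payload is returned.
        for name, value in r.secrets.items():
            if value == "":
                continue  # secrets with blank values are not tracked
            first, _ = log.get((name, r.actor), (r.when, r.when))
            log[(name, r.actor)] = (first, r.when)
    return log


def at(hour):
    """Constructed timestamp helper for the sample data."""
    return datetime(2024, 1, 1, hour)


# Constructed sample responses, not real log data.
SAMPLE = [
    Response("user:alice", at(9), {"DB_PASSWORD": "example", "OPTIONAL_FLAG": ""}),
    Response("k8s-operator:prod", at(10), {"DB_PASSWORD": "example"}),
    Response("k8s-operator:prod", at(11), {}),  # 'no update': nothing recorded
    Response("user:alice", at(12), {"DB_PASSWORD": "example"}, delivered=False),
]

ACCESS_LOG = build_access_log(SAMPLE)

if __name__ == "__main__":
    for (secret, actor), (first, last) in sorted(ACCESS_LOG.items()):
        print(f"{secret:12} {actor:18} first={first:%H:%M} last={last:%H:%M}")
```

In this model the operator's 'no update' response at 11:00 leaves its last-read time at 10:00, while the undelivered 12:00 response still advances the user's last-read time.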

Click to reveal secret value

In the Doppler dashboard, a secret's value is not fetched and displayed until the user signals an intent to view it. The user signals that intent by clicking the secret's value input.

Viewers

A viewer can be any actor authorized to view a secret. Each actor is distinctly represented and filterable in the Access Log table. Actors include:

  • Users
  • Service Tokens
  • Personal Access Tokens
  • CLI Tokens
  • Terraform Provider via token
  • Kubernetes Operator via token
  • API via token

Versions

Any time a secret's name or value is mutated, a new version is created. The access logs are available across all versions within the scope of your plan's access history limits.

Access History

The viewable amount of access history is bound by the plan you are on. See the pricing page for plan specifics.