Understanding who has accessed a secret, when they accessed it, and what medium they accessed it through is necessary to be confident in your security posture.
Secret Access Logs allow workplaces to understand which actors have accessed a secret. Users with the appropriate permissions can see the actor, access method, the first time it was read, and the most recent time it was read.
For any secret, you can view the access log by clicking the Access Log icon in the secret row.
When the button is clicked, the access log pane will slide out.
Doppler maintains the first and most recent time an actor accessed a secret. Access is defined as any time an actor makes a request to Doppler to view a secret and a payload containing the secret is returned.
Doppler optimistically marks the secret as accessed as soon as the payload is returned, whether it reaches the actor or not.
If the request does not receive a response payload containing the secret value(s), such as in the case of Kubernetes Operator when it receives a 'no update' response, an access event is not recorded.
A viewer can be any actor authorized to view a secret. Each actor is distinctly represented and filterable in the Access Log table. Actors include:
- Service Tokens
- Personal Access Tokens
- CLI Tokens
- Terraform Provider via token
- Kubernetes Operator via token
- API via token
Any time a secret's name or value is mutated, a new version is created. The access logs are available across all versions within the scope of your plan's access history limits.
The viewable amount of access history is bound by the plan you are on. See the pricing page for plan specifics.
Updated 17 days ago