GuidesAPISupportStatusCommunitySign Up

AWS Secrets Manager

Sync environment variables to AWS Secrets Manager.

This guide will show you how to set up automatic syncing of Doppler secrets to AWS Secrets Manager.

Prerequisites

  • AWS Console Access
  • AWS IAM access
    • Ability to create IAM roles and Policies
    • Ability to access IAM users

Authorization

Navigate to the project you would like to integrate, click Integrations from the Projects menu, then select AWS Secrets Manager to begin the authorization process.

If this is your first time setting up an integration with AWS Secrets Manager, you'll see the following screen

  • Integration Name: A descriptor for the integration that will be displayed throughout Doppler
  • AWS Role ARN: ARN for the role that Doppler will use to assume into your AWS account. Instructions are covered below

Role Assumption

Doppler uses an IAM role you provide to assume into your account. The role will leverage the policy below.

Policy

  1. Navigate to the Create New Policy section in the AWS IAM console
  2. Switch to the JSON tab
  3. Enter the following policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSecretsManagerAccess",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:PutSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:TagResource",
                "secretsmanager:UpdateSecret"
            ],
            "Resource": "*"
        }
    ]
}
  1. Optionally provide tags
  2. Name your policy and hit create

Role

  1. Navigate to the create role section of the AWS IAM console
  2. Select AWS account for the Trusted entity type
  3. Select Another AWS account under An AWS account
    1. Enter 299900769157 for the Account ID. This is Doppler's account ID.
  4. Under Options check Require external ID
    1. Enter your workplace slug for the External ID. You can obtain your workplace slug by visiting the Doppler dashboard. In the URL, grab the value after /workplace/
    2. Leave require MFA unchecked
  5. Attach the policy you created above.
  6. Complete the role setup. When the role is created, click the link to it to view its details
  7. Copy its ARN

Configuration

Now chose the config to sync, the AWS region, and optionally, the Path which is used as the secret name prefix. Doppler determines the secret name in AWS Secrets Manager using the format {path}/doppler. For example, if Path is /yodaspeak/production/, the secret will be named /yodaspeak/production/doppler.

1646

Click Setup Integration and Doppler will instantly sync your secrets to AWS! To confirm the integration is working correctly, you can view the secret created in Secrets Manager by clicking the DESTINATION link.

1646

Importing Secrets

The AWS Secrets Manager integration doesn't currently support importing secrets. However, it's possible to import secrets programmatically using a script like this:

#!/bin/bash

# Check if jq is installed
if ! command -v jq &> /dev/null; then
    echo "jq could not be found, please install jq to process JSON data."
    exit 1
fi

# Check if aws is installed
if ! command -v aws &> /dev/null; then
    echo "aws could not be found, please install the aws CLI."
    exit 1
fi

# Check if doppler is installed
if ! command -v doppler &> /dev/null; then
    echo "doppler could not be found, please install the doppler CLI."
    exit 1
fi

# Configuration Variables
STRIP_SECRET_PATH="false" # strip path from secret name (e.g., changes 'some/path/secret-name' to 'secret-name')
DOPPLER_PROJECT_NAME="your-doppler-project-name"
DOPPLER_CONFIG_NAME="your-doppler-config-name"
AWS_SECRET_ARN="your-aws-secret-arn"

# Get the name of the secret from its metadata
secret_name=$(aws secretsmanager describe-secret --secret-id "$AWS_SECRET_ARN" --query 'Name' --output text)

# Strip the path from the secret name
if [ "$STRIP_SECRET_PATH" = "true" ]; then
    secret_name=$(echo "$secret_name" | awk -F/ '{print $NF}')
fi

# Convert secret name to uppercase and replace disallowed characters with underscores
NORMALIZED_SECRET_NAME=$(echo "$secret_name" | tr '[:lower:]' '[:upper:]' | sed 's/[^A-Z0-9]/_/g')

# Fetch the secret value from AWS Secrets Manager
secret_value=$(aws secretsmanager get-secret-value --secret-id "$AWS_SECRET_ARN" --query 'SecretString' --output text)

SECRETS_JSON=""
# Determine if the secret value is valid JSON
if echo "$secret_value" | jq -e . &> /dev/null; then
    # It's JSON, process all keys to uppercase and save
    SECRETS_JSON=$(echo "$secret_value" | jq 'with_entries(.key |= ascii_upcase)')
else
    # It's plaintext, use the formatted secret name
    SECRETS_JSON="{ \"$NORMALIZED_SECRET_NAME\": \"$secret_value\" }"
fi

# Check if the transformation was successful
if ! ( echo "$SECRETS_JSON" | jq -e . &> /dev/null ); then
    echo "Failed to process JSON data."
    exit 1
fi

# Upload the JSON file to Doppler
doppler secrets upload --project $DOPPLER_PROJECT_NAME --config $DOPPLER_CONFIG_NAME <(echo "$SECRETS_JSON")

If the secret you're importing contains many key/value secret pairs, it will import all of those as separate secrets. If the secret is a plaintext secret, it will import that as a single secret where the name is the normalized path (i.e., it's converted to uppercase and has any character that isn't alphanumeric converted to an underscore). For example, devops/some-app-name/dev/stripe-api-key would be imported as DEVOPS_SOME_APP_NAME_DEV_STRIPE_API_KEY. You can set STRIP_SECRET_PATH to true to have that imported as STRIPE_API_KEY instead.

👍

Amazing Work!

You've successfully set up the Doppler AWS Secrets Manager integration! Every time you update your secrets in Doppler, we will automatically update them in AWS Secrets Manager.

Updated 4 days ago