Documentation
SupportStatusCommunitySign Up

AWS SQS

Learn how to forward Activity Logs to an Amazon SQS queue

This guide will show you how to send workplace Activity Logs to an Amazon SQS queue. Doppler delivers logs by assuming an IAM role you create, so there are no long-lived AWS access keys to manage or rotate.

šŸ“·

Requires an upgraded subscription

This feature is exclusive to our Enterprise Plan. Book a demo to see it in action.

Prerequisites

  • AWS Console Access
  • AWS IAM access
    • Ability to create IAM roles and Policies
  • An Amazon SQS queue (Standard type)
  • Doppler Enterprise plan

Overview

When a new Activity Log entry is generated in your Doppler workplace, Doppler assumes an IAM role in your AWS account and sends the log as a message to the SQS queue you specify. From there, you can fan the messages out to any downstream consumer ā€” Lambda, a self-hosted log processor, an EventBridge pipe, or your SIEM of choice.

Create an SQS Queue

If you don't already have an SQS queue to use, create one:

  1. Navigate to the SQS console
  2. Click Create queue
  3. Select Standard queue type
šŸ“˜

Why Standard instead of FIFO?

Activity Log messages are independent events and do not require strict ordering. Standard queues offer
higher throughput and lower cost. FIFO queues are not currently supported.

  1. Give your queue a name (e.g., doppler-activity-logs)
  2. Configure Encryption, Access policy, Dead-letter queue, and other settings as appropriate for your organization. The defaults are sufficient to get started.
  3. Click Create queue
  4. Copy the Queue URL from the queue details page ā€” you'll need it when configuring Doppler
šŸš§

KMS-encrypted queues

If you choose AWS KMS for encryption with a customer-managed key (rather than the default SSE-SQS or an AWS-managed key), you must also grant the Doppler role kms:Decrypt and kms:GenerateDataKey on the key and update the key's policy to allow the role to use it. See the Custom KMS Key policy tab below.

Authorization

Doppler uses an IAM role you provide to assume into your account and send messages to your SQS queue.

Policy

  1. Navigate to the Create New Policy section in the AWS IAM console
  2. Switch to the JSON tab
  3. Enter the appropriate policy from the options below, replacing the Resource value with the ARN of your SQS queue. If the queue uses a custom KMS key for server-side encryption, be sure to use the Custom KMS Key policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSQSSendMessage",
      "Effect": "Allow",
      "Action": ["sqs:SendMessage"],
      "Resource": "<your SQS queue ARN>"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSQSSendMessage",
      "Effect": "Allow",
      "Action": ["sqs:SendMessage"],
      "Resource": "<your SQS queue ARN>"
    },
    {
      "Sid": "AllowKMSAccess",
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "<your KMS key ARN>"
    }
  ]
}
  1. Optionally provide tags
  2. Name your policy and hit create

Role

  1. Navigate to the create role section of the AWS IAM console

  2. Select AWS account for the Trusted entity type

  3. Select Another AWS account under An AWS account

    1. Enter 299900769157 for the Account ID. This is Doppler's account ID.

      šŸ“˜

      By default, AWS creates this trust relationship at the root level (i.e., using an ARN like arn:aws:iam::299900769157:root), which grants permission to any user in Doppler's AWS account. Practically speaking, this is fine because this account is used specifically for production AWS integrations and is locked down securely. However, if you want to lock it down further, you can modify the ARN in the JSON definition to arn:aws:iam::299900769157:user/doppler-integration-operator so it's restricted to the specific user being used for integration operations.

  4. Under Options check Require external ID

    1. Enter your workplace slug for the External ID. You can obtain your workplace slug by visiting the Doppler dashboard. In the URL, grab the value after /workplace/
    2. Leave require MFA unchecked

  5. Attach the policy you created above.

  6. Complete the role setup. When the role is created, click the link to it to view its details

  7. Copy its ARN

Configuration

Browse to the Doppler dashboard and click Settings in the left navigation bar. Scroll down to the SIEM Services section, find the AWS SQS service and click Configure.

Click Add destination and fill in the following:

  • Destination name ā€” a label for this destination (e.g. Primary Log Queue)
  • SQS Queue URL ā€” the full URL of your SQS queue (e.g., https://sqs.us-east-1.amazonaws.com/123456789012/doppler-activity-logs)
  • Role ARN ā€” the ARN of the IAM role you created above

Click Add. Doppler will send a test message to verify the connection. If the connection fails, see Troubleshooting below.

šŸ‘

Nicely Done!

Your workplace is configured to automatically forward activity logs to your SQS queue.

Troubleshooting

AccessDenied when Doppler attempts to assume the role

  • Confirm the trust policy on the role includes arn:aws:iam::299900769157:root (or arn:aws:iam::299900769157:user/doppler-integration-operator) as a trusted principal.
  • Confirm the External ID on the role matches your workplace slug exactly.

AccessDenied on sqs:SendMessage

  • Confirm the IAM policy attached to the role includes sqs:SendMessage for the correct queue ARN.
  • If your queue is encrypted with a customer-managed KMS key, confirm the role has kms:Decrypt and kms:GenerateDataKey on the key and the key policy allows the role to use it.

Messages are being sent but not appearing in your consumer

  • Confirm your consumer is polling the same queue URL and region that you configured in Doppler.
  • Check the queue's Monitoring tab in the AWS console to confirm NumberOfMessagesSent is incrementing.

Updated about 7 hours ago