EKM configuration guide for AWS KMS

Integrating Doppler EKM with AWS KMS lets an organization supply its own encryption key, which Doppler uses to encrypt that organization's secrets an additional time. Doppler fetches the encryption key each time it needs to read or write a secret. If Doppler's access to the key is revoked, or the key is deleted, the secrets can no longer be accessed.


WARNING: Deleting your key will terminate secret access

If you delete your AWS KMS key, your secrets will become inaccessible. This is not reversible.



  1. Create a new AWS Sub-Account for an isolated IAM User (recommended but not required)
  2. Create an IAM User for Doppler to utilize in retrieving your AWS KMS Key
  3. Create a new AWS KMS Key
  4. Configure the necessary settings in Doppler

New AWS Sub-Account

We strongly recommend creating a new AWS sub-account that is solely dedicated to EKM. This creates isolation from your existing AWS workloads and IAM users.

See the AWS account creation guide for creating a sub-account.


  1. Visit the AWS console
  2. Navigate to IAM
  3. Select Users
  4. Select Add Users
  5. Name your user
  6. Under Access Type, select Access key - Programmatic access. Hit next.
  7. Do not select any permissions. Hit next.
  8. Optionally set any tags. Hit next.
  9. Review your user and create it.
  10. Capture the Access key ID and Secret Access key. You will need these later.


Head over to the KMS Console.

  1. Select Create Key
  2. Select Symmetric as the key type. Under Advanced, you can pick either KMS or CloudHSM
  3. Name your key and optionally provide a description and tags
  4. Do not add the user you just created on the Define key administrative permissions page. Go to the next step
  5. Do select the previously created user on the Define key usage permissions page
  6. Review the configuration and finish. On the summary page, make note of the Key ID
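
To confirm that steps 4 and 5 took effect, the resulting key policy can be audited for the IAM user. This is an added example, not Doppler's or AWS's own tooling: the account ID, user name and role name are constructed, and the action lists are taken from the AWS console's default key policy.

```python
import fnmatch
import json

# What the console's "key usage permissions" page grants (AWS default key policy).
KEY_USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                    "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
# Core of what the "key administrative permissions" page grants (AWS default key policy).
KEY_ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                     "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                     "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy_json, user_arn):
    """Return (has_usage, excess): can user_arn encrypt/decrypt, and which of its
    allowed action patterns go beyond the key-user set."""
    granted = set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        # The account-root statement is not matched here: it only delegates to IAM
        # policies, and the guide attaches none to this user.
        if stmt.get("Effect") == "Allow" and (user_arn in arns or "*" in arns):
            granted.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    allowed = [a.lower() for a in KEY_USER_ACTIONS]
    excess = sorted(g for g in granted if not any(fnmatch.fnmatchcase(g, a) for a in allowed))
    # Assumption: encrypt + decrypt is the minimum Doppler needs from the key.
    has_usage = all(any(fnmatch.fnmatchcase(need, g) for g in granted)
                    for need in ("kms:encrypt", "kms:decrypt"))
    return has_usage, excess

# Constructed sample data: account ID, user name and role name are hypothetical.
ACCOUNT = "111122223333"
DOPPLER_USER = f"arn:aws:iam::{ACCOUNT}:user/doppler-ekm"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/kms-admin"

def sample_policy(admins):
    def allow(principal, actions):
        return {"Effect": "Allow", "Principal": {"AWS": principal},
                "Action": actions, "Resource": "*"}
    return json.dumps({"Version": "2012-10-17", "Statement": [
        allow(f"arn:aws:iam::{ACCOUNT}:root", "kms:*"),
        allow(admins, KEY_ADMIN_ACTIONS),
        allow(DOPPLER_USER, KEY_USER_ACTIONS[:5])]})

if __name__ == "__main__":
    print(audit_key_policy(sample_policy([ADMIN_ROLE]), DOPPLER_USER))
    print(audit_key_policy(sample_policy([ADMIN_ROLE, DOPPLER_USER]), DOPPLER_USER))
```

The policy JSON for a real key can be fetched with `aws kms get-key-policy --key-id <Key ID> --policy-name default --output text` and passed to `audit_key_policy` together with the IAM user's ARN.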

Doppler Configuration

Before heading over to Doppler, ensure you have the following pieces of data:

  • KMS Encryption Key ID
  • IAM User Access key ID
  • IAM User Secret access key

After switching over to Doppler, navigate to the Settings page:

  • Scroll down to the EKM section
  • Select AWS Secrets Manager in the service dropdown
  • Fill in the Encryption Key ID, IAM User Access key ID, and IAM User Secret Key
  • The region should be the region you generated the KMS Key in. This cannot be changed later.
  • Hit Save



Key Rotation

  • We believe AWS KMS automatic key rotation is compatible with Doppler EKM; however, AWS does not make it sufficiently testable for us to make guarantees.
  • Do not use the manual rotation feature in AWS KMS. If you need to rotate your KMS key, please email [email protected].


Do I need to create an AWS sub-account?

You technically don't need a separate account but it's highly recommended in order to keep your Doppler secrets data separate from your existing AWS workloads that may also be using AWS Secrets Manager.

Can I change any of the settings once I've configured EKM?

You cannot change the AWS account, AWS region or KMS Key. You can change the IAM User, provided the new IAM User also has access to the KMS Key.