AWS EKM
EKM configuration guide for AWS KMS
Integrating Doppler EKM with AWS KMS enables an organization to supply an encryption key, which Doppler will use to encrypt an organization's secrets an additional time. Doppler fetches the encryption key each time it needs to read or write a secret. If Doppler's access to the key is revoked or the key is deleted, access to the secrets is not possible.
WARNING: Deleting your key will terminate secret access
If you delete your AWS KMS key, your secrets will become inaccessible. This is not reversible.
Requirements
- Doppler Admin access
- Doppler Enterprise plan
- Access to create a new AWS sub-account
- Advanced experience with IAM roles and AWS KMS recommended
Overview
- Create a new AWS Sub-Account for an isolated IAM User (recommended but not required)
- Create an IAM User for Doppler to utilize in retrieving your AWS KMS Key
- Create a new AWS KMS Key
- Configure the necessary settings in Doppler
New AWS Sub-Account
We strongly recommend creating a new AWS sub-account that is solely dedicated to EKM. This creates isolation from your existing AWS workloads and IAM users.
See the AWS account creation guide for creating a sub-account.
AWS IAM User
- Visit the AWS console
- Navigate to IAM
- Select Users
- Select Add Users
- Name your user
- Under Access Type, select Access key - Programmatic access. Hit next.
- Do not select any permissions. Hit next.
- Optionally set any tags. Hit next.
- Review your users and create your user
- Capture the Access key ID and Secret Access key. You will need these later.
KMS Key
Head over to the KMS Console.
- Select Create Key
- Select Symmetric as the key type. Under advanced, you can either pick KMS or CloudHSM
- Name your key and optionally provide a description and tags
- Do not add the user you just created on the Define key administrative permissions page. Go to the next step
- Do select the previously created user on the Define key usage permissions page
- Review the configuration and finish. On the summary page, make note of the Key ID
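The two steps above (the permission-less IAM user, and a key that lists that user under key usage but not key administration) amount to a least-privilege key policy. The following is an added example, not Doppler's or AWS's code: it builds a key policy modelled on the statements the KMS console writes for key administrators and key users, then checks that the Doppler user is granted only key-usage actions. The account id, the user name doppler-ekm and the admin role name are constructed sample values.

```python
"""Key-policy check for the Doppler EKM setup described on this page.

Added example; not Doppler's or AWS's own code. ACCOUNT_ID, the user and
role names, and the exact statement layout are assumptions modelled on the
default statements the KMS console generates.
"""
import json

# Constructed sample values; replace with your own sub-account and user.
ACCOUNT_ID = "111122223333"
DOPPLER_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/doppler-ekm"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/KMSAdmin"

# Actions a "key user" gets; everything else is treated as over-privilege.
KEY_USAGE_ACTIONS = {
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
}

# Actions that can make the key (and therefore the secrets) unavailable.
DESTRUCTIVE_ACTIONS = {"kms:*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:Disable*"}


def build_key_policy(admin_arns, user_arns, account_id=ACCOUNT_ID):
    """Return a KMS key policy with separate admin and usage statements."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Lets the account root manage the key through IAM policies.
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # "Define key administrative permissions" page: must NOT include the Doppler user.
                "Sid": "Allow access for Key Administrators",
                "Effect": "Allow",
                "Principal": {"AWS": list(admin_arns)},
                "Action": [
                    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
                ],
                "Resource": "*",
            },
            {   # "Define key usage permissions" page: this is where the Doppler user belongs.
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": list(user_arns)},
                "Action": sorted(KEY_USAGE_ACTIONS),
                "Resource": "*",
            },
        ],
    }


def _as_set(value):
    """Normalise a policy field that may be a string or a list."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def check_doppler_principal(policy, user_arn):
    """Return findings for user_arn; an empty list means it is usage-only."""
    findings = []
    has_usage = False
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if user_arn not in _as_set(st.get("Principal", {}).get("AWS")):
            continue
        actions = _as_set(st.get("Action"))
        if actions <= KEY_USAGE_ACTIONS:
            has_usage = True
            continue
        extra = sorted(actions - KEY_USAGE_ACTIONS)
        note = f"{st.get('Sid', '<no Sid>')}: grants non-usage actions {', '.join(extra)}"
        if actions & DESTRUCTIVE_ACTIONS:
            note += " (can disable or delete the key, which would make secrets inaccessible)"
        findings.append(note)
    if not has_usage:
        findings.append("user is not granted key usage (Encrypt/Decrypt)")
    return findings


if __name__ == "__main__":
    policy = build_key_policy([ADMIN_ROLE_ARN], [DOPPLER_USER_ARN])
    print(json.dumps(policy, indent=2))
    print("findings:", check_doppler_principal(policy, DOPPLER_USER_ARN))
```

To check a key you have already created, fetch its policy with `aws kms get-key-policy --key-id <key-id> --policy-name default --output text`, load the JSON and pass it to `check_doppler_principal` together with the Doppler user's ARN; a non-empty result means the user ended up on the administrative permissions page, which the steps above say to avoid.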
Doppler Configuration
Before heading over to Doppler, ensure you have the following pieces of data:
- KMS Encryption Key ID
- IAM User Access key ID
- IAM User Secret access key
After switching over to Doppler, navigate to the Settings page
- Scroll down to the EKM section
- Select AWS Secrets Manager in the service dropdown
- Fill in the Encryption Key ID, IAM User Access key ID, and IAM User Secret Key
- The region should be the region you generated the KMS Key in. This cannot be changed later.
- Hit Save
Key Rotation
- We believe AWS KMS automatic key rotation is compatible with Doppler EKM; however, AWS does not make it sufficiently testable for us to make guarantees.
- Do not use the manual rotation feature in AWS KMS. If you need to rotate your KMS key, please email [email protected].
FAQs
Do I need to create an AWS sub-account?
You technically don't need a separate account but it's highly recommended in order to keep your Doppler secrets data separate from your existing AWS workloads that may also be using AWS Secrets Manager.
Can I change any of the settings once I've configured EKM?
You cannot change the AWS account, AWS region or KMS Key. You can change the IAM User assuming the new IAM User also has access to the KMS Key.