GCP EKM

EKM configuration guide for GCP KMS

Integrating Doppler EKM with GCP KMS enables an organization to supply an encryption key which Doppler will use to encrypt an organization's secrets an additional time. Doppler fetches the encryption key each time it needs to read or write a secret. If Doppler's access to the key is revoked or the key is deleted, access to the secrets is not possible.

❗️

WARNING: Deleting your key will terminate secret access

If you delete your GCP KMS key, your secrets will become inaccessible. This is not reversible.

Requirements

  • Doppler Admin access
  • Doppler Enterprise plan
  • Ability to create a GCP Service Account
  • Advanced experience with GCP Service Accounts and GCP KMS recommended

Overview

  1. Create a Service Account for Doppler to utilize in retrieving your GCP KMS Key
  2. Create a new GCP KMS Key
  3. Configure the necessary settings in Doppler

New GCP Project

We recommend creating a new GCP project that is solely dedicated to EKM. This creates isolation from your existing GCP workloads.

GCP Service Account

First we need to create a Service Account for Doppler to utilize

  1. Hop into the new GCP Project you created above
  2. Go to IAM & Admin
  3. Go to Service Accounts
  4. Create a new service account
  5. Name your service account and provide an optional description. Hit Continue.
  6. Grant your service account the Cloud KMS CryptoKey Encrypter/Decrypter role. Hit continue.
  7. Hit done.
  8. Select the service account you just created.
  9. Select the keys tab
  10. Select Add Key -> New Key
  11. Select JSON and click Create
  12. A file will be generated. Its contents will be used later

KMS Key

  1. In the GCP console, navigate to Security -> Key Management
  2. Select Create Key Ring
  3. Give your key ring a name and hit create
  4. Name your new key
  5. Protection level can be Software or HSM
  6. Purpose should be Symmetric encrypt/decrypt
  7. Choose your preferred rotation cadence
  8. Create your new key
  9. In the table of keys, in the row for the key you just created, click the 3-dot menu and click Copy Resource Name. Note: it must be the parent key, not a specific version of the key

Doppler Configuration

  1. Visit the Settings page in Doppler
  2. Under EKM, set the Service to Google Secrets Manager
  3. Enter the Key Resource name in the KMS Key Name field
  4. Enter the contents of the Service Account JSON document in the Key input
  5. Hit Save

❗️

WARNING: Deleting your key will terminate secret access

If you delete your GCP KMS key, your secrets will become inaccessible. This is not reversible.

Key Rotation

Doppler supports GCP KMS keys that are rotated

FAQs

Do I need to create a separate GCP project?

You technically don't need a separate account but it's highly recommended in order to keep your Doppler secrets data separate from your existing GCP workloads that may also be using GCP Secrets Manager.


Did this page help you?