This guide will show you how to set up automatic syncing of Doppler secrets to GCP Secret Manager.
- You have a GCP account and are familiar with GCP Secret Manager
- You have the gcloud CLI installed and authenticated
- You have enabled the Secret Manager API for your GCP project
Ensure gcloud is configured to use the correct project, e.g. `gcloud config set project yodaspeak`, before proceeding.
We need to set up a Service Account so Doppler has the required permissions to sync secrets to GCP Secret Manager. This is best done using the
```shell
# Get current project
PROJECT_ID="$(gcloud config get-value project --quiet)"

# Create a new Service Account
gcloud iam service-accounts create doppler-secret-manager \
  --description="Service account for Doppler to manage your secrets in Secret Manager" \
  --display-name="Doppler Secret Manager"

# Attach SecretManagerAdmin policy to the new service account
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:doppler-secret-manager@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/secretmanager.admin"
```
Then we create a new key for the service account to generate the required credentials for Doppler:
```shell
# Generate a key for your new service account
gcloud iam service-accounts keys create iam-key.json \
  --iam-account="doppler-secret-manager@$PROJECT_ID.iam.gserviceaccount.com"

# Print (and then remove) the JSON credentials
cat iam-key.json && rm iam-key.json
```
Copy the JSON credentials output in your shell as you'll need it for the next step.
Navigate to the project you would like to integrate, click Integrations from the Projects menu, then select GCP Secret Manager to begin the authorization process.
Paste the JSON from the shell into the credentials text field, then click Connect.
Now choose the config to sync, the Region(s), and then enter a secret Name.
For region, Automatic replication is recommended, but you can instead specify which regions secrets should be replicated to. Learn more in the GCP Secret Manager replication docs.
Name is the GCP secret that Doppler will sync your secrets to and may only contain alphanumeric characters, dashes, and underscores.
Click "Setup Integration" and you're all set! Click the DESTINATION link in the table to see your secrets in the GCP console.
Doppler sync and secret versions
Every time a secret is changed in Doppler, a new version of the secret is created in GCP Secret Manager, so make sure your code always retrieves the latest version using
You've successfully set up the Doppler GCP Secret Manager integration! Every time you update your secrets in Doppler, we will automatically sync them to GCP Secret Manager, creating a new version of that secret.
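One way to act on the version note above, as an added example that is not part of Doppler's documentation: read the secret through the `latest` alias and audit configuration for references pinned to a numeric version, which would keep returning the old value after a sync. The secret Name `doppler-sync` and the sample config lines are constructed for illustration; `yodaspeak` is the sample project used earlier in this guide.

```shell
#!/bin/sh
# Added example, not Doppler's code. "yodaspeak" is the guide's sample project;
# the secret Name "doppler-sync" and the config lines below are constructed.

# Enforce the guide's rule for Name: alphanumerics, dashes and underscores only.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid secret name: $1" >&2; return 1 ;;
  esac
}

# Read the newest version of secret $2 in project $1 via the "latest" alias,
# so each Doppler sync is picked up without changing the caller.
fetch_latest() {
  valid_name "$2" || return 2
  gcloud secrets versions access latest --secret="$2" --project="$1"
}

# Print every stdin line that pins secret $1 to a numeric version. Such
# references keep returning the old value after Doppler writes a new version.
find_pinned_refs() {
  valid_name "$1" || return 2
  grep -E "secrets/$1/versions/[0-9]+" || true
}

# Constructed sample of deployment config lines to audit.
sample_config() {
  cat <<'EOF'
DB_SECRET=projects/yodaspeak/secrets/doppler-sync/versions/latest
API_SECRET=projects/yodaspeak/secrets/doppler-sync/versions/3
OTHER=projects/yodaspeak/secrets/unrelated/versions/7
CACHE_SECRET=projects/yodaspeak/secrets/doppler-sync/versions/12
EOF
}

# Stand-alone run: list the pinned references found in the sample.
sample_config | find_pinned_refs doppler-sync
```

Run `find_pinned_refs` over your own deployment files by piping them in on stdin; `fetch_latest` writes the payload to stdout, so capture it in a variable rather than a file.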