Doppler supports rotating secrets for each GCP Cloud SQL database - MySQL, Postgres, and SQL Server. Doppler utilizes the Cloud SQL Admin API to facilitate rotation. There's no need to expose your database to the internet and the GCP Service Account can be narrowly scoped.



Configuring Doppler to facilitate rotation in Cloud SQL consists of:

  1. Creating a narrowly scoped GCP Service Account
  2. Providing the details of the Cloud SQL users to rotate between

GCP Service Account Role

In order to scope the service account as narrowly as possible, you'll first create a custom role for the service account to use.

  1. In the GCP console, under IAM, navigate to Roles
  2. Select Create Role
  3. Provide a Title and ID. Use General Availability for Role Launch Stage
  4. Select Add Permissions
  5. In the filter section, search for and add cloudsql.users.update, cloudsql.users.list, and cloudsql.instances.get
  6. Select Create

GCP Service Account

  1. In the GCP console, navigate to Service Accounts
  2. Select Create Service Account
  3. Name your service account and provide an ID
  4. Select Create and Continue
  5. Under Grant this service account access to project, select the custom role you created above
  6. Select Continue and then select Done
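
To confirm the account ended up as narrowly scoped as intended, the following added example (not Doppler's or Google's code) audits a role definition and a project IAM policy in the JSON shape printed by `gcloud iam roles describe` and `gcloud projects get-iam-policy` with `--format=json`. The project, role ID and service account name are hypothetical, and the sample data is constructed.

```python
# Permissions the page lists for the custom role.
REQUIRED = {"cloudsql.users.update", "cloudsql.users.list", "cloudsql.instances.get"}

def audit_role(role):
    """Compare a role's includedPermissions with the three the page lists."""
    granted = set(role.get("includedPermissions", []))
    return {"missing": sorted(REQUIRED - granted), "extra": sorted(granted - REQUIRED)}

def audit_bindings(policy, sa_email, custom_role):
    """Find every role the project IAM policy binds to the service account."""
    member = f"serviceAccount:{sa_email}"
    roles = sorted(b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", []))
    return {"has_custom_role": custom_role in roles,
            "other_roles": [r for r in roles if r != custom_role]}

def is_narrow(role_report, binding_report):
    """True only if the role has exactly the listed permissions and is the sole binding."""
    return (not role_report["missing"] and not role_report["extra"]
            and binding_report["has_custom_role"]
            and not binding_report["other_roles"])

# Constructed sample data: hypothetical project, role ID and service account.
SAMPLE_SA = "doppler-rotation@example-project.iam.gserviceaccount.com"
SAMPLE_ROLE = {
    "name": "projects/example-project/roles/dopplerRotation",
    "stage": "GA",
    "includedPermissions": ["cloudsql.instances.get", "cloudsql.users.list",
                            "cloudsql.users.update", "cloudsql.users.delete"],
}
SAMPLE_POLICY = {"bindings": [
    {"role": SAMPLE_ROLE["name"], "members": [f"serviceAccount:{SAMPLE_SA}"]},
    {"role": "roles/cloudsql.admin",
     "members": ["user:dba@example.com", f"serviceAccount:{SAMPLE_SA}"]},
]}

if __name__ == "__main__":
    r = audit_role(SAMPLE_ROLE)
    b = audit_bindings(SAMPLE_POLICY, SAMPLE_SA, SAMPLE_ROLE["name"])
    print(r, b, "narrow" if is_narrow(r, b) else "over-privileged")
```

The constructed sample is deliberately over-privileged: the role carries one extra permission and the account is also bound to a second role, so both findings are reported.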

GCP Service Account Key

  1. On the GCP Service Account page, select the Service Account you just created above
  2. Select the Keys tab
  3. Select Add Key then Create New Key
  4. Leave JSON selected and click Create. You will use the generated key below

Doppler Cloud SQL Integration

  1. Navigate to the Doppler config you would like to add a rotated secret to
  2. Click the dropdown next to Add Secret and select Add Rotated Secret
  3. Select the engine you'd like to rotate - MySQL, SQL Server, or Postgres
  4. Name your integration and enter the Service Account you created above

Cloud SQL Database Details

  • Rotated Secret Name: The name of the rotated secret object; it will also prefix each of the secrets that Doppler injects into your config. For example, if DB_USER is entered, the following secrets would be injected into your config:
  • Interval: How often your database passwords are rotated
  • Database Instance: The name of your database


During the rotation process, Doppler rotates between the database users you provide during the rotation configuration process. By providing the users to Doppler, Doppler doesn't need the ability to create new users - just update user passwords.

There are no requirements related to the users you provide.