Twilio provides programmatic options to incorporate SMS, Voice, Auth, and Video in your application using only an API key (and code). It is an easy way to add rich functionality to your app; however, if you lose your API key, it's also an easy way to leak sensitive information and rack-up fraudulent charges.
- Understand the Doppler rotation methodology
- Ability to access Twilio Account SID
- Ability to create a main Twilio API Key
Doppler rotates Twilio API keys using our issuer methodology. After you complete the rotated secret creation process, Doppler will create the first rotated secret instance. At the defined frequency, Doppler will then issue a new Twilio key instance before revoking a previous Twilio key instance (reminder: there's always two).
Doppler supports rotating main and standard API keys. A main API key is required for Doppler to facilitate rotating either type, as only main keys provides the ability to issue and revoke keys.
- Main API Keys (Supported)- can act on any Twilio resource including API Keys, Account Configuration, and Subaccounts. You typically won't need these in your application code, but may in in CI/CD, integrations, etc.
- Standard API Keys (Supported)- can act on any Twilio resource but not API Keys, Account Configuration, and Subaccounts. Typically what you'll be using in code.
- Auth Tokens (Not Supported)- the keys to the kingdom - if someone has these, they have access to everything. Don't use them.
Twilio Rotated Secret Creation
- Navigate to the secrets config that the rotated secret will reside in
- Go to the Advanced Secrets tab
- Select New Rotated Secret
- Select Twilio
- Name your integration and provide the following details:
- Twilio Account SID: Found on the Twilio console dashboard, in the Account Info section
- API Key: Create a new Twilio API key in your Twilio dashboard by clicking Account in the top right, and then selecting API Keys and Tokens
- Select Create API Key
- Name your key. Ensure the key type is set to Main.
- Enter the API Key SID and the API Key Secret in the Doppler form.
- Hit Next
- Name your rotated secret. As you do, you'll get a live look at the three secrets we'll be dynamically injecting into your config.
- Select the interval at which you'd like your rotated secret instances to be rotated
- Hit Next
- The setup is complete and Doppler has created the first rotated secret instance, which is immediately available in your config
Updated 6 months ago