GuidesAPISupportStatusCommunitySign Up

AWS Secrets Manager

Sync environment variables to AWS Secrets Manager.

This guide will show you how to set up automatic syncing of Doppler secrets to AWS Secrets Manager.

Prerequisites

  • AWS Console Access
  • AWS IAM access
    • Ability to create IAM roles and Policies
    • Ability to access IAM users

Authorization

Navigate to the project you would like to integrate, click Integrations from the Projects menu, then select AWS Secrets Manager to begin the authorization process.

If this is your first time setting up an integration with AWS Secrets Manager, you'll see the following screen

  • Integration Name: A descriptor for the integration that will be displayed throughout Doppler
  • AWS Role ARN: ARN for the role that Doppler will use to assume into your AWS account. Instructions are covered below

Role Assumption

Doppler uses an IAM role you provide to assume into your account. The role will leverage the policy below.

Policy

  1. Navigate to the Create New Policy section in the AWS IAM console
  2. Switch to the JSON tab
  3. Enter the following policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSecretsManagerAccess",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:PutSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:TagResource",
                "secretsmanager:UpdateSecret"
            ],
            "Resource": "*"
        }
    ]
}
  1. Optionally provide tags
  2. Name your policy and hit create

Role

  1. Navigate to the create role section of the AWS IAM console
  2. Select AWS account for the Trusted entity type
  3. Select Another AWS account under An AWS account
    1. Enter 299900769157 for the Account ID. This is Doppler's account ID.
  4. Under Options check Require external ID
    1. Enter your workplace slug for the External ID. You can obtain your workplace slug by visiting the Doppler dashboard. In the URL, grab the value after /workplace/
    2. Leave require MFA unchecked
  5. Attach the policy you created above.
  6. Complete the role setup. When the role is created, click the link to it to view its details
  7. Copy its ARN

Configuration

Now chose the config to sync, the AWS region, and optionally, the Path which is used as the secret name prefix. Doppler determines the secret name in AWS Secrets Manager using the format {path}/doppler. For example, if Path is /yodaspeak/production/, the secret will be named /yodaspeak/production/doppler.

1646

Click Setup Integration and Doppler will instantly sync your secrets to AWS! To confirm the integration is working correctly, you can view the secret created in Secrets Manager by clicking the DESTINATION link.

1646

👍

Amazing Work!

You've successfully set up the Doppler AWS Secrets Manager integration! Every time you update your secrets in Doppler, we will automatically update them in AWS Secrets Manager.

Updated 24 days ago