
GCP Secret Manager Integration with Doppler

This guide outlines the steps to integrate Doppler with GCP Secret Manager, following the Forest architecture guidelines.

Note

Every service must have its own service account and doppler integration.

The official documentation from Doppler can be found here.

Name conventions

Secrets stored in Doppler must follow the Forest environment variable conventions.

  • Prefix: all Doppler-managed secrets in Secret Manager start with DOPPLER_. Each service uses the per-service prefix DOPPLER_<SERVICE-NAME>_ (for example DOPPLER_FOREST-BIKES_), and the same prefix is used in the IAM condition and in the Doppler sync.
  • Secret name for each service: <SERVICE-NAME>. A single secret per service in GCP holds all env vars synced from Doppler.
  • Service account names: doppler-<service-name>.

Prerequisites

  1. Administrative access to create service accounts, roles, and permissions.
  2. gcloud CLI installed and authenticated.
  3. A Doppler project with secrets ready to sync.

Step 1: Create a Service Account

According to the Doppler documentation, the recommended way to do this is via the gcloud CLI:

# Login into GCloud CLI and set desired project
gcloud auth login
gcloud config set project PROJECT_ID

# To make the process easier, create a service name as variable
SERVICE_NAME="<service-name>";

# Prefix that limits the service account to Doppler-managed secrets.
# It must match the prefix you enter in Doppler when setting up the integration.
# Because a single secret per service holds all env vars, the prefix is built
# from the service name, e.g. DOPPLER_FOREST-BIKES_ for forest-bikes.
SECRET_PREFIX="DOPPLER_<SERVICE-NAME>_";

# Get current project
PROJECT_ID=$(gcloud config get-value project --quiet);

# Create a new Service Account.
gcloud iam service-accounts create doppler-$SERVICE_NAME \
  --description="Service account for Doppler to sync secrets for $SERVICE_NAME" \
  --display-name="[$SERVICE_NAME] Doppler Secret Manager";

# Bind roles/secretmanager.admin to the new service account, restricted by an IAM
# condition to secrets whose names start with $SECRET_PREFIX.
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:doppler-$SERVICE_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/secretmanager.admin" \
  --condition="expression=resource.name.extract(\"secrets/{rest}\").startsWith(\"$SECRET_PREFIX\"),title=\"$SECRET_PREFIX*\"";

Step 2: Create a JSON Key for service account

Then we create a key for the service account to generate the credentials Doppler needs. This key is a long-lived credential: paste it into Doppler straight away, keep no local copy, and rotate it by creating a new key and deleting the old one.

# Generate a key for your new service account
gcloud iam service-accounts keys create iam-key.json \
  --iam-account="doppler-$SERVICE_NAME@$PROJECT_ID.iam.gserviceaccount.com";

# Print (and then remove) the JSON credentials
cat iam-key.json && rm iam-key.json;

Step 3: Set Up the Doppler Integration

  1. Open your Doppler project.
  2. Navigate to Projects > "project-name" > Syncs.
  3. Select Add Sync > GCP Secret Manager as the integration type.

Doppler Sync new integration

  4. Go to Create New Connection.
  5. Configure the prefix for Doppler secrets as DOPPLER_<SERVICE-NAME>_ (for example, DOPPLER_FOREST-BIKES_). It must be the same SECRET_PREFIX used in the IAM condition in Step 1, because the service account is only allowed to act on secrets under that prefix.

Doppler Create New Connection

  6. Paste the contents of the JSON key created in Step 2 for the doppler-<service-name> service account.
  7. Complete the setup and sync the secrets.

Doppler Setup Integration

Step 4: Validate the Integration

  1. In the GCP Console, navigate to Secret Manager.
  2. Verify that the secrets synced from Doppler are present and that their names start with the configured prefix (DOPPLER_<SERVICE-NAME>_).
  3. Test accessing these secrets from the GCP services that consume them to ensure permissions and integration work as expected.

Step 5: Maintain and Update Secrets

  • Adding new secrets: add them in Doppler and they sync automatically to GCP Secret Manager under the prefix.
  • Updating secrets: updates in Doppler propagate to GCP Secret Manager as new secret versions.
  • Monitoring: use GCP audit logs to monitor secret access and integration health.

Warning

Every time a secret is changed in Doppler, a new version of the secret is created in GCP Secret Manager, so ensure your code always retrieves the latest version (versions/latest) rather than pinning a version number. GCP Secret Manager keeps previous versions enabled until they are disabled or destroyed, so check what happens to old versions after a sync before relying on an update in Doppler to revoke an old value.
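The script below is an added example; it is not part of this guide, the Forest codebase or Doppler's own tooling. It ties together the naming conventions, the IAM condition from Step 1, the validation step and the warning about versions/latest. The pure-shell helpers derive the service account ID and secret prefix for a service (assuming the prefix is the service name in upper case, as in the DOPPLER_FOREST-BIKES_ example), check them against GCP's identifier rules, and apply the same startsWith predicate the IAM condition uses. When run with a service name, verify_integration uses gcloud to list the synced secrets, reads one via versions/latest while impersonating the Doppler service account, and then tries a secret outside the prefix, which must be denied; recent_activity pulls the audit log entries for that service account. It assumes gcloud's project is set and that your account can impersonate the service account (roles/iam.serviceAccountTokenCreator on it).

```shell
#!/bin/sh
# Added example, not part of this guide or of Doppler's tooling. Pure-shell
# helpers reproduce the naming conventions and the IAM condition's predicate;
# verify_integration and recent_activity call gcloud and only run when a
# service name is given on the command line. Assumptions: the Secret Manager
# prefix is the service name in upper case (as in DOPPLER_FOREST-BIKES_), the
# caller can impersonate the Doppler service account
# (roles/iam.serviceAccountTokenCreator on it), and gcloud's project is set.

# Service account ID convention: doppler-<service-name>.
sa_id_for() {
  printf 'doppler-%s' "$1"
}

# Secret prefix convention: DOPPLER_<SERVICE-NAME>_ (assumed upper-cased).
secret_prefix_for() {
  printf 'DOPPLER_%s_' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# GCP service account IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter. A failure here means Step 1 would be rejected.
valid_sa_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{5,29}$'
}

# Secret Manager secret IDs: 1-255 chars of letters, digits, underscore, hyphen.
valid_secret_id() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,255}$'
}

# Same test as the IAM condition in Step 1:
#   resource.name.extract("secrets/{rest}").startsWith("<prefix>")
# Usage: in_prefix <prefix> <secret-id>
in_prefix() {
  case "$2" in
    "$1"*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Resource path consumers should read: always versions/latest, never a pinned
# version number, because every Doppler change adds a new version.
latest_version_path() {
  printf 'projects/%s/secrets/%s/versions/latest' "$1" "$2"
}

# Live check for the validation step. Impersonating the service account shows
# exactly what Doppler itself is allowed to do under the conditioned binding.
verify_integration() {
  service="$1"
  project="$(gcloud config get-value project --quiet)"
  sa="$(sa_id_for "$service")@${project}.iam.gserviceaccount.com"
  prefix="$(secret_prefix_for "$service")"
  valid_sa_id "$(sa_id_for "$service")" || { echo "invalid service account ID for $service" >&2; return 1; }

  # Short secret IDs in the project (strip the projects/<n>/secrets/ part).
  all="$(gcloud secrets list --format='value(name)' | sed 's#.*/##')"
  in_scope="$(printf '%s\n' "$all" | grep "^${prefix}" | head -n 1)"
  out_of_scope="$(printf '%s\n' "$all" | grep -v "^${prefix}" | head -n 1)"
  [ -n "$in_scope" ] || { echo "no secrets under $prefix synced yet" >&2; return 1; }

  # A synced secret must be readable through versions/latest.
  if gcloud secrets versions access latest --secret="$in_scope" \
       --impersonate-service-account="$sa" >/dev/null; then
    echo "OK: $sa can read $(latest_version_path "$project" "$in_scope")"
  else
    echo "FAIL: $sa cannot read $in_scope; check the binding and the prefix" >&2
    return 1
  fi

  # A secret outside the prefix must be denied; success means the condition is
  # missing or wrong and the service account has project-wide admin.
  if [ -z "$out_of_scope" ]; then
    echo "no secret outside $prefix exists; create one to confirm the condition" >&2
  elif gcloud secrets versions access latest --secret="$out_of_scope" \
         --impersonate-service-account="$sa" >/dev/null 2>&1; then
    echo "FAIL: $sa can read $out_of_scope outside its prefix" >&2
    return 1
  else
    echo "OK: $sa denied on $out_of_scope"
  fi
}

# Audit-log view of what the Doppler service account did in the last day.
# AccessSecretVersion calls are Data Access audit logs, which are off by
# default and must be enabled for Secret Manager before they appear here.
recent_activity() {
  sa="$(sa_id_for "$1")@$(gcloud config get-value project --quiet).iam.gserviceaccount.com"
  gcloud logging read \
    "protoPayload.serviceName=\"secretmanager.googleapis.com\" AND protoPayload.authenticationInfo.principalEmail=\"$sa\"" \
    --freshness=1d --limit=50 \
    --format='table(timestamp,protoPayload.methodName,protoPayload.resourceName)'
}

# Usage: ./verify-doppler-sync.sh forest-bikes
if [ $# -gt 0 ]; then
  verify_integration "$1" && recent_activity "$1"
fi
```

The out-of-scope test deliberately picks an existing secret that does not carry the prefix: trying a name that does not exist would fail with NOT_FOUND and look like a denial, proving nothing about the condition.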