Secrets management used to be static. Rotating and updating secrets was a manual process, and despite being a best practice, it was not done regularly. Developers had to manage secrets on their own, passing them around in text files and environment variables. This made secrets easy to exploit, leading to breaches, data theft, and financial losses. A change was needed.
Understanding dynamic secrets rotation in Doppler
Doppler’s Rotated Secrets feature combines dynamic secrets with automatic rotation, keeping credentials up to date and secure. Doppler automatically generates new secrets at set intervals while safely retiring the old ones. To manage this process, Doppler uses two rotation methods:
- Issuer Rotation – Creates an entirely new secret and retires the old one.
- Updater Rotation – Updates the existing secret’s value without changing its reference.
Depending on how a service allows secrets to be rotated, Doppler performs rotation through:
- Proxied Rotation – Uses a secure agent (e.g., AWS Lambda) to rotate secrets without exposing services to the internet.
- API Rotation – Calls the service’s public API using API keys or other credentials to create or update secrets directly.
For more details, check out Doppler’s Rotated Secrets documentation.
Prerequisites
Before setting up rotated secrets in Doppler, make sure you have the following:
- An AWS account
- A GitHub account
- A Doppler account
The Doppler account will be used to manage secrets for two GitHub Actions CI/CD pipelines—one for deploying and another for cleaning up a microservice application on AWS. For a successful deployment on Amazon EKS, the pipeline requires AWS access keys from an AWS user with admin access and other environment variables.
Step 1: Forking the GitHub repository
Step 2: Setting up Doppler
When you create a Doppler account, a workplace is created with it, and its workplace ID will be needed to rotate your secrets.
Step 2.1: Locating your workplace ID
- Log into your Doppler account and check the URL in your browser—you’ll see a string of random letters and numbers.
- This is your workplace ID; copy and save it for later use.
Step 2.2: Activating the Team trial plan if needed
- Go to the Billing section of your Doppler account.
- Select the option to try the Team plan (Rotated Secrets is unavailable on the Developer plan).
Step 3: Setting up policies on AWS
To implement Doppler's Rotated Secrets for the Amazon EKS microservices deployment, you need three IAM policies tailored to it:
- Access key management policy for Doppler’s secret rotation.
- EKS management policy for deploying the Kubernetes cluster.
- EC2, S3, DynamoDB tables, and IAM role management policy for handling networking and permissions.
These policies will be attached to IAM users and roles in Step 4.
Step 3.1: Log into AWS and open CloudShell
- Log in to your AWS account.
- Open AWS CloudShell (top-right corner of the AWS Console).
- Confirm you're in the N. Virginia (us-east-1) region, as this tutorial assumes that region.
- If you choose a different region, use that same region for all steps.
Step 3.2: Creating JSON policy files in CloudShell
- Create the EKS management policy.
Run the following command to create a new policy file:
Paste the policy below, then:
- Press CTRL + X to save.
- Press Y to confirm.
- Press Enter to exit.
- Create the EC2 & IAM management policy.
Run:
Before pasting the policy, replace the placeholders with your actual values:
- YOUR_AWS_ACCOUNT_ID → Your AWS account number.
- cluster_name → The preferred name of your EKS cluster.
- Create the IAM access key management policy.
Run:
This policy restricts access key management to IAM users under the /doppler/rotate/ path.
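As an added example (not the tutorial's own policy file), the script below writes an access-key management policy scoped to the /doppler/rotate/ path and refuses a policy whose Resource is a bare wildcard. The account id and file name are constructed placeholders, and the exact action list is an assumption to confirm against Doppler's Rotated Secrets documentation.

```shell
#!/bin/sh
# Added example, not the tutorial's own policy file: an access-key management
# policy scoped to IAM users under the /doppler/rotate/ path. The account id is
# a constructed placeholder; the action list is an assumption to check against
# Doppler's Rotated Secrets documentation.
AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"
POLICY_FILE="${POLICY_FILE:-iam-access-key-policy.json}"

write_access_key_policy() {
  cat > "$POLICY_FILE" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RotateKeysUnderDopplerPathOnly",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::${AWS_ACCOUNT_ID}:user/doppler/rotate/*"
    }
  ]
}
EOF
}

# Guardrail: the Resource must name the /doppler/rotate/ path, and no statement
# may use a bare "*", which would let the rotation role mint keys for every
# user in the account (the admin user included).
check_path_scoped() {
  grep -q '"Resource": "arn:aws:iam::[0-9]*:user/doppler/rotate/\*"' "$1" || return 1
  ! grep -q '"Resource": "\*"' "$1"
}

write_access_key_policy
check_path_scoped "$POLICY_FILE" && echo "policy is scoped to /doppler/rotate/"

# Register the policy in AWS (runs in CloudShell; skipped where no CLI exists).
if command -v aws >/dev/null 2>&1; then
  aws iam create-policy --policy-name IAM-Access-Key-Policy \
    --policy-document "file://$POLICY_FILE"
fi
```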
Step 3.3: Verify created files
Before proceeding, confirm the JSON files were created successfully by running:
You should see the following files listed:
- eks-policy.json
- ec2-iam-policy.json
- Iam-access-key-policy.json
Step 3.4: Create the IAM policies in AWS
Still in the CloudShell, run the following commands:
Step 3.5: Confirm policies were created
- Check for success messages in the CloudShell terminal. They should look like the figure below.
If a command fails, ensure:
- JSON is correctly formatted.
- File names match the commands.
- AWS CloudShell session is active.
- Verify policies in AWS Console:
- Go to IAM → Policies and search for the policy names.
Step 4: Setting up IAM roles & users on AWS
In this step, we will:
- Create an IAM user for Doppler to manage rotated secrets.
- Create an IAM role that Doppler will assume to manage AWS access keys.
- Attach the required policies from Step 3 to these users and roles.
Step 4.1: Create the IAM user
Run the following command in AWS CloudShell to create the IAM user:
Explanation:
- The user is created under the /doppler/rotate/ path, the path that the access key management policy from Step 3 is scoped to.
- The user will be used for secret rotation in Doppler.
Step 4.2: Attach policies to the IAM user
Attach the EC2-IAM-Centric-Policy:
Attach the EKS-Centric-Policy:
Here:
- The IAM user is assigned the necessary permissions for EKS and EC2.
- `$(aws sts get-caller-identity --query "Account" --output text)` dynamically fetches your AWS Account ID.
Step 4.3: Creating the IAM role for Doppler
Having created the IAM user, the next step is to create an IAM role that Doppler will assume.
- Trust entity type: AWS Account (Doppler’s external AWS account).
- External AWS Account ID: Provided in Doppler’s documentation (299900769157).
- External ID: Your Doppler workplace ID (saved earlier from Step 2.1).
- Policies to Attach: IAM-Access-Key-Policy.
- Create a JSON trust policy file
Run the following command in CloudShell to create the trust policy file:
Paste the following JSON trust policy inside:
- Replace DOPPLER_AWS_ACCOUNT_ID.
- Replace YOUR_DOPPLER_WORKPLACE_ID.
Press CTRL + X, then Y, then Enter to save and exit.
- Create the IAM role using CloudShell
Use the following command to create the IAM role and associate the trust policy:
- Attach the required IAM policy to the role
Attach the IAM-Access-Key-Policy so Doppler can rotate secrets:
- Verify IAM setup in AWS console
Instead of verifying each step with CloudShell, go to the AWS IAM Console to confirm everything was set up correctly:
- Navigate to IAM → Users.
- Find microservices-k8s-rotated.
- Confirm that EC2-IAM-Centric-Policy and EKS-Centric-Policy are attached.
- Take note of the IAM User name “microservices-k8s-rotated”. It will be used later.
Check IAM Roles:
- Navigate to IAM → Roles
- Find DopplerSecretsRotationRole
- Open the role and verify:
- The Trust Policy includes Doppler’s AWS account and External ID.
- The IAM-Access-Key-Policy is attached.
- Take note of the role’s ARN. It will be used later.
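The trust policy and role creation from this step, as an added example rather than the tutorial's own commands: it keeps the Doppler account id the tutorial cites, uses a constructed sample workplace ID in place of the value from Step 2.1, and adds CLI equivalents of the console checks above.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands: the trust policy for
# DopplerSecretsRotationRole plus CLI equivalents of the console checks.
# 299900769157 is the Doppler account id the tutorial cites; WORKPLACE_ID is a
# constructed sample standing in for the value saved in Step 2.1.
DOPPLER_AWS_ACCOUNT_ID="${DOPPLER_AWS_ACCOUNT_ID:-299900769157}"
WORKPLACE_ID="${WORKPLACE_ID:-a1b2c3d4e5f6g7h8}"
TRUST_FILE="${TRUST_FILE:-doppler-trust-policy.json}"
ROLE_NAME="DopplerSecretsRotationRole"

write_trust_policy() {
  cat > "$TRUST_FILE" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${DOPPLER_AWS_ACCOUNT_ID}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${WORKPLACE_ID}" } }
    }
  ]
}
EOF
}

# The ExternalId condition is the confused-deputy guard: every Doppler customer
# trusts the same Doppler account, so without it the role could be assumed on
# behalf of any workplace that learns its ARN. Reject a missing or empty value.
has_external_id_condition() {
  grep -q '"sts:ExternalId": "[A-Za-z0-9_-][A-Za-z0-9_-]*"' "$1"
}

write_trust_policy
has_external_id_condition "$TRUST_FILE" || { echo "missing ExternalId" >&2; exit 1; }

# Create the role, attach the Step 3 policy and print what the console check
# looks at (trust policy, attached policies, role ARN). Skipped without a CLI.
if command -v aws >/dev/null 2>&1; then
  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$TRUST_FILE"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/IAM-Access-Key-Policy"
  aws iam get-role --role-name "$ROLE_NAME" --query Role.AssumeRolePolicyDocument
  aws iam list-attached-role-policies --role-name "$ROLE_NAME"
  aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text
fi
```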
Step 5: Configuring Doppler for rotated secrets
With the IAM policies, user, and role in place, let’s configure Doppler to automatically manage and rotate AWS access keys.
Step 5.1: Create a Doppler project
- Log into Doppler → Go to Doppler.com and sign in.
- Create a new project:
- Click Projects in the sidebar.
- Click the “+” icon next to Projects to add a new project.
- Name it eks-microservice_secret.
- Click the “+” sign under Development Environment to create a branch config inside the project.
- Click on Add First Secret to start adding secrets.
Step 5.2: Add static secrets to Doppler
Apart from the AWS access keys that will be automatically rotated, the GitHub Actions pipeline for this project requires some static environment variables.
Since these values do not pose a security risk, they will be added as static secrets.
- Adding static secrets
- Within the branch config, manually add the following static secrets (name and value):
Example:
Step 5.3: Add rotated secrets in Doppler
- Scroll down to the Rotated Secrets section.
- Click on Add Rotated Secret.
- Choose AWS IAM User Keys as the secret type.
- Configure the rotation settings:
- IAM Role ARN: Paste the IAM Role ARN saved in Step 4.3
- Add Rotated secret details:
- Rotated Secret Name: Use this exact name, as the pipeline is already configured to expect it. (See image below.)
- IAM User Name: Enter microservices-k8s-rotated, which was created in Step 4.1.
- Rotation Interval: Choose your preferred rotation interval (e.g., 30 days).
- Click Next and confirm the setup.
- If done correctly, you should see the access keys provisioned in Doppler.
Step 5.4: Testing rotated secrets
- Check the IAM user’s access keys in AWS
- Go to AWS IAM Console → Users → microservices-k8s-rotated
- You should see the same access key as the one displayed in Doppler.
- Manually rotate secrets in Doppler
Even if your rotation interval is set to 30 days, you can force a manual rotation, creating a new secret version.
- In Doppler, go to Rotated Secrets.
- Click the “...” (three-dot menu) on the right side of the rotated secret.
- Click Rotate Now, then confirm the rotation.
- The latest secret version will be provisioned.
Step 6: Synchronizing Doppler with GitHub and running the pipeline
With Doppler managing and rotating secrets, the next step is to sync these secrets with GitHub Actions and trigger the pipeline to deploy the microservices application to AWS.
Step 6.1: Sync Doppler secrets with GitHub Actions
Doppler allows direct synchronization of secrets with GitHub Actions, ensuring that the pipeline always has the latest credentials.
Note: Ensure that you are logged into GitHub in your browser before proceeding to make authorization smoother.
- Configure Doppler’s GitHub integration
- Go to Config Syncs in your Doppler project folder and click Add Sync.
- Choose GitHub as the integration type and authorize Doppler.
- You will be redirected to GitHub to confirm:
- Which repositories Doppler will have access to.
- Permissions granted to Doppler.
- Choose either:
- "All repositories" (if you want Doppler to manage multiple projects).
- Or only the microservice repository (ecommerce-microservices-k8s).
- Click Install to complete authorization.
- Configure GitHub Actions sync in Doppler
- After being redirected back to Doppler, choose:
- Feature: Actions.
- Repository: Select the forked microservice repo (ecommerce-microservices-k8s).
- GitHub Environment: Choose Repository Secrets.
- Config to Sync: Select the Doppler config branch storing your static and rotated AWS secrets.
- Click Set Up Integration and wait for the status to update.
- If successful, you should see a Sync Status: In Sync.
- Verify secrets in GitHub
- Go to GitHub and navigate to the forked ecommerce-microservices-k8s repository.
- Click on Settings → Secrets and Variables → Actions.
You should see all secrets imported from Doppler, including Doppler's meta-variables used for syncing.
Step 6.2: Update Terraform configuration with Doppler secrets
Since Terraform requires the S3 bucket and DynamoDB table names, these values must be updated before running the pipeline.
Note: This pipeline does not auto-trigger on changes in GitHub; you must manually trigger the deployment in the next step.
- Navigate to the GitHub repository home page.
- Go to the Code section and open the terraform_code/ directory.
- Inside terraform_code/, locate the backend.tf file.
- Click the edit (pen) icon to modify it.
- Replace the S3_BUCKET_NAME and DYNAMODB_TABLE_NAME values with the exact names you set in Doppler (Step 5.2).
- If you are using a different region, replace it as well.
- Click Commit Changes to save.
- Next, edit the terraform.tfvars file in the same directory.
- Update the cluster name to match the CLUSTER_NAME from step 5.2.
- Commit the changes.
Step 6.3: Manually trigger the workflow
With everything set up, let's trigger the pipeline to deploy the microservice to AWS.
- Click on the Actions tab within your GitHub repository.
- If prompted, enable workflows (if running for the first time).
- You will see two workflows:
- CI/CD Workflow (to deploy the cluster).
- Cleanup Workflow (to delete resources after testing).
- Run the CI/CD workflow
- Click on CI/CD Workflow to expand it.
- Click Run Workflow and select the branch (e.g., main).
- Monitor the workflow execution:
- Click on the running job to view logs.
- If everything is set up correctly, the pipeline should deploy the EKS cluster and microservices using the secrets provided by Doppler.
- Verify deployment in AWS
- Go to AWS EKS Console → Check if the cluster and nodes are running.
- Run the cleanup workflow (Optional). Once deployment is verified, you can delete the EKS cluster and other resources to avoid extra costs.
- Go back to GitHub Actions.
- Click on Cleanup Workflow.
- Click Run Workflow and confirm execution.
The cleanup process will delete the cluster and associated AWS resources.
Doppler passed the secrets to the pipeline for deployment. Even after rotation, the secrets auto-synced thanks to Doppler’s meta-variables. Now, let’s explore some industry best practices and common pitfalls when working with secrets.
Best practices for secure & efficient secrets management
- Use short-lived secrets
- Long-lived secrets increase security risks.
- Regularly rotate and replace sensitive data.
- Use Doppler’s rotation schedule for automated secret updates.
- Apply least privilege control
- Restrict access to only those who need it.
- Example: A team managing encryption shouldn’t be able to rotate secrets.
- Use Doppler’s RBAC & Scoped API Keys to enforce access control.
- Centralize secrets management
- Avoid storing secrets in multiple scattered locations.
- A single source of truth makes tracking, rotating, and securing secrets easier.
- Use a dedicated secrets manager like Doppler to organize and secure credentials.
- Monitor & audit secret usage
- Track who is accessing secrets and when.
- Watch for unusual activity (e.g., unexpected access patterns).
- Use Doppler’s Access Logs to gain visibility into secret usage and security auditing.
Take control of your secret security
This tutorial demonstrated how to set up automatic secret rotation for an AWS IAM user’s access keys using Doppler. It also covered syncing Doppler with GitHub to ensure secrets are seamlessly injected into pipelines without manual intervention.