No touch secrets with Doppler - Part 2

In the first installment of our informative series, we provided a comprehensive overview of how to develop a no-touch secrets solution using the innovative Doppler Secrets Platform. This foundational exploration laid the groundwork for understanding the intricacies involved. In this second entry, we will take a deeper dive into the practical aspects of deploying cloud infrastructure, focusing on the steps and considerations necessary for successful implementation.

To provide a brief recap for those who may need it, we are engaging with a multi-account AWS organization that strategically employs Github Actions, Docker, and Terraform as their preferred technological stack. This sophisticated stack is efficiently managed through a single GitHub repository, which serves as a collaborative space for multiple teams to contribute their expertise. Each team focuses on specific areas of the infrastructure, such as network configuration, perimeter security, database observability, and compute resources, all of which are meticulously defined and documented within this centralized repository. This collaborative approach not only enhances productivity but also ensures consistency and reliability across the organization’s cloud architecture.

The core

At the core of this workflow is a Continuous Integration and Continuous Deployment (CICD) process built around a custom Docker image. This docker image is based on the official aws-cli image, providing a dependable foundation.

Moreover, we have enhanced this image by integrating additional tools, specifically the Doppler CLI and the Terraform CLI. This enhancement enables us to further streamline our processes and effectively utilize the capabilities of these powerful tools.

The Docker image is specifically designed to accept a single command argument, thereby optimizing the overall workflow. This deliberate design choice eliminates the necessity of embedding service account credentials directly within the image, thereby improving both security and operational flexibility while ensuring a cleaner and more secure development environment.

The isolation

In our efforts to ensure account parity across various environments, including production, quality control, and non-production AWS environments, we have implemented the usage of Terraform workspaces as a crucial component of our workflow. Alongside two primary features from Doppler, Service Tokens and the Github Integration, this approach provides us with a secure, easy-to-maintain, no-touch secrets solution.

By strategically leveraging Terraform workspaces, we are able to manage and isolate various configurations effectively. This ensures that each environment functions according to a consistent set of principles and standards, which is crucial for maintaining operational integrity. Such a well-thought-out strategy not only enhances our overall operational efficiency but also significantly reduces discrepancies that might occur due to environmental variations.

Furthermore, the implementation of Doppler Service Tokens allows us to establish isolated and granular access control to the configurations of our Doppler projects. This capability is particularly beneficial for individual pipeline runs, as it ensures that each run aligns perfectly with the specific Terraform workspace environment it operates within. This level of precision is vital for maintaining security and operational clarity.

In accordance with our rigorous change management protocols, our committed Doppler administrators have established a Service Account Token (SAT) Terraform pipeline flow. This Continuous Integration and Continuous Deployment (CICD) pipeline employs the Doppler Terraform provider to effectively generate service account tokens.

The implementation of this system not only improves our operational efficiency but also guarantees that we maintain a comprehensive audit trail, including a merge request and commit history, which enables us to track the creation of service accounts and monitor their designated expiration dates. This thorough approach to token management is crucial for upholding security and accountability within our systems.

The tokens generated from SAT ultimately reside in their respective Doppler project configurations, which include the GitHub integration. Consequently, the end result is a synchronized service account token within the AWS infrastructure project repository, ready for use. This means we can avoid manual interventions after the initial setup, leading to a more efficient management process.

Overall, these tools and strategies combine to create a robust framework that supports our development and operational goals.

The dynamic credential

Now we wouldn’t be doing all of this work if we were just going to leverage a static long lived credential now would we? Luckily for us the folks over at Doppler have recently released a “dynamic credential” capability.

The Doppler Dynamic Credentials feature represents a significant advancement in secrets management. Doppler now offers the ability to have ephemeral credentials that automatically rotate based on configurable time intervals. This capability enables organizations to implement robust security practices by ensuring that access credentials are short-lived and regularly updated.

This approach aligns with security best practices and zero trust principles, making it particularly valuable for organizations managing sensitive environments and compliance requirements. By implementing dynamic credentials, teams can significantly reduce their security attack surface while maintaining operational efficiency.

The deployment

When our infrastructure developers initiate a deployment, it is always happening within GitHub and requires a minimum of 2 code reviews and approvals for production level changes.

It is essential to note that the environment being utilized—whether it is non-production, quality control (QC), or production—requires the selection of a specific Terraform workspace. Each of these workspaces is strategically linked to a corresponding Service Account Token, which plays a crucial role within the execution environment of our GitHub runners.

This system is designed to enhance our operational efficiency and security. By referencing this Service Account Token, we can execute authenticated commands through the doppler-cli. This capability allows us to leverage the dynamically generated, short-lived AWS credentials that are created via dynamic secrets.

Robust secrets management is essential

At the end of the day, anything is certainly preferable to the use of cleartext credentials, which pose significant security risks. Therefore, it becomes essential to establish a robust secrets management program that is designed for ease of use, flexibility, and scalability, ensuring it effectively meets the diverse needs of the organization. Doppler stands out in this space with its innovative features, including service account tokens, seamless GitHub integration, and a Terraform provider. These capabilities not only enable organizations to meet the necessary criteria for secure secrets management but also empower them to exceed these standards, all while operating with confidence and peace of mind.