Modern applications rarely live in a single environment. They stretch across multiple services, cloud providers, and deployment stages. This fragmentation makes it challenging to manage secrets securely, especially when those secrets must remain synchronized and compliant. Consider, for example, an application where:
- User authentication runs on GCP and relies on OAuth and MFA secrets.
- Payment processing is hosted on AWS, using Stripe and internal API keys.
- Fraud detection operates in Azure and requires encrypted ML model keys.
How secrets collaboration works in Doppler
Doppler securely stores and syncs your secrets across multiple environments, including local development, CI/CD pipelines, and cloud providers.
- Upgrade your billing plan: When you create a new Doppler account, you'll start on the Developer Plan by default. To use Role-Based Access Control (RBAC), you'll need to upgrade to a Team or Enterprise Plan.
- Store your secrets in Doppler: Doppler serves as a single source of truth for all your secrets. This step guides you through importing your secrets into the Doppler dashboard for centralized storage and management.
- Sync secrets to your CI/CD pipeline on GitHub Actions: Once your secrets are stored, you can sync them directly to your CI/CD pipeline on GitHub Actions. This guarantees any changes made in the Doppler dashboard reflect automatically in your pipeline.
- Manage access with Doppler's Role-Based Access Control: Use RBAC to define roles and set permissions for your team members. This gives you control over who can access specific secrets in your dashboard.
By following these steps, your team can effectively manage secrets while maintaining security and control across all environments.
Prerequisites
What you'll need to get started with Doppler:
- A Doppler account and workplace - If you haven't set one up yet, check out Doppler's Getting Started video demo.
- A GitHub Actions CI/CD pipeline - This is where you'll sync your secrets. If you don't have one, you can fork this repository. It deploys a Next.js application to an AWS server and requires these secrets:
  - SERVER_IP: The server's IP address.
  - SSH_PRIVATE_KEY: The private key needed for SSH access.
Step 1: Upgrade your billing plan (if needed)
This guide uses the Doppler RBAC feature, which is available only on the Team or Enterprise Plan. To upgrade your account:
- Sign in to Doppler.
- In the left sidebar, click Billing to open your account's billing section.
- Select the option to try either the Team or Enterprise plan and complete the upgrade process.
Step 2: Store your secrets on the Doppler Dashboard
Follow these steps to store your secrets in Doppler:
- Create a project
- Create an environment
- Import secrets
Step 2.1: Create a project
You can organize your application secrets and configurations for different environments in Doppler.
To create a project:
- In the sidebar, click Projects to open the Projects page.
- Click the + button next to Projects to open the Create Project modal.
- Enter a name and description for your project.
- Click Create Project to finalize the setup.
Step 2.2: Create an environment
You can use environments to organize and manage secrets based on different stages of development. With Doppler, you have access to these three environments by default: Development, Staging, and Production.
To create a custom environment for your CI/CD pipeline:
- Click the … (three-dot menu) in the top right corner of your newly created project page and select the Create Environment option.
- In the Create Environment modal, enter:
  - Environment Name
  - Slug (a unique identifier for the environment)
- Click Save to create the environment.
Step 2.3: Import secrets
To import secrets into your Doppler environment:
- Select your newly created CI/CD environment card to open the config.
- Click the downward arrow next to Add First Secret and choose Import Secrets. This will open the Import Secrets modal.
- Copy and paste the secrets you want to sync with your CI/CD pipeline into the modal.
- Click Import Secrets to upload them. You should see your secrets on the dashboard.
- Click Save at the top right of the page to open the Please Confirm modal.
- If applicable, select additional environments where these secrets should apply. We'll keep this guide limited to the CI/CD environment.
- Click Save to finalize the process.
Step 3: Sync secrets to your CI/CD pipeline on GitHub Actions
Now that your secrets are stored in Doppler, you can sync them with your GitHub Actions CI/CD pipeline by following these steps:
- Open your CI/CD environment page and navigate to the Config Syncs tab to set up synchronization. Alternatively, you can select the Syncs subtab from the left sidebar.
- Click the Add an integration to connect Doppler with a cloud provider link to open the Sync Integrations page.
- Select the GitHub icon to begin the integration setup.
- If you don't have an existing connection, click Create New Connection to install Doppler on GitHub. Otherwise, select an existing connection and skip to step 6.
- Choose the GitHub account to link with Doppler and select the repositories where you want to sync secrets. This will redirect you to the GitHub Integration page.
- On the GitHub Integration page, enter the following details:
  - GitHub Feature: Select Actions.
  - Repository: Choose the repository containing your CI/CD pipeline.
  - GitHub environment: Set Repository Secrets as the sync destination.
  - Config to sync: Select the CI/CD environment you created that contains your secrets.
- Click Set Up Integration to complete the sync process.
- Your project page will display the sync status, which shows In Sync if successful.
- Click the Destination URL to view your secrets in your GitHub repository. You should see all secrets imported from Doppler, including Doppler's meta-variables used for syncing.
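Once the sync shows In Sync, the pipeline consumes the secrets exactly as it would any other repository secret. The workflow below is an added illustration, not the forked repository's own workflow: it reads the two synced secrets (SERVER_IP and SSH_PRIVATE_KEY) only through the `secrets` context, writes the key to a file with owner-only permissions, and refuses to deploy if either value failed to sync and arrived empty. The deploy user `deploy`, the remote path `/var/www/app`, the Node.js version and the rsync-based deploy step are assumptions for the example.

```yaml
# Added example workflow (not part of the original guide or the forked repository).
# Assumes: a deploy user named "deploy", the app served from /var/www/app, Node.js 20.
name: Deploy Next.js app

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Check out source
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Build
        run: |
          npm ci
          npm run build

      - name: Install the SSH key synced from Doppler
        env:
          # Secrets are exposed to the step only as environment variables,
          # never interpolated into the script text, so they are not echoed in logs.
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SERVER_IP: ${{ secrets.SERVER_IP }}
        run: |
          # Fail fast if a secret did not sync rather than deploying with an empty value.
          test -n "$SSH_PRIVATE_KEY" || { echo "SSH_PRIVATE_KEY is empty"; exit 1; }
          test -n "$SERVER_IP" || { echo "SERVER_IP is empty"; exit 1; }
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          # printf from a variable keeps the key out of the shell trace and the step log.
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          # Record the server's host key so ssh does not prompt. This is trust-on-first-use;
          # a pre-verified known_hosts entry stored as its own secret is the stricter option.
          ssh-keyscan -H "$SERVER_IP" >> ~/.ssh/known_hosts

      - name: Deploy to the server
        env:
          SERVER_IP: ${{ secrets.SERVER_IP }}
        run: |
          # Copy the working tree (build output included); installing and restarting
          # the app on the server is out of scope for this example.
          rsync -az --delete --exclude node_modules --exclude .git \
            -e "ssh -i ~/.ssh/deploy_key" ./ "deploy@$SERVER_IP:/var/www/app/"
```

Because the workflow never hard-codes values, rotating SSH_PRIVATE_KEY in the Doppler dashboard is enough: the next sync updates the repository secret and the next run picks it up without a workflow change.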
Step 4: Manage access to secrets with Doppler Role-Based Access Control
Once your secrets are securely stored in Doppler, the next step is to manage access using Doppler's role-based access control (RBAC).
- Workplace Roles: Workplace roles manage user access at the organization-wide level. There are three types:
  - Owner – Has full control over the workplace, including settings, team management, and billing.
  - Admin – Manages secrets at the workplace level, such as creating projects, configuring integrations, and managing project access.
  - Collaborator – Has read-only access to workplace functions and manages secrets within specific environments.
- Project Roles: Project roles control access to individual projects and their environments:
  - Admin – Includes workplace owners and admins. Can manage all aspects of a project, including environments, members, and integrations.
  - Collaborator – Operates at the environment level. Can manage secrets, configure integrations, and add secret reminders.
  - Viewer – Has read-only access to specific environments, with visibility limited to secrets and activity logs.
Also, you can create custom roles tailored to your team's needs with Doppler's Enterprise Plan. The Team Management Documentation provides detailed steps on creating custom roles.
Step 4.1: Add team members to your Doppler workplace
To add team members:
- Click the Team tab in the sidebar to open the Team page.
- Click the Invite Users button in the top right corner. This opens the Invite Users modal.
- In the modal, fill in the following details:
  - Email Address: Enter the email of the team member you want to add.
  - Workplace Role: Assign the Collaborator role to the team member.
- Click Send Invites to send the invitation.
- The recipient will receive an invitation and must authenticate into the Doppler dashboard to join the team.
Step 4.2: Add the Collaborator at the project level
To configure the Collaborator access for team members:
- Click the Projects tab in the sidebar and select the project containing the CI/CD environment for which you want to manage access.
- Click on the Members button at the top right of the page.
- Search for the team member and click the + Add button to grant them access.
- Once added, configure their access by:
  - Selecting the Collaborator role from the dropdown in the ROLE column.
  - Choosing the CI/CD environment for the team member from the ENVIRONMENTS dropdown.
A team member with the Collaborator role at the workplace and project levels will only see the ci-cd environment on their project page. They can now manage secrets and integrations for this environment alone.
With this setup, you have successfully implemented role-based access control for your CI/CD pipelines, ensuring secure and organized access management.
Wrap-up
Secrets management is often overlooked in the early stages of a project. However, managing those secrets becomes increasingly challenging as your application becomes more complex. Ignoring this crucial aspect can lead to major issues, especially when your application spans multiple environments, making it harder to maintain security, compliance, and synchronization.