Introduction to Secrets Management with Doppler
Items like API keys, database configurations, SSH credentials, and many alike present a need for management and security. Such database configurations, like port numbers, user passwords, and API keys (unique code values used to authenticate API calls and access to APIs) are often vulnerable to security attacks. <!--more--> Without knowing the right tools or management methods, software developers often fail to keep their secrets safe, leading to a poor secret life cycle.
In this tutorial, we'll learn about secrets and manage the secret keys. Later on, we'll look into the best tool/platform you can use as a developer to manage secrets – Doppler.
Overview
This article will cover:
- What are secrets?
- Why manage secrets?
- Unconventional ways to manage secrets
- Doppler
- Conclusion
- Further reading
What are secrets?
As you develop applications, microservices, or containerized apps, you often interact with stuff like 3rd party APIs, user credentials, port numbers, and many other secret keys. These privileged credentials are known as "secrets".
These are private pieces of information that unlock protected resources or sensitive information in tools, application servers, Infrastructure-as-Code (IaC) environments, or even CI/CD pipelines. Secrets need to be handled specially to maintain the security of applications.
Why manage secrets?
Secrets management approaches aim to mitigate the spread of secret keys to external systems.
Mainly, secrets management enables developers to be in charge of:
- How secrets are stored and rotated?
- Who has access to the secrets?
- How often they're shared?
- How frequently they're revoked?
With proper secret management in place, organizations can avoid malicious activities and gain control of their systems.
Unconventional ways to manage secrets
Building scalable and secure applications using any tool can be a difficult task. This is so because fine-grained control is required to check unauthorized access to sensitive information and avoid data leakages.
There are, however, some traditional secret management methods developers get lured into while writing their applications. These methods might not be appropriate for your product. An attempt to use them only leaves your functions or applications vulnerable to attack.
Some of the unconventional ways include:
Environment variables
Some developers find it easier to reference secrets stored in the environment variables outside a source code or version control.
Secret keys stored in environment variables are prone to accidental exposures through child processes, that's what we want to avoid.
Therefore, it is recommended to replace environment variables with external secrets managers such as Doppler and AWS Secrets Manager.
Hard coding secrets
Hard coding involves embedding user IDs, passwords, and other credentials into projects. Hardcoded secrets in public projects can be viewed easily, exposing them to exploits.
Attacking exploits can grab access keys, alter rights and privileges, and perform other malicious acts such as injecting ransomware and viruses into applications.
Storing secrets in public places – Github
Registries and public repositories like Github are places secrets should not be found. These repositories are shared across development teams, testing teams, or possibly with the entire world (as is the case for open-source software), making projects vulnerable.
The best secret management option for projects should avail a seamless secret lifecycle, role-based access control, and encryption for any secret at rest or in transit.
You may now be wondering if there is any optimal and easier way to manage secrets. And yes! There is Doppler available, a secrets manager for your secrets at any level of development.
Doppler
This section will show a simple guide on storing secrets using Doppler. Doppler has a unified dashboard platform that eliminates the need for .env
files, hard coding, or the use of public repositories.
From Doppler's unified dashboard, it is possible to manage teams, projects, and secrets centrally.
Why Doppler?
Doppler is a fault-tolerant, managed, multi-infrastructure service that gives developers an unlimited project environment, unlike traditional secret management options to store secrets locally.
Doppler integrates well with popular cloud providers. It also provides dashboard-based integration of projects with other secret managers such as AWS Secrets Manager, Parameter Store, and Hashicorp Vault.
Doppler CLI
Doppler CLI is a lightweight installable file that provides a consistent experience between developing locally and production.
Whether working locally or in a production environment, you can initiate your application's secrets using the doppler run
command. This will execute your application, with your latest secrets being injected into your working environment.
To install Doppler CLI, it is required to have package managers such as scoop. To reach the Doppler's scoop repository for installation, run the script below in a command prompt:
scoop bucket add doppler https://github.com/DopplerHQ/scoop-doppler.git
After the Doppler bucket is successfully added, you'll install Doppler CLI through the script below:
scoop install doppler
You can initiate the authentication process when the installations are complete by running doppler
login within your command prompt to enter your Doppler account details.
Doppler dashboard
Doppler dashboard is a browser-based interactive platform where users can organize secrets into projects and environments. The Doppler Dashboard has access to secrets in your projects, keeping the local development and Doppler in sync.
Working with Doppler
Within Doppler, you can create as many projects as you need - considering the applications being developed. The secrets in every project can exist in any environment – development, test, load, or production.
Now, it's time to create a project that will handle secrets.
Navigate the Doppler dashboard to the +
button and click to launch a project. You can name your project to reflect what secrets you'll be storing in your workspace.
Any project created in Doppler comes with dev, test, and production environments to help define secret levels.
You can then store secrets singly or import some JSON files with secrets - creating a bulk secrets option.
To do this, click the Add Secret
button that injects a secret key-value into your project for saving.
You can connect the local project environment to your Doppler secrets through the Doppler CLI. Navigate to the existing local project folder within your terminal or code editor and run the snippet below.
The command will set up your current Doppler project in the local development environment:
doppler setup
After connecting your local project with the Doppler project, you can access, filter, and download secret(s) as either plain values or JSON files.
Run the command doppler secrets get DOPPLER_PROJECT DOPPLER_CONFIG --plain
to select your current project and its environment, as shown below:
From here, you can see your project and its environment, whether dev, prod, or staging. Next, we will access secrets stored in the Doppler project.
To get this done, run the following commands in the terminal:
doppler secrets --only-names
doppler secrets
All secrets stored will be as shown in the screenshot below:
The secrets will be injected into your local working environment with the access done.
To check more on how to manipulate secrets using Doppler CLI for your local environment, be sure to check the following page.
Conclusion
In this article, we have learned what secrets are, why they are managed, and how to manage them efficiently for productivity. We also looked into Doppler - a Universal secrets manager that has grown to be the preferred secrets store, handling secrets sprawl, secrets rotation, and traceability.
It is now the perfect time for you to ship your project secrets into a single manageable dashboard as a developer.
Happy coding!
Further reading
Peer Review Contributions by: Srishilesh P S