Rotate Secrets

Rotate Doppler service tokens. Covers generation, propagation, and verification.

Purpose

Doppler service tokens are long-lived read-only credentials. Rotate on: suspected compromise, engineer offboarding, or scheduled rotation (recommended: every 90 days).

When to use

  • Suspected token compromise
  • Engineer with token access leaves the team
  • Scheduled rotation cadence

Steps

1. Generate new token in Doppler UI

  1. Go to Doppler -> oep project -> select config (oep-stg / mansety-prd / us-prd)
  2. Service Tokens -> Generate Token -> name: k8s-<env>-<date> -> scope: read-only
  3. Copy token value (shown once)

2. Update GH secret

gh secret set DOPPLER_SERVICE_TOKEN_OEP_STG --repo unipuka/soa --body "<new-token>"
# repeat for mansety-prd / us-prd

3. Update K8s Secret via TF

Pass the new token to Terraform as a TF_VAR environment variable and apply only the affected Secret resource:

export TF_VAR_doppler_service_token_oep_stg="<new-token>"
direnv exec oep-infra terraform -chdir=oep-infra apply -target=kubernetes_secret.doppler_token_oep_stg

4. Force ESO re-sync

kubectl annotate externalsecret -n oep-stg --all \
  force-sync=$(date +%s) --overwrite

5. Delete old token in Doppler UI

After confirming ESO sync is healthy, delete the old token.

Rollback

If the new token doesn't work, generate another, or restore the prior token if it is still present in the Doppler UI history (step 5 has not yet been run).

V&V

  • kubectl get clustersecretstore -> every store shows STATUS Valid
  • kubectl get externalsecret -n oep-stg -> every ExternalSecret shows STATUS SecretSynced
  • doppler secrets download --token=$DOPPLER_SERVICE_TOKEN_OEP_STG --no-file --format json -> returns the expected set of keys
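A SecretSynced status on its own does not prove the Kubernetes Secret now holds values fetched with the new token: the condition can still reflect the last sync done with the old one. The check below is an added example, not part of this runbook; it takes the output of kubectl get externalsecret -n oep-stg -o json plus the time step 4 was run, and flags any ExternalSecret that is not Ready/SecretSynced or whose refreshTime predates the force-sync. The input document here is constructed so the check runs offline.

```python
"""Verify ESO actually re-synced after the Doppler token rotation.
Input: the JSON list from `kubectl get externalsecret -n <ns> -o json`
and the instant the force-sync annotation (step 4) was applied."""
from datetime import datetime, timezone


def _parse_ts(ts: str) -> datetime:
    # Kubernetes emits RFC3339 timestamps with a trailing Z; make them tz-aware.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_externalsecrets(es_list: dict, forced_at: datetime) -> list[str]:
    """Return one failure line per ExternalSecret that is not healthy after rotation.

    Healthy means: Ready condition is True with reason SecretSynced, AND
    status.refreshTime is at or after the force-sync, i.e. the stored values
    were fetched with the new token rather than left over from the old one."""
    failures = []
    for item in es_list.get("items", []):
        name = item["metadata"]["name"]
        status = item.get("status", {})
        ready = [c for c in status.get("conditions", []) if c.get("type") == "Ready"]
        if not ready or ready[0].get("status") != "True" or ready[0].get("reason") != "SecretSynced":
            reason = ready[0].get("reason", "unknown") if ready else "no Ready condition"
            failures.append(f"{name}: not synced ({reason})")
            continue
        refresh = status.get("refreshTime")
        if refresh is None or _parse_ts(refresh) < forced_at:
            failures.append(f"{name}: refreshTime {refresh} predates force-sync; still on old token")
    return failures


# Constructed sample (not real cluster output): one ES synced after the force-sync,
# one that ESO has not re-fetched yet, and one whose sync failed, which is what a
# wrong or already-deleted token looks like.
def _es(name, cond_status, reason, refresh):
    return {"metadata": {"name": name},
            "status": {"conditions": [{"type": "Ready", "status": cond_status, "reason": reason}],
                       "refreshTime": refresh}}

SAMPLE = {"items": [
    _es("app-config", "True", "SecretSynced", "2024-01-15T12:00:07Z"),
    _es("db-creds", "True", "SecretSynced", "2024-01-15T11:30:00Z"),
    _es("api-keys", "False", "SecretSyncedError", "2024-01-15T12:00:05Z"),
]}
FORCED_AT = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # when step 4 ran

if __name__ == "__main__":
    for line in check_externalsecrets(SAMPLE, FORCED_AT):
        print("FAIL", line)
```

Only when this returns no failures for the real namespace is it safe to proceed to step 5 and delete the old token.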