
Pulumi ESC vs Doppler

    Choosing the right secrets management tool is important, and we want you to have as much information as possible to make the choice that best suits your needs. We’ve created this document to help you understand how Pulumi ESC compares with Doppler.

    What is Doppler?

    Doppler is a secrets management tool that provides a centralized platform for managing and controlling access to secrets. It supports dynamic secret generation, encryption as a service, and comprehensive access policies.

    Pulumi ESC vs. Doppler: Similarities

    Like Doppler, Pulumi ESC is a secrets manager for cloud applications and infrastructure. In both ESC and Doppler, secrets can be stored and accessed through a CLI, SDK, or Web editor interface. Secrets can also be pulled from other secrets and password managers. Granular access controls can be implemented across all secrets.

    Pulumi ESC vs. Doppler: Key Differences

    There are three fundamental differences between Doppler and Pulumi ESC. First, Doppler has basic per-secret inheritance, as opposed to the fully composable and hierarchical environments of ESC. Second, ESC environments can be managed (create, update, delete) through infrastructure as code. Third, ESC takes a more secure, limited-privilege path to provisioning dynamic short-term credentials as compared to Doppler.

    Here’s a detailed comparison of the two:

    | Feature | Pulumi ESC | Doppler |
    | --- | --- | --- |
    | Architecture | | |
    | OSS License | Yes, Apache License 2.0 | No |
    | Document Store | Yes | No |
    | Key-value Store | Yes | Yes |
    | Open Ecosystem | Yes, supports pulling and using secrets from multiple sources including HashiCorp Vault, 1Password, AWS Secrets Manager, etc. | Yes, supports pulling and using secrets from a variety of stores |
    | Developer Experience | | |
    | Editing and Authoring | Yes, supports both GUI and IDE editing, with a powerful Document Editor with autocomplete, docs hover, and error checking | Limited, has GUI editor with multiple import formats |
    | CLI | Yes, available via esc CLI and pulumi CLI | Yes |
    | Client SDKs | Yes | Yes |
    | Declarative Provider | Yes, supported via the Pulumi Service Provider, which allows management (create, update, delete) of collections of secrets and configuration as a resource through infrastructure as code | No |
    | Composability | Yes, simple setup of hierarchical environments that inherit values from imported environments | Limited, can create projects that have secret values that can be individually inherited by other projects |
    | Versioning | Yes, entire environments can be versioned and tagged and imported based on the specific version tags or revision numbers | Yes |
    | Immutable History & Point in Time Recovery | Yes | Yes |
    | Values Can Be of Type Secret and Plaintext | Yes | Yes |
    | Interpolate Values from Other Values | Yes, new dynamic values can be constructed through string interpolation | No |
    | Branching / Personal Configs | Yes, environments can be forked for testing without rewriting entire environments and overriding specific values | Yes, environments have a root and branches, and each developer automatically gets their own personal development config per project |
    | Compare Secrets across Environments | No | No |
    | In-built Functions | Yes, support for functions like toJSON, fromJSON, fromBase64, toString allows data manipulation for any scenario | Limited, only toJSON and fromJSON available |
    | Security and Compliance | | |
    | Audit Logs | Yes | Yes |
    | Encrypted Secrets Storage | Yes, TLS is used for encryption in transit and unique encryption keys per environment are employed for encryption at rest | Yes, TLS is used for encryption in transit and all secrets are encrypted with AES-GCM |
    | Access Controls | Yes | Yes |
    | Secure Dynamic Cloud Provider Credentials | Yes, uses OIDC flows to generate dynamic credentials. Available for AWS, Azure, and Google Cloud | Limited, OIDC not used to generate dynamic credentials. TTL-based leases are used to generate dynamic secrets |
    | OIDC Trust | Yes, trust relationships are established with third-party OIDC providers | No |
    | Secure Environment Variables | Yes, the esc run CLI command can be used to specify which secrets are available as environment variables | No, all values are available as environment variables |
    | Plaintext Read Only Mode | Yes, ESC offers a read mode that allows reading only plaintext values while not being able to decrypt secrets or access dynamic credentials | No |

    Get Started with Pulumi

    Use Pulumi ESC to easily centralize and manage environments, secrets, and configurations. Follow our Get Started guide for ESC to begin. If you want to use Vault or any other secrets manager with ESC, follow the guides below to import secrets from existing secrets managers into ESC environments.

    AWS
    Azure
    Google Cloud
    Vault