Pulumi ESC vs Doppler
Choosing the right secrets management tool is important, and we want you to have as much information as possible to make the choice that best suits your needs. We’ve created this document to help you understand how Pulumi ESC compares with Doppler.
What is Doppler?
Doppler is a secrets management tool that provides a centralized platform for managing and controlling access to secrets. It supports dynamic secret generation, encryption as a service, and comprehensive access policies.
Pulumi ESC vs. Doppler: Similarities
Like Doppler, Pulumi ESC is a secrets manager for cloud applications and infrastructure. In both ESC and Doppler, secrets can be stored and accessed through a CLI, SDK, or Web editor interface. Secrets can also be pulled from other secrets and password managers. Granular access controls can be implemented across all secrets.
Pulumi ESC vs. Doppler: Key Differences
There are a couple of fundamental differences between Doppler and Pulumi ESC. Doppler has basic per secret inheritance as opposed to fully composable and hierarchical environments of ESC. Second, ESC environments can be managed (create, update, delete) through infrastructure as code. Third, ESC takes a more secure limited privilege path to provisioning dynamic short-term credentials as compared to Doppler.
Here’s a detailed comparison of the two:
Feature | Pulumi ESC | Doppler |
---|---|---|
Architecture | ||
OSS License | Yes, Apache License 2.0 | No |
Document Store | Yes | No |
Key-value Store | Yes | Yes |
Open Ecosystem | Yes, supports pulling and using secrets from multiple sources including HashiCorp Vault, 1Password, AWS Secrets Manager, etc. | Yes, supports pulling and using secrets from a variety of stores |
Developer Experience | ||
Editing and Authoring | Yes, supports both GUI and IDE editing, with a powerful Document Editor with autocomplete, docs hover, and error checking | Limited, has GUI editor with multiple import formats |
CLI | Yes, available via esc CLI and pulumi CLI | Yes |
Client SDKs | Yes | Yes |
Declarative Provider | Yes, support via the Pulumi Service Provider, which allows management (create, update, delete) of collections of secrets and configuration as a resource through infrastructure as code | No |
Composability | Yes, simple set up of hierarchical environments that inherit values from imported environments | Limited, can create projects that have secret values that can be individually inherited by other projects |
Versioning | Yes, entire environments can be versioned and tagged and imported based on the specific version tags or revision numbers | Yes |
Immutable History & Point in Time Recovery | Yes | Yes |
Values Can Be of Type Secret and Plaintext | Yes | Yes |
Interpolate Values from Other Values | Yes, new dynamic values can be constructed through string interpolation | No |
Branching / Personal Configs | Yes, environments can be forked for testing without rewriting entire environments and overriding specific values | Yes, environments has a root and branches and each developer automatically get their own personal development config per project |
Compare Secrets across Environments | No | No |
In-built Functions | Yes, support for functions like toJSON, fromJSON, fromBase64, toString allows data manipulation for any scenario | Limited, only toJSON and fromJSON available |
Security and Compliance | ||
Audit Logs | Yes | Yes |
Encrypted Secrets Storage | Yes, TLS is used for encryption in transit and unique encryption keys per environment are employed for encryption at rest | Yes, TLS is used for encryption in transit and all secrets are encrypted with AES-GCM |
Access Controls | Yes | Yes |
Secure Dynamic Cloud Provider Credentials | Yes, uses OIDC flows to generate dynamic credentials. Available for AWS, Azure, and Google Cloud | Limited, OIDC not used to generate dynamic credentials. TTL based leases are used to generate dynamic secrets |
OIDC Trust | Yes, trust relationships are established with third-party OIDC providers | No |
Secure Environment Variables | Yes, the esc run CLI command can be used to specify which secrets are available as environment variables | No, all values are available as environment variables | Plaintext Read Only Mode | Yes, ESC offers a read mode that allows reading only plaintext values while not being able to decrypt secrets or access dynamic credentials | No |
Get Started with Pulumi
Use Pulumi ESC to easily centralize and manage environments, secrets, and configurations. Follow our Get Started guide for ESC to begin. If you want to use Vault or any other secrets manager with ESC, follow the below guides to import secrets from existing secrets managers into ESC environments.
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.