Accessing Secrets


There are situations where you'll want to access the values of one or more secrets without running a command or script through doppler run.

This is what the doppler secrets set of commands is designed for, and below are the most common use cases you're likely to come across:

Accessing

Fetch the plain value of a single secret, e.g. JSON credentials used by a CLI:

doppler secrets get GCP_SERVICE_ACCOUNT_JSON --plain > gcp_credentials.json

You can also use a value of a secret in conjunction with doppler run by using the --command flag, e.g. performing a curl request using Basic Authentication:

doppler run --command='curl -u $USER:$TOKEN https://example.com'

You can download secrets to a file when environment variables aren't sufficient, e.g. supplying a TLS certificate and key to a web server:

doppler secrets get TLS_CERT --plain > /etc/tls/cert.pem
doppler secrets get TLS_KEY --plain > /etc/tls/key.pem

Get the values of multiple secrets at once in either plain or JSON format:

# Plain
doppler secrets get DOPPLER_PROJECT DOPPLER_CONFIG --plain

# JSON
doppler secrets get DOPPLER_PROJECT DOPPLER_CONFIG --json

You can also get a nice dashboard-style view with the option to exclude the values:

# Names and values
doppler secrets

# Just names
doppler secrets --only-names

Filtering

You can use the doppler secrets download command in conjunction with tools such as grep and jq to get a filtered list of secrets.

Filter secrets in env format using grep:

# Get secrets containing the string "CLOUDWATCH"
doppler secrets download --no-file --format env | grep CLOUDWATCH

# Get secrets starting with "CLOUDWATCH"
doppler secrets download --no-file --format env | grep ^CLOUDWATCH

Filter objects in JSON format using jq:

# Get secrets containing the string "CLOUDWATCH"
doppler secrets download --no-file --format json | \
    jq -r '. | to_entries[] | select(.key | contains("CLOUDWATCH")) | { (.key): (.value)}' | \
    jq -s add

# Get secrets starting with "CLOUDWATCH"
doppler secrets download --no-file --format json | \
    jq -r '. | to_entries[] | select(.key | startswith("CLOUDWATCH")) | { (.key): (.value)}' | \
    jq -s add

You can also combine filtering with formatting. For example, create an SSH authorized_keys file from the values of all secrets that have an SSH_PUB_KEY_ prefix.

# If secrets in Doppler were
# SSH_PUB_KEY_SERVER_A="ssh-ed25519 AAA..."
# SSH_PUB_KEY_SERVER_B="ssh-ed25519 BBB..."

# -f2- keeps everything after the first "=", so a value that itself contains "=" (e.g. base64 padding) is not truncated
doppler secrets download --no-file --format env-no-quotes | grep ^SSH_PUB_KEY_ | cut -d"=" -f2- > authorized_keys && chmod 600 authorized_keys

Downloading


Whenever possible, avoid downloading secrets in unencrypted form to the file system; if you must, remove the file as soon as possible, e.g. once your application or script exits.

Using the doppler secrets download command, you can download all secrets in a variety of formats:

  • json (default)
  • yaml
  • env
  • env-no-quotes
  • docker

For example, to download secrets as a .env file:

# Avoid storing secrets unencrypted whenever possible
doppler secrets download --no-file --format env > .env

Thanks to the magic that is bash process substitution (meaning this won't work for shell scripts executed with sh), we can use the Doppler CLI to supply secrets to a command expecting a file, but without having to save it locally. Best of both worlds!

Works great with Docker:

docker run \
    --env-file <(doppler secrets download --no-file --format docker) \
    your/image

And Kubernetes:

kubectl create secret generic \
    doppler-env-vars --from-env-file <(doppler secrets download --no-file --format docker)
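The process substitution above is bash-only. As an added example (not from the Doppler docs), the same "file without a file" effect can be had under plain sh with a named pipe: the command that expects a file path reads the secrets from the pipe and the plaintext never lands on disk. fake_doppler_download is a constructed stand-in for doppler secrets download --no-file --format docker, and the '{}' placeholder convention is this example's own.

```shell
# Added example (not from the Doppler docs): feed secrets to a command that wants
# a file path without writing plaintext to disk, in a way that also works under
# plain sh, where bash process substitution <(...) is unavailable.

# Constructed stand-in for `doppler secrets download --no-file --format docker`;
# replace it with the real command in practice.
fake_doppler_download() {
  printf 'DB_USER=app\nDB_PASSWORD=example-only\n'
}

# secrets_via_fifo PRODUCER CMD [ARG...]
# Runs CMD with every '{}' argument replaced by the path of a mode-0600 named
# pipe that PRODUCER writes into. The pipe lives in a private temp dir and is
# removed afterwards; CMD's exit status is returned.
secrets_via_fifo() {
  _producer=$1; shift
  _dir=$(mktemp -d) || return 1
  _fifo=$_dir/secrets.fifo
  mkfifo -m 600 "$_fifo" || { rmdir "$_dir"; return 1; }
  # Rebuild the argument list, substituting the FIFO path for '{}'.
  for _arg in "$@"; do
    shift
    if [ "$_arg" = "{}" ]; then _arg=$_fifo; fi
    set -- "$@" "$_arg"
  done
  # The writer blocks until CMD opens the pipe for reading.
  "$_producer" > "$_fifo" &
  _writer=$!
  if "$@"; then _status=0; else _status=$?; fi
  # If CMD never opened the pipe, the writer is still blocked: stop it.
  kill "$_writer" 2>/dev/null || true
  wait "$_writer" 2>/dev/null || true
  rm -f "$_fifo"; rmdir "$_dir" || true
  return "$_status"
}

# Example consumer: counts the KEY=value lines it reads from the given path.
count_env_lines() { grep -c '^[A-Z_][A-Z0-9_]*=' "$1"; }

# Usage mirroring the Docker case above:
#   secrets_via_fifo fake_doppler_download docker run --env-file '{}' your/image
```

Because the reader must open the pipe for the writer to proceed, a consumer that opens the path more than once will only see the secrets on the first open.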

You can even embed the secrets as part of a larger output, such as syncing Doppler secrets to AWS Lambda using JSON:

# Quote the argument so whitespace in the JSON is not subject to word splitting
aws lambda update-function-configuration \
    --function-name doppler-test \
    --environment "{\"Variables\":$(doppler secrets download --no-file)}"

You can even transform the syntax of secret keys and values using jq when you need a specific format, such as Apache environment variable declarations for a PHP application:

doppler secrets download --no-file | jq -r '. | to_entries[] | "SetEnv \(.key) \"\(.value)\""' > apache/env-vars.conf

That should give you a few ideas for how you can work with Doppler secrets outside of the doppler run command.

Let us know if we've missed anything and we'd be glad to add your tip to the list!
