Cloud 66

reading time 5 mins

This guide will show you how to securely manage secrets for Cloud 66 hosted applications, either by syncing secrets to Cloud 66's environment variables store or injecting environment variables directly into your application using the Doppler CLI.

As Cloud 66 can deploy containerized applications to a Kubernetes cluster, as well as Ruby on Rails and Node.js applications to a Virtual Machine provider, the documentation will be broken up to cover these two deployment targets separately.


Import Variables

You will need to import your Cloud 66 environment variables to Doppler before continuing as Doppler will now act as the source of truth for app config and secrets for Cloud 66 application environments.

You can use the Doppler dashboard to enter them manually or you can try to use the Cloud 66 Toolbelt and Doppler CLI to import them programmatically:

cx env-vars download \
  --stack your-stack-name \
  --file cloud66-vars.json \
  --file-type json

doppler secrets upload cloud66-vars.json

rm cloud66-vars.json

Service Token

To sync your secrets to Cloud 66 as part of a CI/CD job, the Doppler CLI requires a Service Token to provide read-only access to a specific config and is exposed to the CLI via the DOPPLER_TOKEN environment variable.

Service Token usage will be covered in greater detail in the following sections.



It's recommended to first review our Docker documentation to get a sense of which option might suit you best in more detail.

When deploying containerized Cloud 66 applications to a Kubernetes cluster, you have two options for supplying secrets as environment variables to your applications:

Option 1: Embedded Doppler CLI (recommended)

The Doppler CLI is embedded into the Docker image and uses a Doppler Service Token environment variable named DOPPLER_TOKEN which is set in Cloud 66 for the specified application.

Then when the container is run, the Doppler CLI fetches the latest version of your secrets and injects them into your application as environment variables.

This is the recommended and simplest approach and your Dockerfile only needs a couple of small changes to install and configure the Doppler CLI to run your application:

# Install the Doppler CLI
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 || wget -t 3 -qO- | sh

# Use the Doppler CLI inject secrets into your application process
CMD ["doppler", "run", "--", "npm", "start"]

Check out our Docker documentation to learn more, including a complete working example of a Dockerfile you can use for local testing and educational purposes.

Option 2: Cloud 66 Environment Variables

If you're unable to install the Doppler CLI in your Docker image, you'll need to sync secrets from Doppler to Cloud 66 programmatically, usually via CI/CD such as a GitHub Action.

The process for syncing secrets from Doppler to Cloud 66 is the same for both containerized and virtual machine hosted Rails and Node.js apps so we'll cover that in the next section.

Doppler Secrets Sync (Containers, Node.js, and Rails Applications)

If using a Virtual Machine provider such as AWS or DigitalOcean, or containerized application without the Doppler CLI installed, syncing secrets from Doppler to Cloud 66 programmatically, usually via CI/CD such as a GitHub Action is the best solution.

You'll need to expose the Doppler Service Token value as the DOPPLER_TOKEN environment variable in your CI/CD environment (e.g. GitHub Secret) which the Doppler CLI will use to gain read-only access to the secrets for which the Service Token provided access.

Presuming that your CI/CD environment has the Toolbelt CLI installed and authenticated, your secrets can be synced from Doppler to Cloud 66 with a single command:

cx env-vars upload \
  --stack your-stack-name \
  --file-type json \
  --file <(doppler secrets download --no-file --format json) \
  --apply-strategy immediately # You may want to change this to deployment instead


Awesome Work!

Now you know how to use Doppler to supply secrets to your Cloud 66 applications.