Learn how to install the Doppler CLI in your Docker image to inject secrets at container runtime.


  • You've run applications in Docker and have experience building Docker images.


This method installs the Doppler CLI in your Docker image to inject secrets at container runtime.

# Install Doppler CLI
RUN apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg && \
    curl -sLf --retry 3 --tlsv1.2 --proto "=https" '' | gpg --dearmor -o /usr/share/keyrings/doppler-archive-keyring.gpg && \
    echo "deb [signed-by=/usr/share/keyrings/doppler-archive-keyring.gpg] any-version main" | tee /etc/apt/sources.list.d/doppler-cli.list && \
    apt-get update && \
    apt-get -y install doppler
# Install Doppler CLI
RUN wget -q -t3 '' -O /etc/apk/keys/[email protected] && \
    echo '' | tee -a /etc/apk/repositories && \
    apk add doppler
# Install Doppler CLI
RUN rpm --import '' && \
    curl -sLf --retry 3 --tlsv1.2 --proto "=https" '' | tee /etc/yum.repos.d/doppler-cli.repo && \
    yum update -y && \
    yum install -y doppler
# Does not rely on package managers

# Requires curl and gnupg:
#        Alpine: apk add curl gnupg
#   CentOS/RHEL: yum install -y curl gnupg
# Ubuntu/Debian: apt install -y curl GnuPG

RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 || wget -t 3 -qO- | sh

Your Dockerfile will then need to use doppler run in either the ENTRYPOINT or CMD to fetch your secrets at container runtime. As a general rule, CMD is the easiest way to get started, but we'll explore both options below.


Unless you're an experienced Docker user, we recommend using the CMD method as it requires minimal changes to your Dockerfile:

CMD ["doppler", "run", "--", "your-command-here"]
  • Doesn't require an understanding of the difference between ENTRYPOINT and CMD
  • GoodSimple as it works with an existing ENTRYPOINT without requiring changes
  • Easily able to bypass the Doppler CLI by overriding the CMD at container runtime


Setting Doppler as the ENTRYPOINT means any command, whether that be the defined CMD in the Dockerfile or if it's overridden when calling docker run will be spawned by the Doppler CLI:

ENTRYPOINT ["doppler", "run", "--"]
CMD ["your-command-here"]

The Doppler CLI also takes care of forwarding signals from the container runtime to your application process.'

  • Ensures any command used to run the container will have Doppler injected environment variables
  • Requires knowledge of ENTRYPOINT vs. CMD
  • Requires integrating into an existing ENTRYPOINT command or script if defined
  • Bypassing the use of the Doppler CLI in your ENTRYPOINT is tricky


Using an ENTRYPOINT script requires a significantly deeper knowledge of how containers work and in short, it's best to avoid them whenever possible.

I'll provide a brief overview of how an ENTRYPOINT script works below but I would recommend learning in more depth the differences between CMD and ENTRYPOINT if you want to pursue this route.

For a complete example, here is a Dockerfile with a script for the ENTRYPOINTand a defaultCMD`:

FROM alpine

RUN wget -q -t3 '' -O /etc/apk/keys/[email protected] && \
    echo '' | tee -a /etc/apk/repositories && \
    apk add doppler

COPY /usr/local/bin/

ENTRYPOINT ["/usr/local/bin/"]
CMD ["printenv"] # Testing purposes only!

And as is typical for an ENTRYPOINT script, exec will be used to execute the CMD or command. Using exec replaces the process as the new PID 1 in the container.

The replacement of the container PID 1 process means your application process will now receive any signals sent by the container runtime such as SIGINT to trigger a graceful shutdown of your application.

#! /usr/bin/env sh


echo "[info]: Starting application with command - \"${@}.\""
exec "$@"

To clarify things further, if exec wasn't used and we executed the command as-is, the application would appear to start just like before. But this time, the process remains PID 1 and the CMD or command is spawned as a child process.

#! /usr/bin/env sh


echo "[info]: Starting application with command - \"${@}.\""

This means a signal such as SIGINT will be received by the process, not your application. Because your application continues to run, oblivious to any signal sent to the container, the container must be forcibly killed after the allotted grace period.

If you've ever run a container and haven't been able to stop it using CTRL+C for example, a lack of signal forwarding is most likely why.

Your app should always terminate gracefully and this is especially important when essential cleanup is required in order to not leave external services in a bad state.

Moving our focus back to the Dockerfile, the simplest option is to update the CMD to include the doppler run command just like we did earlier as this requires no changes to the ENTRYPOINT script:

ENTRYPOINT ["/usr/local/bin/"]
CMD ["doppler", "run", "--", "printenv"] # Testing purposes only!

But if you wanted to force every command to be run by the Doppler CLI, then you'll need to update your ENTRYPOINT script to use doppler run:

#! /usr/bin/env sh


echo "[info]: Starting application with command - \"${@}\""
exec doppler run -- "$@"

Running the Container

Accessing your secrets in production or CI/CD environments requires a Service Token to provide read-only access to a specific Config within a Project.

When installing the Doppler CLI in your Docker image, the DOPPLER_TOKEN environment variable must be provided to the container so it can fetch secrets:

# The $DOPPLER_TOKEN environment variable should be injected by your platform or deployment process.

docker run -e DOPPLER_TOKEN="$DOPPLER_TOKEN" your-application

Local Development

For local development, an ephemeral Service Token is created each time the container is run:

docker run --rm -it \
  -e DOPPLER_TOKEN="$(doppler configs tokens create docker --max-age 1m --plain)" \


Need more guidance? Reach out via in-product support or in our Community Portal


Amazing Work!

The Doppler CLI is now ready to inject secrets within your containerized application!