• You've run applications in Docker and have experience building Docker images.

Service Tokens

Accessing your secrets in production or CI/CD environments requires a Service Token to provide read-only access to a specific config. It's exposed to the CLI via the DOPPLER_TOKEN environment variable which should be provided by your CI/CD environment, e.g. GitHub Secret.


This method installs the Doppler CLI in your Docker image to inject secrets at container runtime.

# Install Doppler CLI
RUN apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg && \
    curl -sLf --retry 3 --tlsv1.2 --proto "=https" '' | apt-key add - && \
    echo "deb any-version main" | tee /etc/apt/sources.list.d/doppler-cli.list && \
    apt-get update && \
    apt-get -y install doppler
# Install Doppler CLI
RUN wget -q -t3 '' -O /etc/apk/keys/[email protected] && \
    echo '' | tee -a /etc/apk/repositories && \
    apk add doppler
# Install Doppler CLI
RUN rpm --import '' && \
    curl -sLf --retry 3 --tlsv1.2 --proto "=https" '' | tee /etc/yum.repos.d/doppler-cli.repo && \
    yum update -y && \
    yum install -y doppler
# Does not rely on package managers

# Option 1: Standard
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 || wget -t 3 -qO- | sh

# Option 2: Signature Verification (GnuPG package required)
RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 || wget -t 3 -qO- | sh -s -- --verify-signature

Your Dockerfile will then need to use doppler run in either the ENTRYPOINT or CMD to fetch your secrets at container runtime. As a general rule, CMD is the easiest way to get started, but we'll explore both options below.

CMD method

Unless you're an experienced Docker user, we recommend using the CMD method.

CMD ["doppler", "run", "--", "printenv"]
  • Doesn't require understanding the difference between ENTRYPOINT and CMD
  • Good as it works with an existing ENTRYPOINT without requiring changes
  • Easily bypass the Doppler CLI by overriding theCMD at container runtime


ENTRYPOINT ["doppler", "run", "--"]
CMD ["your-command-here"]
  • Good as it ensures any command used to run the container will have Doppler injected environment variables
  • Requires knowledge of ENTRYPOINT vs. CMD
  • Requires integrating into an existing ENTRYPOINT command or script if defined
  • Bypassing the use of the Doppler CLI in your ENTRYPOINT requires either conditional logic to only use Doppler if the DOPPLER_TOKEN environment variable is set, or overriding the ENTRYPOINT when running the container


Need more guidance? Reach out via in-product support or in our Community Portal


Let's see a full example of a Dockerfile using the CMD option.

FROM alpine

# Install the Doppler CLI
RUN (curl -Ls || wget -qO- | sh

# Fetch and view secrets using "printenv". Testing purposes only!
# Replace "printenv" with the command used to start your app, e.g. "npm", "start"
CMD ["doppler", "run", "--", "printenv"]

Because the contents of your Dockerfile has changed, you'll need to re-build it before continuing. If following along with this example, you'll need to build the image:

docker build -t doppler-test .

Now run the container:

# `DOPPLER_TOKEN` (Service Token) provided by CI/CD environment
docker run --rm -it --init -e DOPPLER_TOKEN="$DOPPLER_TOKEN" doppler-test
doppler setup # Select the project and config

# Use local Doppler configuration, passing in CLI token, project, and config
docker run --rm -it --init \
   -e "DOPPLER_TOKEN=$(doppler configure get token --plain)" \
   -e "DOPPLER_PROJECT=$(doppler configure get project --plain)" \
   -e "DOPPLER_CONFIG=$(doppler configure get config --plain)" \

You should see your secrets output amongst the other container environment variables.


Amazing Work!

Your secrets in Doppler are now ready to be used in your Docker containers.

Did this page help you?