- You've run applications in Docker and have experience building Docker images.
Accessing your secrets in production or CI/CD environments requires a Service Token to provide read-only access to a specific config. It's exposed to the CLI via the
DOPPLER_TOKEN environment variable which should be provided by your CI/CD environment, e.g. GitHub Secret.
This method installs the Doppler CLI in your Docker image to inject secrets at container runtime.
# Install Doppler CLI RUN apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg && \ curl -sLf --retry 3 --tlsv1.2 --proto "=https" 'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' | apt-key add - && \ echo "deb https://packages.doppler.com/public/cli/deb/debian any-version main" | tee /etc/apt/sources.list.d/doppler-cli.list && \ apt-get update && \ apt-get -y install doppler
# Install Doppler CLI RUN wget -q -t3 'https://packages.doppler.com/public/cli/rsa.8004D9FF50437357.key' -O /etc/apk/keys/[email protected] && \ echo 'https://packages.doppler.com/public/cli/alpine/any-version/main' | tee -a /etc/apk/repositories && \ apk add doppler
# Install Doppler CLI RUN rpm --import 'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' && \ curl -sLf --retry 3 --tlsv1.2 --proto "=https" 'https://packages.doppler.com/public/cli/config.rpm.txt' | tee /etc/yum.repos.d/doppler-cli.repo && \ yum update -y && \ yum install -y doppler
# Does not rely on package managers # Option 1: Standard RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh # Option 2: Signature Verification (GnuPG package required) RUN (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh -s -- --verify-signature
Your Dockerfile will then need to use
doppler run in either the
CMD to fetch your secrets at container runtime. As a general rule,
CMD is the easiest way to get started, but we'll explore both options below.
Unless you're an experienced Docker user, we recommend using the
CMD ["doppler", "run", "--", "printenv"]
- Doesn't require understanding the difference between
- Good as it works with an existing
ENTRYPOINTwithout requiring changes
- Easily bypass the Doppler CLI by overriding the
CMDat container runtime
ENTRYPOINT ["doppler", "run", "--"] CMD ["your-command-here"]
- Good as it ensures any command used to run the container will have Doppler injected environment variables
- Requires knowledge of
- Requires integrating into an existing
ENTRYPOINTcommand or script if defined
- Bypassing the use of the Doppler CLI in your
ENTRYPOINTrequires either conditional logic to only use Doppler if the
DOPPLER_TOKENenvironment variable is set, or overriding the
ENTRYPOINTwhen running the container
Need more guidance? Reach out via in-product support or in our Community Portal
Let's see a full example of a Dockerfile using the
FROM alpine # Install the Doppler CLI RUN (curl -Ls https://cli.doppler.com/install.sh || wget -qO- https://cli.doppler.com/install.sh) | sh # Fetch and view secrets using "printenv". Testing purposes only! # Replace "printenv" with the command used to start your app, e.g. "npm", "start" CMD ["doppler", "run", "--", "printenv"]
Because the contents of your
Dockerfile has changed, you'll need to re-build it before continuing. If following along with this example, you'll need to build the image:
docker build -t doppler-test .
Now run the container:
# `DOPPLER_TOKEN` (Service Token) provided by CI/CD environment docker run --rm -it --init -e DOPPLER_TOKEN="$DOPPLER_TOKEN" doppler-test
doppler setup # Select the project and config # Use local Doppler configuration, passing in CLI token, project, and config docker run --rm -it --init \ -e "DOPPLER_TOKEN=$(doppler configure get token --plain)" \ -e "DOPPLER_PROJECT=$(doppler configure get project --plain)" \ -e "DOPPLER_CONFIG=$(doppler configure get config --plain)" \ doppler-test
You should see your secrets output amongst the other container environment variables.
Your secrets in Doppler are now ready to be used in your Docker containers.
Updated 17 days ago