Installation

In this guide, you'll learn how to install the Doppler CLI for all environments, from local development through to production.

Walkthrough

Installation

The Doppler CLI provides access to your secrets in every environment: local development, CI/CD, staging, and production. It is a lightweight binary available for almost every operating system and package manager, including Docker.

# macOS (Homebrew)
brew install dopplerhq/cli/doppler

# Windows (Scoop)
# Add Doppler's scoop repo
scoop bucket add doppler https://github.com/DopplerHQ/scoop-doppler.git

# Install latest doppler cli
scoop install doppler

# Shell script
# Does not rely on package managers
# Recommended for ephemeral environments (e.g. CI jobs)
# Supports Linux, BSD, and macOS

# Option 1: Standard
(curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh

# Option 2: Signature Verification (GnuPG package required)
(curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh -s -- --verify-signature

# Alpine (apk)
# Add Doppler's RSA key
wget -q -t3 'https://packages.doppler.com/public/cli/rsa.8004D9FF50437357.key' -O /etc/apk/keys/[email protected]

# Add Doppler's apk repo
echo 'https://packages.doppler.com/public/cli/alpine/any-version/main' | tee -a /etc/apk/repositories

# Install latest Doppler CLI
apk add doppler

# Debian/Ubuntu (apt)
# Install pre-reqs
sudo apt-get update && sudo apt-get install -y apt-transport-https ca-certificates curl gnupg

# Add Doppler's GPG key
curl -sLf --retry 3 --tlsv1.2 --proto "=https" 'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' | sudo apt-key add -

# Add Doppler's apt repo
echo "deb https://packages.doppler.com/public/cli/deb/debian any-version main" | sudo tee /etc/apt/sources.list.d/doppler-cli.list

# Fetch and install latest doppler cli
sudo apt-get update && sudo apt-get install doppler

# RedHat/CentOS (yum)
# Add Doppler's GPG key
sudo rpm --import 'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key'

# Add Doppler's yum repo
curl -sLf --retry 3 --tlsv1.2 --proto "=https" 'https://packages.doppler.com/public/cli/config.rpm.txt' | sudo tee /etc/yum.repos.d/doppler-cli.repo

# Update packages and install latest doppler cli
sudo yum update && sudo yum install doppler

Now, verify the Doppler CLI was installed by checking its version.

doppler --version

You can also upgrade the CLI to the latest version at any time.

doppler update

Local Development

Authentication

For the Doppler CLI to access secrets for your projects, it needs an access token. For local development, use the doppler login command, which opens a browser window and asks you to authenticate.

doppler login

This only needs to happen once per workplace. If you have multiple workplaces, you can scope each login to a separate directory.

Project Setup

Now that the CLI is installed, let's configure it for use with a project in your development environment.

In Doppler, access to a project's secrets is scoped to a specific directory in your file system. This allows you to fetch secrets for multiple projects on a single machine.

📘

Have you created a project?

If you or your team has yet to create a project, learn how in our Create a Project guide, as you'll need a project for the upcoming steps.

For each project, the setup command must be run, usually at the repository root level.

# Change to your project's directory
cd ./your/project/directory

# Select project and config
doppler setup

You can optionally pre-configure the Doppler project and config to use for local development by creating a doppler.yaml file, either in the root of the repository, or in each app folder if using a monorepo. You can specify just the project, or the project and config, but we recommend setting both to make setup as easy as possible. Here's an example:

setup:
  project: rocket
  config: dev

Now you'll get an enhanced experience when running doppler setup:

Usage

Use the run command to fetch the latest versions of the secrets for your project and selected config and inject them as environment variables into the process started by your command or script.

# Single command
doppler run -- your-command-here
# Multiple commands
doppler run --command="./configure && ./process-jobs; ./cleanup"

Because Doppler injects secrets as environment variables, it works for any language, framework, platform, and cloud provider.

// Node.js
const secret = process.env["SECRET_NAME"]
# Python
secret = os.getenv("SECRET_NAME")
# Ruby
secret = ENV["SECRET_NAME"]
// Go
secret := os.Getenv("SECRET_NAME")
// Java
String secret = System.getenv().get("SECRET_NAME");
// PHP
$secret = $_ENV["SECRET_NAME"];
// Rust
let secret = env::var("SECRET_NAME");
// Kotlin
var secret: String = System.getenv("SECRET_NAME")
// Groovy
def secret = System.getenv("SECRET_NAME")
// C
char const* secret = getenv("SECRET_NAME");

To run one-off commands that use a secret in Doppler, escape the variable reference or use single quotes. This prevents your shell from expanding the variable before the run command executes.

# Escape the dollar sign inside double quotes
doppler run --command="echo \$SECRET_NAME"
# Or use single quotes
doppler run --command='echo $SECRET_NAME'
# Or fetch the value directly
echo "$(doppler secrets get SECRET_NAME --plain)"
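
The quoting rule above, shown as an added example that is not part of the Doppler documentation. It assumes `env VAR=... sh -c` as a stand-in for `doppler run --command`, and all values are constructed.

```shell
#!/bin/sh
# Stand-in for `doppler run --command=...` (assumption for this demo): start a
# child shell with SECRET_NAME injected into its environment.
run_with_secret() {
    env SECRET_NAME='value-injected-at-run-time' sh -c "$1"
}

# Constructed scenario: an old value is still set in the calling shell.
SECRET_NAME='stale-value-from-calling-shell'

# Double quotes, no escape: the calling shell substitutes its own value
# before the child starts, so the injected secret is never read.
unescaped() { run_with_secret "echo $SECRET_NAME"; }

# Escaped dollar sign: the child receives the literal text `echo $SECRET_NAME`.
escaped() { run_with_secret "echo \$SECRET_NAME"; }

# Single quotes: same effect, nothing is expanded by the calling shell.
single_quoted() { run_with_secret 'echo $SECRET_NAME'; }

# With the variable unset in the calling shell, the unescaped form runs a
# bare `echo` and prints an empty line instead of the secret.
unescaped_when_unset() {
    ( unset SECRET_NAME; run_with_secret "echo $SECRET_NAME" )
}
```

The unescaped form fails quietly: the command still succeeds, it just runs with the wrong value or with none.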

Remove .env File Usage

Now that Doppler is injecting secrets as environment variables, it's best to remove all application code relying on .env files as well as .env files that may still exist locally.

This instantly improves security by removing the storage of unencrypted secrets from your file system and avoids potential confusion as to what the source of truth is for the loading of environment variables.
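
One way to check a repository for leftovers after this cleanup, as an added example that is not part of the Doppler documentation. The function names, the skipped directories and the list of dotenv loader calls are assumptions chosen for illustration, and the sample project is constructed.

```shell
#!/bin/sh
# List plaintext .env files under a project root, skipping VCS and vendored dirs.
find_env_files() {
    find "$1" \( -name .git -o -name node_modules \) -prune -o \
        -type f \( -name '.env' -o -name '.env.*' \) -print | sort
}

# List source lines that still call a dotenv loader (assumed, non-exhaustive list).
find_dotenv_loaders() {
    pattern="require\(['\"]dotenv['\"]\)|dotenv/config|from dotenv import|load_dotenv\(|Dotenv\.load|godotenv\.Load"
    find "$1" \( -name .git -o -name node_modules \) -prune -o -type f \
        \( -name '*.js' -o -name '*.ts' -o -name '*.py' -o -name '*.rb' -o -name '*.go' \) \
        -exec grep -nHE "$pattern" {} + | sort
}

# Print findings; return 0 only when the project is clean.
audit_env_usage() {
    files=$(find_env_files "$1")
    loaders=$(find_dotenv_loaders "$1")
    [ -n "$files" ] && printf 'plaintext env files:\n%s\n' "$files"
    [ -n "$loaders" ] && printf 'dotenv loader calls:\n%s\n' "$loaders"
    [ -z "$files$loaders" ]
}

# Constructed sample project for trying the audit offline.
make_sample_project() {
    root=$(mktemp -d)
    mkdir -p "$root/api" "$root/node_modules/pkg"
    printf 'SECRET_NAME=constructed-value\n' > "$root/.env"
    printf 'SECRET_NAME=constructed-value\n' > "$root/api/.env.local"
    printf 'X=1\n' > "$root/node_modules/pkg/.env"
    printf "require('dotenv').config()\nconst s = process.env.SECRET_NAME\n" \
        > "$root/api/index.js"
    printf 'import os\nsecret = os.getenv("SECRET_NAME")\n' > "$root/api/worker.py"
    echo "$root"
}
```

Run `audit_env_usage .` from the repository root; a non-zero exit status makes it usable as a CI or pre-commit gate.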

📘

Setup Production

Now that you have local development running, let's set up authentication for staging and production using Service Tokens or by connecting an integration.

