We are here to help you get from zero to one fast.

Get Started    Discussions


reading time 3 mins

This guide is designed to get you set up with deploying your secrets to a serverless stack. We assume you are already using the open-source Serverless framework to deploy your code.


YAML Modifications

Secrets in the Serverless framework can be fetched from multiple sources. For integrating with Doppler we want to fetch them from the environment. You will need to change your serverless.yaml file to do so.

provider: aws

    name: hello
    handler: handler.hello_world
      PORT: ${env:PORT}
      AWS_S3_BUCKET: ${env:AWS_S3_BUCKET}

You can find more information on fetching secrets from Serverless's documentation.


Now that you are fetching secrets from the environment, we will need to change your deploy script to use the Doppler CLI. The Doppler CLI will first be called to fetch your secrets and then the serverless deploy command will be called with the secrets injected into the environment.

doppler run -- serverless deploy


Now let's test your newly deployed code by invoking the serverless function.

serverless invoke --function hello

Continuous Integration

Congrats on getting deployments working with Doppler, next let's automate it with continuous integration! We have a prebuilt Docker image with Doppler and Node.js installed for this use case.

# Node base image
FROM node:lts-alpine

# Install Wget
RUN apk add --no-cache wget 

# Install Doppler
RUN wget -qO- | sh

# Pass in a service token at build time

# Copy over dependency files
COPY package.json .

# Install dependencies
RUN npm i -g serverless && npm i

# Copy the rest of the code
COPY . .

# Deploy serverless app
RUN ["doppler", "run", "--", "serverless", "deploy"]


Amazing Work!

Now that you have local development running, let’s set up authentication for staging and production with Service Tokens.

Updated 19 days ago


reading time 3 mins

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.