Fly.io

Learn how to use Doppler with your Fly.io hosted applications.

This guide will show you how to securely manage secrets for Fly.io hosted applications by injecting environment variables directly into your application using the Doppler CLI.

Prerequisites

  • Have an existing application hosted with Fly.io
  • The Fly.io CLI installed and configured
  • The Doppler CLI is installed
  • doppler setup has been run for your application

Import Variables

If you want to use Doppler with an existing application that already has environment variables or secrets configured in Fly.io, move those over to Doppler before proceeding any further. Fly.io has both secrets and environment variables, and both need to be moved to Doppler.

Environment Variables

Environment variables will be found in your fly.toml file in a section that looks something like this:

[env]
  LOG_LEVEL = "debug"
  RAILS_ENV = "production"
  S3_BUCKET = "my-app-production"

Copy the variables defined there and save them to a doppler-import.env file and then edit the contents so that they're in this format:

LOG_LEVEL=debug
RAILS_ENV=production
S3_BUCKET=my-app-production

After saving those changes, run the following command:

doppler secrets upload doppler-import.env
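The copy-and-edit step above can be scripted. The following is an added example, not part of the Doppler or Fly.io tooling: the function names and the sample fly.toml are constructed, and it assumes one-line `KEY = "value"` entries with no escaped quotes. The import file is created with owner-only permissions because it holds configuration values in plaintext.

```shell
#!/bin/sh
# Added example: turn the [env] table of a fly.toml into dotenv lines.
# Assumes one-line KEY = "value" entries with no escaped quotes in the value.

fly_env_to_dotenv() {   # $1 = path to fly.toml; dotenv lines go to stdout
  awk '
    /^[ \t]*\[/ {                       # any table header starts or ends [env]
      in_env = ($0 ~ /^[ \t]*\[env\][ \t]*(#.*)?$/)
      next
    }
    !in_env { next }
    /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1)
      val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (substr(val, 1, 1) == "\"") {  # quoted: keep text up to the closing quote
        rest = substr(val, 2)
        q = index(rest, "\"")
        if (q > 0) val = substr(rest, 1, q - 1)
      }
      print key "=" val
    }
  ' "$1"
}

write_doppler_import() {   # $1 = fly.toml, $2 = output file (created mode 0600)
  ( umask 077 && rm -f "$2" && fly_env_to_dotenv "$1" > "$2" )
}

# Constructed sample input, not a real configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
app = "my-app"

[env]
  LOG_LEVEL = "debug"
  RAILS_ENV = "production"   # trailing comment
  S3_BUCKET = "my-app-production"

[[services]]
  internal_port = 8080
EOF
fly_env_to_dotenv "$sample"
rm -f "$sample"
```

In a project directory, `write_doppler_import fly.toml doppler-import.env` produces the file for the upload command above. Delete doppler-import.env once the upload succeeds so the values do not linger on disk.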

Secrets

Secrets are encrypted by Fly.io, and once they're set, Fly.io doesn't provide a method of viewing their values anywhere other than inside your deployed application environment. You can view a list of the secret names you have set by running:

flyctl secrets list

If you don't have these values stored elsewhere, you may need to have your application write them somewhere secure where you can access them.

Once you have those values, you can create the secrets in Doppler via the dashboard.

Service Token

To access your Doppler secrets inside your Fly.io application deployment, you'll need to set a DOPPLER_TOKEN secret for your application. This should be set to the value of a Service Token you've created for the Doppler config you want to pull secrets from.

Once you have a Service Token created, you can set this as a secret in Fly.io by running the following command:

flyctl secrets set DOPPLER_TOKEN=dp.st.prd.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

This will ensure your Doppler service token is made available to your deployed Fly.io application so the Doppler CLI can fetch your secrets.

Deployments

Fly.io supports a couple of different build types that are used during a deployment. You can use Heroku-style buildpacks or deploy using Docker images. The default is to build a Docker image using the Dockerfile specified in your project. This is also the method Doppler recommends and will be the focus of this guide.

Dockerfile

The default deployment method if nothing is specified in your fly.toml file is to look for a Dockerfile in the root of your application's directory. If one exists, it will use that to build an image to deploy your application with. As such, the quickest way to get this working is to update your Dockerfile to include the Doppler CLI and then modify the command that executes your application to use doppler run.

You can get detailed instructions on how to do that in our Dockerfile documentation.

Prebuilt Docker Image

You can specify a pre-existing Docker image to use for your deployment in your fly.toml file as described here. This method will be faster than the Dockerfile method described above because Fly.io will simply pull your pre-built image rather than build it from scratch. If you're using this method, then you'll need to update your Dockerfile to include the Doppler CLI and then modify the command that executes your application to use doppler run.

You can get detailed instructions on how to do that in our Dockerfile documentation.

Buildpack

There is currently no official Doppler buildpack that can be used. Using one of the above Docker-based deployment methods instead is recommended.

