Secret Injection with Templates

Some applications require configuration files to run. For example, a database might require a configuration that looks like this:

bind: 127.0.0.1
port: 6379
logfile: log.txt
access:
  user: admin
  password: uRJ5WhRmSZF4dgkk82Kp

This file contains several secrets that need to be in a particular format. We can create a generic template and use doppler secrets substitute to inject our values.

bind: {{.HOST}}
port: {{.PORT}}
logfile: {{.LOGFILE}}
access:
  user: {{.ACCESS_USER}}
  password: {{.ACCESS_PASSWORD}}

Now, we can run doppler secrets substitute with our template:

$ doppler secrets substitute
bind: 127.0.0.1
port: 6379
logfile: log.txt
access:
  user: admin
  password: uRJ5WhRmSZF4dgkk82Kp

The Doppler CLI uses Go's text/template package to perform the substitution. This engine provides some powerful features, including comments and optional blocks:

{{/* Comments won't be shown in the output. */}}
bind: {{.HOST}}
port: {{.PORT}}
{{/* The `logfile` field will only be shown if the LOGFILE secret is defined */}}
{{with .LOGFILE}}
logfile: {{.}}
{{end}}
access:
  user: {{.ACCESS_USER}}
  password: {{.ACCESS_PASSWORD}}

You can find more documentation for this syntax in the Actions section of the text/template documentation.

In addition to the standard actions, two additional Doppler-defined functions are available to you:

  • tojson, which serializes the secret string value as JSON. This is particularly useful for turning multiline strings into single-line quoted strings.
  • fromjson, which parses the secret string as JSON.

$ doppler secrets
┌─────────────────────┬──────────────────────────────────────────────────────────────────┐
│ NAME                │ VALUE                                                            │
├─────────────────────┼──────────────────────────────────────────────────────────────────┤
│ ACCESS              │ {"user": "admin", "password": "uRJ5WhRmSZF4dgkk82Kp"}            │
│ PRIVATE_KEY         │ -----BEGIN RSA PRIVATE KEY-----                                  │
│                     │ MIIJJwIBAAKCAgEAww6PISGwwCRj125/5CNQ5kntc/NdjA7EKmNPY1wol/8ZSgrl │
│                     │ H2Egpj7GghDCsJfoJ7gQu3OtYQJ2j1/txGP44tzZh/lraMQblFqc9r9N8xXU3Y6z │
│                     │ ...                                                              │
│                     │ -----END RSA PRIVATE KEY-----                                    │
│                     │                                                                  │
└─────────────────────┴──────────────────────────────────────────────────────────────────┘

$ cat example.txt
private_key: {{tojson .PRIVATE_KEY}}
{{with fromjson .ACCESS}}
access:
  user: {{.user}}
  password: {{.password}}
{{end}}

$ doppler secrets substitute example.txt
private_key: "-----BEGIN RSA PRIVATE KEY-----\r\nMIIJJwIBAAKCAgEAww6PISGwwCRj125/5CNQ5knt..."
access:
  user: admin
  password: uRJ5WhRmSZF4dgkk82Kp
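
To check a template against dummy values before running it on real secrets, the following added example (not Doppler's code and not part of the original page) rebuilds the substitution with Go's text/template. The `Render` function, the bodies of `tojson` and `fromjson`, and the sample values are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Assumed stand-ins for the page's tojson/fromjson helpers, not Doppler's code.
var funcs = template.FuncMap{
	"tojson": func(v interface{}) (string, error) {
		b, err := json.Marshal(v)
		return string(b), err
	},
	"fromjson": func(s string) (interface{}, error) {
		var v interface{}
		err := json.Unmarshal([]byte(s), &v)
		return v, err
	},
}

// Render fills tmpl from secrets; text/template escapes nothing, so values land verbatim.
func Render(tmpl string, secrets map[string]string) (string, error) {
	t, err := template.New("config").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, secrets)
	return out.String(), err
}

func main() {
	// Constructed dummy values; LOGFILE is deliberately left undefined.
	secrets := map[string]string{
		"PRIVATE_KEY": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----",
		"ACCESS":      `{"user": "admin", "password": "dummy-password"}`,
	}
	for _, tmpl := range []string{
		"private_key: {{.PRIVATE_KEY}}\n",        // raw value spills over three lines
		"private_key: {{tojson .PRIVATE_KEY}}\n", // one quoted line
		"{{with fromjson .ACCESS}}user: {{.user}}\n{{end}}",
		"{{with .LOGFILE}}logfile: {{.}}\n{{end}}port: 6379\n", // block is skipped
	} {
		out, _ := Render(tmpl, secrets)
		fmt.Print(out)
	}
}
```

Because values are inserted verbatim, the unquoted multiline secret breaks the one-key-per-line layout of the file, while the tojson form stays a single quoted string.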

You can save the result to a file with doppler secrets substitute example.txt --output or use the output of the command directly.

For example, you could inject secrets into Kubernetes YAML and pass it directly to kubectl:

kubectl apply -f <(doppler secrets substitute example.yaml)