Secret Injection with Templates

Some applications require configuration files to run. For example, a database might require a configuration that looks like this:

bind: 127.0.0.1
port: 6379
logfile: log.txt
access:
  user: admin
  password: uRJ5WhRmSZF4dgkk82Kp

This file contains several secrets that need to be in a particular format. We can create a generic template and use doppler secrets substitute to inject our values.

bind: {{.HOST}}
port: {{.PORT}}
logfile: {{.LOGFILE}}
access:
  user: {{.ACCESS_USER}}
  password: {{.ACCESS_PASSWORD}}

Now, we can run doppler secrets substitute with our template:

$ doppler secrets substitute
bind: 127.0.0.1
port: 6379
logfile: log.txt
access:
  user: admin
  password: uRJ5WhRmSZF4dgkk82Kp

The Doppler CLI uses Go's text/template package to perform the substitution. This engine provides some powerful features, including comments and optional blocks:

{{/* Comments won't be shown in the output. */}}
bind: {{.HOST}}
port: {{.PORT}}
{{/* The `logfile` field will only be shown if the LOGFILE secret is defined */}}
{{with .LOGFILE}}
logfile: {{.}}
{{end}}
access:
  user: {{.ACCESS_USER}}
  password: {{.ACCESS_PASSWORD}}

You can find more documentation for this syntax in the Actions section of the text/template documentation.

In addition to the standard actions, two additional Doppler-defined functions are available to you:

  • tojson, which serializes the secret string value as JSON. This is particularly useful for turning multiline strings into single-line quoted strings.
  • fromjson, which parses the secret string as JSON.

$ doppler secrets
┌─────────────────────┬──────────────────────────────────────────────────────────────────┐
│ NAME                │ VALUE                                                            │
├─────────────────────┼──────────────────────────────────────────────────────────────────┤
│ ACCESS              │ {"user": "admin", "password": "uRJ5WhRmSZF4dgkk82Kp"}            │
│ PRIVATE_KEY         │ -----BEGIN RSA PRIVATE KEY-----                                  │
│                     │ MIIJJwIBAAKCAgEAww6PISGwwCRj125/5CNQ5kntc/NdjA7EKmNPY1wol/8ZSgrl │
│                     │ H2Egpj7GghDCsJfoJ7gQu3OtYQJ2j1/txGP44tzZh/lraMQblFqc9r9N8xXU3Y6z │
│                     │ ...                                                              │
│                     │ -----END RSA PRIVATE KEY-----                                    │
│                     │                                                                  │
└─────────────────────┴──────────────────────────────────────────────────────────────────┘

$ cat example.txt
private_key: {{tojson .PRIVATE_KEY}}
{{with fromjson .ACCESS}}
access:
  user: {{.user}}
  password: {{.password}}
{{end}}

$ doppler secrets substitute example.txt
private_key: "-----BEGIN RSA PRIVATE KEY-----\r\nMIIJJwIBAAKCAgEAww6PISGwwCRj125/5CNQ5knt..."
access:
  user: admin
  password: uRJ5WhRmSZF4dgkk82Kp
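
The same kind of template rendered directly with Go's text/template, as an added example (not Doppler's own code): the tojson and fromjson helpers here are stand-ins built on encoding/json, and Render, the template text and the sample values are constructed for illustration. It also renders the key without tojson, to show that an unquoted multiline secret spills over several lines of the generated file instead of staying one scalar.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Stand-ins for tojson/fromjson built on encoding/json (assumed behaviour).
var funcs = template.FuncMap{
	"tojson": func(v interface{}) (string, error) {
		b, err := json.Marshal(v)
		return string(b), err
	},
	"fromjson": func(s string) (v interface{}, err error) {
		err = json.Unmarshal([]byte(s), &v)
		return
	},
}

// Render executes tmpl against a name -> value map of secrets.
func Render(tmpl string, secrets map[string]string) (string, error) {
	var out bytes.Buffer
	t, err := template.New("cfg").Funcs(funcs).Parse(tmpl)
	if err == nil {
		err = t.Execute(&out, secrets)
	}
	return out.String(), err
}

// Constructed sample values, not real credentials.
var sample = map[string]string{
	"ACCESS":      `{"user": "admin", "password": "example-password"}`,
	"PRIVATE_KEY": "-----BEGIN KEY-----\nline1\nline2\n-----END KEY-----\n",
}

const tmplText = `private_key: {{tojson .PRIVATE_KEY}}
{{- with fromjson .ACCESS}}
access:
  user: {{.user}}
  password: {{.password}}
{{- end}}
`

func main() {
	quoted, _ := Render(tmplText, sample)
	raw, _ := Render("private_key: {{.PRIVATE_KEY}}\n", sample) // unquoted, for comparison
	fmt.Print(quoted, "---\n", raw)
}
```

The `{{-` markers trim the newline before each action, so the with block leaves no blank lines in the output.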

You can save the result to a file with doppler secrets substitute example.txt --output or use the output of the command directly.

For example, you could inject secrets into Kubernetes YAML and pass it directly to kubectl:

kubectl apply -f <(doppler secrets substitute example.yaml)