I am reading and writing some Doppler secrets from Terraform. Locally this works just awesome because I can just set up my Doppler access token and that's it. Now the Terraform module is applied in the pipeline too and here comes the problem: how do I give the pipeline access to Doppler? I'd love to avoid using my personal access token.
As things stand right now, you either need to create a separate service token that’s used for each service that you test in your CI/CD environment and map them accordingly or you have to use a Personal token (which would have access to all Doppler projects your user has access to). We generally recommend against the latter option due to the fact that personal tokens inherit the write permissions your user account has as well, but having to maintain a separate token for each service can become a bit of a management headache.
We're currently working on a new feature that will let you create custom tokens that can have permission to access multiple configs you specify. This would address your CI/CD scenario exactly. Unfortunately, I don't have an exact date for when this feature will be released, but we expect it to be out later this year. In the meantime, I'm afraid the options I mentioned above are the only ones available for now!
Thanks, I appreciate your answer.
That is indeed a real shortcoming of Doppler and I am really looking forward to the multi-environment/config access tokens.
To give you more context as to why this is really needed IMHO:
If you deploy any sort of app on one of the major cloud providers using Terraform, you may obtain secrets such as connection strings via Terraform too. I'm writing those secrets automatically through Terraform to Doppler. This way devs may obtain them locally for dev purposes (e.g. dev service bus connection strings). Terraform runs in a CI/CD pipeline and thus needs access to Doppler.
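The workflow described in this thread, written out as an added example (not code from the thread or from Doppler): Terraform writes a pipeline-produced connection string into a Doppler config, authenticating with a config-scoped service token that the CI/CD runner injects as an environment variable rather than with a personal token. The project name `my-app`, the config name `dev`, the variable names and the environment variable `TF_VAR_doppler_token` are assumptions.

```terraform
terraform {
  required_providers {
    doppler = {
      source = "DopplerHQ/doppler"
    }
  }
}

# Assumption: the pipeline exports TF_VAR_doppler_token, holding a Doppler
# *service* token scoped to exactly one project/config (here my-app/dev).
# A personal token would carry every project your user can write to.
variable "doppler_token" {
  type      = string
  sensitive = true # keeps the token out of plan/apply output
}

provider "doppler" {
  doppler_token = var.doppler_token
}

# Hypothetical stand-in for a value the same Terraform run obtains from
# the cloud provider (e.g. a dev service bus connection string).
variable "servicebus_connection_string" {
  type      = string
  sensitive = true
}

# Writes the secret into Doppler so developers can pull it locally.
# The service token above must be scoped to this project and config,
# otherwise the apply fails at this resource.
resource "doppler_secret" "servicebus" {
  project = "my-app"
  config  = "dev"
  name    = "SERVICEBUS_CONNECTION_STRING"
  value   = var.servicebus_connection_string
}
```

Because both variables are marked `sensitive`, the secret values are redacted from Terraform's console output, but they are still stored in plain text in the state file, so the pipeline's state backend needs the same access controls as Doppler itself.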