Cross-Project Service Tokens

I did have a look around for other requests, but didn’t see this elsewhere.

It would be handy to be able to have cross-project service tokens where a single service token could read secrets from multiple projects.

We have several Kubernetes clusters, each hosting dozens of projects, and managing service tokens across those clusters/projects will be a pain, even if we automate it with terraform. It would be much more convenient to have a single ephemeral token per cluster (scoped to the appropriate Doppler projects) with access to multiple projects which we can renew as required that works across projects.

I think this would only be appropriate in our situation because we are looking to use the Doppler Operator (or something custom) to delegate the retrieval of secrets on behalf of each application. Using this token directly in each application would be bad.

Hi @Nick_Jackson,

This is actually something we’re already working on! We’re going to be introducing the concept of “Custom Tokens” in addition to our other token types. Those tokens will be customizable (surprise, surprise) when it comes to what they can access. You’ll be able to create a token that has access to multiple projects and configs under those projects. Two of the primary use cases for this are k8s clusters like you mentioned and also CI/CD environments. I’m afraid I don’t have an exact date for when this feature will be released, but we’re aiming for the end of this fiscal year.

In the mean time, one possibility for you would be to create a “service account” (i.e., just a normal Doppler account that isn’t used by a person and is only used for automation). You can then scope that user’s permissions down via Custom Roles and use their Personal Token to perform any actions you need. We don’t recommend this pattern without the use of Custom Roles because otherwise the Personal Token will have too much access (i.e., write access along with any other permissions the user has). Custom Roles is an Enterprise feature though. We do have a billing plan we’re working on that’s a step between Team and Enterprise that allows you to get a single Enterprise feature for an upcharge per user – that may make this an option for you. If you’re interested in that, please contact us through and I can put you in touch with our Sales team.

Waiting for Custom Tokens is also an option though!


:slight_smile: Good to hear.

I had an inkling when I noticed the change to the K8S CRD to pass in the project/config.