I am trying to setup our Dockerfiles to have a single run command as follows:
doppler run -p project-name -c qa -- printenv
The above command works great ^
However, I don’t want to hardcode qa or prod and would prefer to do something like this (so we can have a generic command and the container runner passes in DOPPLER_TOKEN and ENV):
ENV=qa doppler run -p project-name -c $ENV -- printenv
However this is throwing an error:
Unable to fetch secrets from the Doppler API
Doppler Error: Please provide a valid config.
Reading secrets from fallback file
Reading secrets from fallback file
Doppler Error: The fallback file does not exist
Am I just setting up the command incorrectly or is there something deeper going wrong?
Sorry for the confusion @avaitla16.
When embedding the Doppler CLI , you’ll want to set the DOPPLER_TOKEN environment variable when running the container which automatically sets the project and config.
For QA and Prod, you would simply create a service token for each in the Doppler dashboard, save them as individual secrets in your CD tool of choice (e.g. GitHub Actions), then access them as part of your deployment job/script.
Presuming you have a Dockerfile using the CMD form (see docs for more info):
FROM alpine
RUN (curl -Ls https://cli.doppler.com/install.sh || wget -qO- https://cli.doppler.com/install.sh) | sh
CMD ["doppler", "run", "--", "printenv"]
Deploying the QA container:
docker run -d -e DOPPLER_TOKEN=${{ secrets.DOPPLER_TOKEN_QA }} your/image
Deploying the QA container:
docker run -d -e DOPPLER_TOKEN=${{ secrets.DOPPLER_TOKEN_PRD }} your/image
What could we have done better in our documentation to prevent this confusion?
I suspected this was the case. I was just puzzled why when I ran locally with just DOPPLER_TOKEN it wouldn’t work (even when I did doppler logout locally). I think it gets confused with your local project - but why not just work if you have the token I wonder and override all else?
Unable to fetch secrets from the Doppler API
Doppler Error: This token does not have access to requested project '...'
Reading secrets from fallback file
Reading secrets from fallback file
Unable to decrypt fallback file
Doppler Error: cipher: message authentication failed
I wanted to make a single command that will work locally and also work in the docker run command (but I guess it is ok if running locally is different than remotely).
Yeah, things can get confusing when using DOPPLER_TOKEN in your local development environment.
If wanting to simulate QA and Prod locally (using your CLI token), you can still achieve this, you just also need to pass the DOPPLER_PROJECT and DOPPLER_CONFIG environment variables to the container.
You can do this by either running doppler setup prior to running a container, then run the container:
docker run --rm -it --init \
-e DOPPLER_TOKEN="$(doppler configure get token --plain)" \
-e DOPPLER_PROJECT="$(doppler configure get project --plain)" \
-e DOPPLER_CONFIG="$(doppler configure get config --plain)" \
your/image
Or (although this is not ideal), you could hard-code the project and config in the docker run command:
docker run --rm -it --init \
-e DOPPLER_TOKEN="$(doppler configure get token --plain)" \
-e DOPPLER_PROJECT="my-project" \
-e DOPPLER_CONFIG="qa" \
your/image
