How to handle service tokens

Hi all,

What is the best way of storing Doppler service tokens? We don’t have a shared password manager.

Currently we store it in Git, but this isn’t desirable.
I thought of storing them in our hidden Teams channel as Kubernetes secrets manifests, but this is also not a good practice I think.

The last option I could think of is to store it as secrets in Doppler and retrieve it with the CLI, and create a Kubernetes secret that way.

What does the community think?

Hi there!

As you mentioned, using a shared password manager is a pretty common way of tracking service tokens. If you don’t have one of those, then storing your tokens as Doppler secrets that are fetched via CLI would certainly be an option. The thing to watch out for if you do that is keeping them separate from the project configs. You probably don’t want the secrets getting pulled into a project to contain a service token that could then be used to pull secrets via a different account that’s then spread across any applications pulling secrets for that project. Using a branch config or a separate project might be better to store them in if you go that route.
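
A sketch of the approach discussed in this thread, added here as an example and not written by either poster: the service token is read from a dedicated Doppler project with the CLI and piped straight into a Kubernetes secret, so it never lands in Git, a file on disk, or a command-line argument. The project, config, secret and namespace names are hypothetical; it assumes an authenticated `doppler` CLI, a `kubectl` context for the target cluster, and a system where `/dev/stdin` exists.

```shell
#!/bin/sh
# Added example. All names passed to these functions are assumptions.

# Refuse a layout where the token is stored in the very config the
# application pulls from (the caveat raised in the reply above).
# Args: token_project token_config app_project app_config
check_separation() {
    if [ "$1" = "$3" ] && [ "$2" = "$4" ]; then
        echo "service token must not live in the app's own config: $1/$2" >&2
        return 1
    fi
}

# Fetch the token from Doppler and apply it as a Kubernetes secret.
# Args: token_project token_config doppler_secret_name namespace k8s_secret_name
sync_token_secret() {
    token=$(doppler secrets get "$3" --plain --project "$1" --config "$2") || return 1
    if [ -z "$token" ]; then
        echo "Doppler returned an empty value for $3" >&2
        return 1
    fi
    # The value travels over stdin, so it does not show up in `ps` output
    # or shell history. --dry-run=client renders the manifest, and
    # `kubectl apply` makes the operation repeatable on token rotation.
    printf '%s' "$token" |
        kubectl create secret generic "$5" --namespace "$4" \
            --from-file=serviceToken=/dev/stdin \
            --dry-run=client -o yaml |
        kubectl apply -f -
    rc=$?
    unset token
    return "$rc"
}

# Example invocation (hypothetical names):
#   check_separation service-tokens prd myapp prd &&
#   sync_token_secret service-tokens prd MYAPP_SERVICE_TOKEN apps doppler-token
```

The account or token used to run this script needs read access to the token-holding project only, which keeps the application's own configs from ever containing a credential for another project.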