How to sync secrets from Doppler to Postman

Our team uses Postman when interacting with a large number of services, primarily through REST and GraphQL endpoints.

Would it be possible to create an integration to sync secrets from Doppler to Postman?

Or does anyone know a way of doing this today - somehow?

Hi @alexbjorlig,

A full-fledged integration with Postman is something we’d like to make for sure – it’s on our list! In the meantime, you can automate this to some extent using a combination of the Postman API, the Doppler CLI, and our secret injection templates.

Here’s a quick example showing how you can do this via a Bash script.

First, create a new file named postman.tmpl with the following contents:

{
    "environment": {
        "name": "{{.DOPPLER_PROJECT}}-{{.DOPPLER_CONFIG}} (Doppler)",
        "values": [
            {{- $first := true -}}
            {{range $k, $v := .}}
            {{- if not $first }},{{else}}{{ $first = false}}{{end}}
            {
                "key": {{tojson $k}},
                "value": {{tojson $v}},
                "type": "secret"
            }{{end}}
        ]
    }
}

Now create a new file named postman.sh with the below contents and make it executable (chmod +x postman.sh). This script assumes you have a Doppler project named postman with a secret named POSTMAN_API_KEY set in the dev config, that you’re running it on a machine with a CLI token (i.e., you logged in via doppler login), and that you have jq installed. You’ll need to update the following variables with correct values for your environment:

  • SOURCE_DOPPLER_PROJECT
  • SOURCE_DOPPLER_CONFIG
  • POSTMAN_WORKSPACE_ID

#!/usr/bin/env bash

SOURCE_DOPPLER_PROJECT="YOUR_PROJECT_NAME_HERE"
SOURCE_DOPPLER_CONFIG="YOUR_CONFIG_NAME_HERE"
POSTMAN_ENVIRONMENT_NAME="${SOURCE_DOPPLER_PROJECT}-${SOURCE_DOPPLER_CONFIG} (Doppler)"

POSTMAN_API_KEY="$(doppler secrets get -p postman -c dev POSTMAN_API_KEY --plain)"

# curl -X GET \
#   -H "Content-Type: application/json" \
#   -H "X-API-KEY: $POSTMAN_API_KEY" \
#   "https://api.getpostman.com/workspaces"
POSTMAN_WORKSPACE_ID="YOUR_POSTMAN_WORKPLACE_ID"

environments_json="$(curl -s -X GET -H "Content-Type: application/json" -H "X-API-Key: $POSTMAN_API_KEY" "https://api.getpostman.com/environments")"

# Check if Environment exists in Postman already
env_uid=$(echo "$environments_json" | jq --arg env_name "$POSTMAN_ENVIRONMENT_NAME" -r '.environments[] | select(.name == $env_name) | .uid')

if [ -n "$env_uid" ]; then
  # update with new secrets
  echo "Updating existing Environment with Doppler secrets..."

  curl -s -g -X PUT \
    -H "Content-Type: application/json" \
    -H "X-API-KEY: $POSTMAN_API_KEY" \
    "https://api.getpostman.com/environments/$env_uid" \
    --data-raw "$(doppler secrets substitute -p "$SOURCE_DOPPLER_PROJECT" -c "$SOURCE_DOPPLER_CONFIG" postman.tmpl)" | jq .
else
  # create environment
  echo "Creating new Environment..."

  curl -s -g -X POST \
    -H "Content-Type: application/json" \
    -H "X-API-KEY: $POSTMAN_API_KEY" \
    "https://api.getpostman.com/environments?workspace=$POSTMAN_WORKSPACE_ID" \
    --data-raw "$(doppler secrets substitute -p "$SOURCE_DOPPLER_PROJECT" -c "$SOURCE_DOPPLER_CONFIG" postman.tmpl)" | jq .
fi

This will either create a new Postman environment named $DOPPLER_PROJECT-$DOPPLER_CONFIG (Doppler) populated with all the secrets for that config from Doppler or update an existing one.

One caveat worth noting is that if someone modifies the current value of one of the secrets in Postman, it doesn’t appear as though that will get updated properly after that. As such, this is mostly good for an initial sync from what I can tell. As such, it might be better to delete + recreate an Environment to ensure a full sync.

Hopefully, the above is helpful for you! We’ll look at getting this moved into some documentation for reference until we have a proper integration in place!

Let me know if you have any questions!

Regards,
-Joel

This is looking very promising!

When building the official integration there should probably be an option to choose an override/merge strategy.

I might try to convert the bash script you provided to js - my preferred language :sweat_smile: But I think I get the idea behind the script :pray:

Hi @alexbjorlig,

If using JS, our gitops-secrets package makes fetching secrets super simple:

// The DOPPLER_TOKEN environment variable must be set
import { providers } from 'gitops-secrets';
const secrets = await providers.doppler.fetch();
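
Added example, not part of the thread and not Doppler's or Postman's own code: a JavaScript version of the create-or-update flow from postman.sh, with the override/merge choice raised above, that reports the sync by key name only so secret values stay out of logs. It takes the secrets as a plain key/value object (fetching them is left to the caller); the function names are hypothetical, and the GET /environments/{uid} call and its response shape are assumptions about the Postman API that the thread does not show.

```javascript
// Added example, not code from the thread; all function names are hypothetical.
// Turn a { KEY: "value" } secrets object into Postman variables of type
// "secret", the same entries postman.tmpl renders.
function toPostmanValues(secrets) {
  return Object.keys(secrets).sort().map((key) => ({
    key, value: String(secrets[key]), type: 'secret',
  }));
}

// "override": the environment ends up holding exactly the Doppler secrets.
// "merge": Doppler wins on shared keys, variables only in Postman are kept.
function planValues(existing, secrets, strategy) {
  const fromDoppler = toPostmanValues(secrets);
  if (strategy === 'override') return fromDoppler;
  if (strategy !== 'merge') throw new Error(`unknown strategy: ${strategy}`);
  const kept = existing.filter((v) => !Object.hasOwn(secrets, v.key));
  return [...fromDoppler, ...kept];
}

// Summarise a planned sync by key name only, so values never reach a log.
function diffKeys(existing, planned) {
  const before = new Map(existing.map((v) => [v.key, v.value]));
  const after = new Map(planned.map((v) => [v.key, v.value]));
  const keys = [...after.keys()];
  return {
    added: keys.filter((k) => !before.has(k)),
    changed: keys.filter((k) => before.has(k) && before.get(k) !== after.get(k)),
    removed: [...before.keys()].filter((k) => !after.has(k)),
  };
}

// Same create-or-update flow as postman.sh (Node 18+ for global fetch).
// Assumption: GET /environments/{uid} returns { environment: { values } }.
async function syncEnvironment({ apiKey, workspaceId, name, secrets, strategy }) {
  const headers = { 'Content-Type': 'application/json', 'X-API-Key': apiKey };
  const call = async (method, path, environment) => {
    const body = environment && JSON.stringify({ environment });
    const res = await fetch('https://api.getpostman.com' + path, { method, headers, body });
    if (!res.ok) throw new Error(`${method} ${path}: HTTP ${res.status}`);
    return res.json();
  };
  const found = (await call('GET', '/environments')).environments.find((e) => e.name === name);
  const existing = found
    ? (await call('GET', `/environments/${found.uid}`)).environment.values : [];
  const values = planValues(existing, secrets, strategy);
  if (found) await call('PUT', `/environments/${found.uid}`, { name, values });
  else await call('POST', `/environments?workspace=${encodeURIComponent(workspaceId)}`, { name, values });
  return diffKeys(existing, values);
}
```

With `strategy: 'override'` the PUT replaces the whole variable list, so anything added by hand in Postman shows up under `removed` in the returned summary.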