I started using Doppler today and I added several secrets to prd and ran the server; they work well.
After that, I added 4 new secrets and they are not being passed to the container (the first group of secrets are being passed, the last 4 added secrets are not being passed).
When I run:
doppler run -- sudo docker-compose up -d
I get:
WARNING: The NAME_OF_SECRET_ONE variable is not set. Defaulting to a blank string.
WARNING: The NAME_OF_SECRET_TWO variable is not set. Defaulting to a blank string.
WARNING: The NAME_OF_SECRET_THREE variable is not set. Defaulting to a blank string.
WARNING: The NAME_OF_SECRET_FOUR variable is not set. Defaulting to a blank string.
The weird thing is that if I run doppler secrets I can see the secrets in the server’s console but they are not passed anyway.
I already checked for typos and even tried to set the secret from the console and the issue persists.
What you’re running into here is that you need to explicitly mention the new variables you want to pass to your containers in your docker-compose.yml file as mentioned here when you’re executing docker-compose as the doppler run command like that. An alternate option is to bake the Doppler CLI into your container images and then just pass through the appropriate DOPPLER_TOKEN to each container. The image would then execute its process using doppler run internally with the access token you pass in. This method is also discussed at the previously linked page!
This is the fun part, the new variables are mentioned in the docker-compose.yaml file (and I already checked the spelling). In fact, the reason to get the message:
WARNING: The NAME_OF_SECRET_ONE variable is not set. Defaulting to a blank string.
Is because NAME_OF_SECRET_ONE is mentioned in the compose file but is not being passed.
I’m not a fan of that solution because I have several images in my compose file and don’t want to share secrets between them. IMO, each image should only be aware of its own secrets.
EDIT:
Oh, I saw in the article how to have multiple services with the images solution. Anyway, I still prefer the other solution as that solution wouldn’t alter my current workflow and keeps images lighter. I can change it if there is no alternative but that would be weird. My current setup is supposed to work, I guess.
@someguy Are you able to paste in your docker-compose.yml (redacting anything sensitive)? Also, could you run doppler secrets --only-names and paste that here as well (feel free to redact any sensitive names or secrets that aren’t relevant to the issue at hand).
The Doppler CLI is creating an environment in which it injects all the values as environment variables, but it is then told to sudo the command to be executed, and sudo by default creates a new environment to operate in based on the root account. Depending on your environment, the following command may work:
doppler run -- sudo -E docker-compose up -d
Here is the quote from the man page on an Ubuntu system:
-E, --preserve-env
Indicates to the security policy that the user wishes to preserve their existing environment variables. The security policy may return an error if the user does not have permission to preserve the environment.
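A diagnostic for the behaviour discussed in this thread, added here as an example and not posted by any participant: it lists the variables a compose file references and reports which ones are missing from the environment a wrapper command hands on. The function names, the sample compose file and its variable names are hypothetical, and `env -i` is used as a stand-in for sudo's environment reset so the script runs without root.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): which ${VAR} references in a compose
# file are missing from the environment that a wrapper such as sudo passes on?

# Print each distinct name referenced as $NAME, ${NAME} or ${NAME:-default}.
compose_vars() {
    grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*' "$1" | tr -d '${' | sort -u
}

# missing_vars FILE [WRAPPER...]: run `WRAPPER env`, then print every name
# referenced in FILE that is absent from that environment.
missing_vars() {
    file=$1; shift
    seen=$("$@" env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p')
    for name in $(compose_vars "$file"); do
        printf '%s\n' "$seen" | grep -qxF "$name" || echo "$name"
    done
}

# Constructed sample compose file; service and variable names are hypothetical.
sample=$(mktemp)
cat >"$sample" <<'EOF'
services:
  api:
    image: example/api
    environment:
      - DB_PASSWORD=${DB_PASSWORD}
      - API_KEY=${API_KEY:-}
  worker:
    image: example/worker
    environment:
      - QUEUE_TOKEN=${QUEUE_TOKEN}
EOF

# Stand-ins for the values `doppler run` injects into its child process.
export DB_PASSWORD=x API_KEY=y QUEUE_TOKEN=z

echo "missing when run directly:"
missing_vars "$sample"
# Assumption: `env -i` models sudo's default environment reset. With real sudo,
# pass `sudo` or `sudo -E` as the wrapper instead.
echo "missing after an environment reset:"
missing_vars "$sample" env -i PATH="$PATH"
```

Sourced in a shell started by `doppler run`, `missing_vars docker-compose.yml sudo` and `missing_vars docker-compose.yml sudo -E` show which names each invocation would leave unset for docker-compose.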