Within CD pipelines, we often need to pull secrets from Doppler using a long-lived DOPPLER_TOKEN. This token is long-lived and gets stored in a pipeline environment variable. CI/CD vendors are being increasingly targeted with breaches leaking secrets like these. Last year CircleCI had an incident where they advised all their customers to rotate secrets stored in pipeline environment variables. To mitigate breaches of this nature it would be great if Doppler could provide support for generating an ephemeral Doppler token using OIDC. This would mean we would no longer need long-lived credentials in CD pipelines and could generate short-lived tokens to retrieve secrets from Doppler where needed.
@RobGodfrey Just wanted to chime back in to let you know that we just shipped OIDC support! You can get more information about this here:
It’s available on the Team and Enterprise plans.
Excellent, thank you for the update. We will take a look.