Permissions Error deploying Staging to Docker

Hello,

I am working closely with another developer on my team to implement Doppler in our Staging and Production environments. We use Docker containers when deploying to Staging and Production. I am hoping to get it working in Staging before attempting to implement it on Production and we have not had any success just yet. We have reviewed the documentation on Doppler + Docker as well as Doppler + Docker Compose. Whenever we try to deploy our application to our staging server though we are met with the following error:

Unable to create config directory /.doppler
Doppler Error: mkdir /.doppler: permission denied

Initially we were running a Debian server but my colleague changed it to Alpine. Either way the same error is occurring. It seems permissions-related and we can’t find anything about that in the documentation.

Does anyone have any experience with this issue or have any suggestions to help us get past it? Any insight is greatly appreciated.

-Thanks

Hi @douglasc0leman!

By default, the Doppler CLI stores its config file at ~/.doppler/.doppler.yaml. In your case, it seems like that location is /.doppler/.doppler.yaml. If that location isn’t writable in your container, then you’ll see this message. You can adjust where it’s stored using the --config-dir parameter and/or adjusting the HOME environment variable before executing the CLI. Could you give that a try and let me know how it goes?

Regards,
-Joel

1 Like
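An added example (not from the original thread or from Doppler's documentation) of the fix described above: an entrypoint helper that chooses a writable, private config directory instead of letting the CLI fall back to /.doppler. The function names, the temporary-directory fallback and the `java -jar /app/app.jar` command line are assumptions.

```shell
#!/bin/sh
# Added example: pick a writable, private config directory for the Doppler CLI.
# Assumption: the container runs as a non-root user whose HOME is unset or "/",
# which is how the CLI ends up trying to create /.doppler.

# Print a directory the current user can write to, with mode 0700.
doppler_config_dir() {
    base="${HOME:-}"
    # An empty HOME or HOME=/ is the situation behind the error message.
    if [ -n "$base" ] && [ "$base" != "/" ] && [ -d "$base" ] && [ -w "$base" ]; then
        dir="$base/.doppler"
        mkdir -p "$dir" && chmod 700 "$dir" || return 1
    else
        # Fallback: a fresh per-run directory; mktemp -d creates it with mode 0700.
        dir=$(mktemp -d "${TMPDIR:-/tmp}/doppler.XXXXXX") || return 1
    fi
    printf '%s\n' "$dir"
}

# Hypothetical entrypoint: start the application with secrets injected.
start_app() {
    cfg=$(doppler_config_dir) || { echo "no writable config dir" >&2; return 1; }
    exec doppler run --config-dir "$cfg" -- java -jar /app/app.jar
}

# Only start the app when the script is invoked as "entrypoint.sh start".
case "${1:-}" in
    start) start_app ;;
esac
```

This keeps the container running as an unprivileged user; making `/` writable or switching the container to root would also silence the error but widens what the process can touch.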

My colleague figured it out with your help. But that leads me to one more issue I’m facing and I’m hopeful you may have some inkling as to what might be going on:

We use OAuth2 via Azure to log in to our app with Microsoft credentials. That said, I have a client ID secret that differs from Dev to Stg. What’s odd is my colleague has the docker container with my JAR file running but when I hit the Microsoft login, it’s giving me this error:

[Image: screenshot of the Microsoft login error, client ID redacted]

The client ID in the error that is redacted happens to be the client ID from my Dev environment secrets (not stg!). I asked my colleague if they are using the Service Token I created for Stg environment and they said yes. So I had them do a “doppler secrets” and it shows all of my Stg secrets (good!). What’s odd is, how is it getting my client ID from the Dev environment if he is using my Service Token for stg? Have you run across a similar issue or have ideas what might cause this?

-Thanks

Where did they run doppler secrets from? I can think of a couple different things that could be going on here.

First, it could be that the container is actually using a service token from your dev config and they ran doppler secrets outside the container where it was hitting the staging environment.

Second, it could be that DOPPLER_TOKEN is getting set in the environment somewhere in an unexpected way such that when your app executes it uses dev secrets, but that token isn’t set when using the CLI.

Third, it could be that the client ID secret is being set outside of Doppler in a way that’s causing it to override what’s being pulled from Doppler.

Double-check with them to make sure they were testing doppler secrets from inside the container. Then also have them run env inside the container to see if any secrets are already set there. Finally, make sure when they’re connecting to the container that they’ve switched to the same user the application is executing as since that could impact what environment variables are being set.

1 Like
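An added example (not part of the original replies) of the environment check suggested above: instead of running `env` in a fresh shell, it reads the environment the application process was actually started with and prints a short SHA-256 fingerprint of each value, so two people can compare Dev and Stg values without pasting secrets. The function names, PID 1 and `AZURE_CLIENT_ID` are assumptions.

```shell
#!/bin/sh
# Added example: report which secret-bearing variables a process was started
# with, showing a fingerprint instead of the value.
# Usage inside the container, as root or as the app's user (PID and the second
# variable name are assumptions):
#   env_report /proc/1/environ DOPPLER_TOKEN AZURE_CLIENT_ID

# Hash stdin with whichever SHA-256 tool is installed; print 12 hex digits.
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -c1-12
}

# env_report FILE NAME...
# FILE holds NUL-separated NAME=value records, the format of /proc/<pid>/environ.
# Values containing newlines are not handled.
env_report() {
    file=$1; shift
    for name in "$@"; do
        if tr '\0' '\n' <"$file" | grep -q "^${name}="; then
            # Keep the first record for NAME and strip the "NAME=" prefix.
            value=$(tr '\0' '\n' <"$file" | sed -n "s/^${name}=//p" | head -n 1)
            printf '%s set sha256:%s\n' "$name" "$(printf '%s' "$value" | fingerprint)"
        else
            printf '%s unset\n' "$name"
        fi
    done
}
```

A variable that shows as set here but is absent from an interactive shell's `env` (or the reverse) points at the second or third cause listed in the reply.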

So I am thinking it is the 3rd option you suggested. I did a search for my whole project (backend and frontend) for the value of the dev secret client id and found it showing up in a cache folder in my Node_Modules as well as in my main..js file in my frontend’s build->static->js directory (screenshot below). I was able to delete my Node_modules folder and do a yarn install and that seemed to clear any of the secrets that were returning in the cached folder; however, I’m still left with this in my main..js file:

First redaction is the dev secret for client id, second redaction is dev secret for tenant id, and I underline that it is using a redirect URI of localhost:8080 (a dev configuration not a staging one).

Do you think this may be the culprit? And if so do you have any suggestions as to how I make it so these values are not cached or stored incorrectly in my main..js file? This is the only thing I can think of that could be causing this as of now. Still investigating. Thanks for any feedback!

Ok I figured it out and it was an oversight on my behalf. Hopefully if anyone encounters something similar this thread can help.

I needed to go to my frontend directory, do a doppler setup, change environments, do a doppler secrets to make sure everything was right, and then do my mvn clean install (build process) for the whole JAR file. As you saw in the previous screenshot, if I don’t do that it is still using my DEV secrets from my doppler setup where I selected dev rather than stg. It was building those secrets into my main.js file and doing this order of operations before building is what solved my issue.

It seems pretty straightforward now and I’m surprised I missed that step. Thanks @watsonian for helping me through multiple issues! I really appreciate it.
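An added example (not from the original thread) of a pre-deploy check for the root cause found here: values chosen at build time are compiled into the frontend bundle, so a bundle built against Dev keeps Dev's client ID and redirect URI wherever it is deployed. The function name and the sample values are assumptions; `build/static/js` is the directory named in the thread.

```shell
#!/bin/sh
# Added example: fail a staging build when the compiled frontend still carries
# values from another environment.

# bundle_check DIR EXPECTED FORBIDDEN...
#   DIR        directory with the compiled JS (build/static/js in the thread)
#   EXPECTED   string that must appear, e.g. the staging client ID
#   FORBIDDEN  strings that must not appear, e.g. the dev client ID, localhost:8080
# Prints offending file names only, never the matched text. Returns 0 if clean.
bundle_check() {
    dir=$1; expected=$2; shift 2
    status=0
    # -F: fixed string (no regex), -r: recurse, -q: quiet.
    if ! grep -rFq -- "$expected" "$dir"; then
        echo "expected value not found in $dir" >&2
        status=1
    fi
    for needle in "$@"; do
        # -l lists matching file names so the value itself is not echoed to logs.
        hits=$(grep -rFl -- "$needle" "$dir" || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/forbidden value found in: /' >&2
            status=1
        fi
    done
    return $status
}
```

Run after the build and before the image is pushed, this turns a stale `doppler setup` selection into a failed pipeline step rather than a login error on the deployed environment.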