Pull Request Previews

mattste · August 3, 2022, 12:43am

I’m working on creating pull request previews support for my team. The goal is to create a config branch per pull request preview. This allows developers to customize secrets for just their own pull request preview.

We have a service token that was generated and stored in our CI’s secrets store:

doppler configs tokens create --access "read/write" --config pr_preview --project overwatch --name pr-preview-token --plain

We then try to create a config branch:

doppler configs create --environment pr_preview --name pr_preview_test_v0 --project my-project --token pr-preview-token-value-here

This outputs the following error:

Unable to create config
Doppler Error: You do not have write access.

Is there a way to grant a service token the ability to create configs?

ryan-blunden · August 3, 2022, 12:53am

Hi @mattste and welcome to the Doppler community!

Unfortunately not. Service tokens only allow secrets write access to a single config and cannot be used to modify the structure of a project.

A personal token will allow you to do what you’re after but exercise great care as it grants the same level of access as the user account it belongs to.

We are investigating more flexible permission models but for now, a personal token is your best bet for automating the creation of Doppler branch configs.

mattste · October 26, 2022, 10:46pm

Circling back here as I revisited this. It’d be ideal to have organization level scoped service tokens. Ideally, the following flow is supported:

Create an org level service token whose only permission is to create projects (ex. pull-request-1000-preview) and generate a service token for the created project
Use the generated service token to create configs for the project, set secrets and generate another service token that is read-only.

watsonian · November 7, 2022, 3:56pm

@mattste We’re actually working on a feature that will allow you to create custom tokens that have configurable permission sets. These will be workplace-level tokens, so it be almost exactly what you’re looking for here!

jcprz · July 27, 2023, 3:21pm

I know my question doesn’t fall into the same category (access-related) than the original one, but I’m trying to integrate Doppler (DSO) on k8s and I templated the DopplerSecret manifests with helm for deploying my apps. The thing is that for a Pull Request Preview env I don’t see the ability of having branching configs set up there. I need to branch from say my root develop config and create this ephemeral environment based on this one (le’ts call it develop_preview-pr-15) and have this environment to interact with this ephemeral branched config which can be deleted easily as well using the CLI. Should I create a separate discussion for this? just let me know. Thank you!

watsonian · July 27, 2023, 3:33pm

@jcprz Probably this should be a separate post, but I can reply here. What you’re looking for will need some outside automation, but should be achievable using a Service Account with appropriate permissions set. It would need to have Admin permissions on the project to be able to create and delete branch configs. Outside of that, you’d need to generate and apply a DopplerSecret in k8s for your preview app to use.

If you describe what you’re doing in more detail, I can see if I can give you any additional pointers.

Topic		Replies	Views
Cross-Project Service Tokens Feature Requests	2	792	September 15, 2022
K8S - Service token management Discussions	1	571	December 22, 2022
Access to doppler secrets in CI/CD pipeline Need Help	2	688	July 3, 2022
Token Change Proposal Feature Requests	2	390	September 2, 2023
Monorepo access token setup tedious Feature Requests	16	2879	August 27, 2024

Pull Request Previews

Related topics