Pull Request Previews

I’m working on creating pull request previews support for my team. The goal is to create a config branch per pull request preview. This allows developers to customize secrets for just their own pull request preview.

We have a service token that was generated and stored in our CI’s secrets store:

```
doppler configs tokens create --access "read/write" --config pr_preview --project overwatch --name pr-preview-token --plain
```

We then try to create a config branch:

```
doppler configs create --environment pr_preview --name pr_preview_test_v0 --project my-project --token pr-preview-token-value-here
```

This outputs the following error:

```
Unable to create config
Doppler Error: You do not have write access.
```

Is there a way to grant a service token the ability to create configs?

Hi @mattste and welcome to the Doppler community!

Unfortunately not. Service tokens only allow secrets write access to a single config and cannot be used to modify the structure of a project.

A personal token will allow you to do what you’re after but exercise great care as it grants the same level of access as the user account it belongs to.

We are investigating more flexible permission models but for now, a personal token is your best bet for automating the creation of Doppler branch configs.
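The following is an added example, not part of the original posts and not Doppler's own code: a CI helper that uses the personal token only to create the branch config, then hands the preview deployment a read-only service token scoped to that one config. The function names, the `preview-<PR>` token name and the `pr_preview_<PR>` naming scheme are assumptions; the token is read from the `DOPPLER_TOKEN` environment variable so it never appears in the process argument list.

```shell
#!/bin/sh
# Added example (hypothetical helper names). The personal token is supplied by the
# CI secret store as DOPPLER_TOKEN, which the Doppler CLI reads from the environment.

# Build a config name such as pr_preview_1000. Only digits are accepted, so a
# contributor-controlled value (branch name, PR title) never reaches the CLI arguments.
pr_config_name() {
  env_slug=$1
  pr=$2
  case $pr in
    '' | *[!0-9]*) echo "invalid PR number" >&2; return 1 ;;
  esac
  printf '%s_%s\n' "$env_slug" "$pr"
}

# Create the branch config, then print a read-only service token for it on stdout.
create_pr_config() {
  project=$1
  env_slug=$2
  pr=$3
  [ -n "${DOPPLER_TOKEN:-}" ] || { echo "DOPPLER_TOKEN is not set" >&2; return 2; }
  name=$(pr_config_name "$env_slug" "$pr") || return 1

  # Structural change: this step needs the personal token.
  doppler configs create --environment "$env_slug" --name "$name" \
    --project "$project" >/dev/null || return 3

  # The deployment only needs to read secrets from this one config.
  doppler configs tokens create --access "read" --config "$name" \
    --project "$project" --name "preview-$pr" --plain
}
```

Keep the personal token in the job that runs this helper and pass only the printed service token on to the preview environment.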

Circling back here as I revisited this. It’d be ideal to have organization level scoped service tokens. Ideally, the following flow is supported:

  1. Create an org level service token whose only permission is to create projects (ex. pull-request-1000-preview) and generate a service token for the created project
  2. Use the generated service token to create configs for the project, set secrets and generate another service token that is read-only.

@mattste We’re actually working on a feature that will allow you to create custom tokens that have configurable permission sets. These will be workplace-level tokens, so it will be almost exactly what you’re looking for here!