Read secret from file in Docker Compose

Hello, My apologies as I am still learning doppler and docker compose. Is it possible to read doppler secret from a file, possibly fallback file or doppler secrets download? In my docker-compose.yml when using ${Var} it’s grabbing from doppler and works, however I can see the password when looking at the ENV. I would like to keep it out of it. When testing with Docker Swarm the option for secrets is available and can read from /run/secrets, however I will not be using Docker Swarm. I tried dropping the secret file in the directory, but it did not work. Any advise would be greatly appreciated.

Hi @RayBishopTN!

You might want to take a look at the --mount flag for the doppler run command. Essentially what it does is create a named pipe on the filesystem that acts similar to a file. When something tries reading the pipe, it sends a request to Doppler, fetches the secrets, and sends through for the read. This has the benefit of meaning your secrets are never actually stored on disk. You can also limit the number of reads that can be performed before the pipe is removed. Here’s an example of how it works:

doppler run -p PROJECT -c CONFIG --mount .env --format env -- your-application-executable-here

Keep in mind that you’d need to execute this from inside your containers though since there’s only a single mount file per doppler run. The downside to this is that some applications don’t like named pipes (as an example, I believe python’s dotenv library doesn’t play nice with it), but most applications should work fine with it. Additionally, this will mean every time your container starts it’ll need to make a request to Doppler.

Another option here would be to use our encrypted secret fallback files. You could create one and include it in your Docker image build process as described here and then run your app inside the container using doppler run with the --fallback and --fallback-only flags.

Will either of those work for you?


Hello @watsonian, sorry for the late response. I have been trying to wrap my head around this. I have tried both options and still struggling. When using the command to mount, I can cat the .env file and it returns the Doppler config, environment, project, and along with my secret. The issue is I am not sure how to translate into my docker-compose file. if I use ${WEBPASSWORD} I get the following message.
WARNING: The WEBPASSWORD variable is not set. Defaulting to a blank string.
ERROR: /dockerFS/piHole/.env is not a file.
Debug: Deleting secrets mount /dockerFS/piHole/.env
Doppler Error: exit status 1

I tried using the encrypted secret fallback file and I can download the secret and use both fallback commands and it somewhat works. By somewhat works I mean that it will set the password to what the base64 string is. I can cat the .json file and use the info it returns. Should I not be able to see the secret vs the base64? I am using the token I downloaded the secret with.

Sorry for all the questions and I am sure this is my lack of knowledge and still learning. I appercaite the help.

Hi @RayBishopTN!

For both of those solutions, you’ll need to add the Doppler CLI to your docker images and then update the command being run to execute using either doppler run --mount or doppler run --fallback <path> --fallback-only. With regard to the --mount option, the error you’re seeing seems like it might be the dotenv library you’re using being picky about the file itself:

ERROR: /dockerFS/piHole/.env is not a file.

Technically, it really isn’t a file – it’s a named pipe. We’ve seen some libraries be very picky about that and refuse to use them even though they work in an identical fashion. That could be what’s going on here assuming the file is available at runtime and your app is printing that message.

With regard to the fallback file – it will always have encrypted contents. If you run using doppler run --fallback <file> --fallback-only -- <your-app-command>, then it’ll decrypt the JSON file at runtime and inject the secrets into the environment of the app it’s starting. So, your app should be seeing the secrets in it’s environment if you’re doing that.


Hello, @watsonian, thank you again for taking the time to help. The dotenv library may be picky or I’m still doing something wrong. Currently, I’m going to focus on the fallback option. I am trying to understand it more. So for example, if I run the command “doppler run --fallback file.json --fallback-only – – cat file.json” should I be able to see the content in the .json file, or will I see only the encrypted string?


Give this a shot. First, run this:

doppler secrets download -p PROJECT_NAME -c CONFIG_NAME

That will create a doppler.json file encrypted using the Doppler service token you’re using (in the above case, it would be your CLI token). Only the same token can be used to decrypt it later. If you need another token to be able to, then you can use the --passphrase flag like this:

doppler secrets download --passphrase YOUR_PASSPHRASE_HERE -p PROJECT_NAME -c CONFIG_NAME

You can also set the passphrase in the environment by setting DOPPLER_PASSPHRASE.

Now, to use this fallback file, you would run this command:

doppler run -p PROJECT_NAME -c CONFIG_NAME --fallback doppler.json --fallback-only -- printenv

That will print out the current environment, which should include the decrypted secrets from the fallback file. The process doesn’t decrypt the file on-disk. It decrypts it in-memory and then injects the decrypted environment variables into the process it’s starting.

Let me know if you have any other questions about that!