Understanding Fallback files

Hi everyone,

Really enjoying using doppler. It would be great if you could clear a small doubt of mine.

As stated in this link,

Every time you run doppler run – ./your-command-here the command-line tool will automatically create a snapshot of your latest secrets and store it in an encrypted file. Then when we are unable to connect to the API, like if you are doing local development on a plane, the Doppler CLI will smartly fallback to this snapshot. The snapshot lives outside of your working directory in a dedicated folder managed by Doppler to ensure it is never committed to your git history.

So basically any service running on Doppler would download the fallback file as a backup, right?
But the below screenshot is confusing me a little bit-

Why we need to download a fallback file specifically for Dockerfiles, shouldn’t doppler automatically download the fallback file in case of docker as well, as stated in the first link? Why do i need to write -

RUN doppler secrets download doppler.encrypted.json
ENTRYPOINT ["doppler", "run", "--fallback=doppler.encrypted.json", "--"]

and not just

ENTRYPOINT ["doppler", "run", "--"]

Shouldn’t the second command work as well if the doppler API is down; since it downloads the fallback file once doppler run is passed?

Hi @ anmay and welcome to the Doppler community!

Sorry for the confusion here and I’ll definitely revise our docs to make this easier to understand in the future.

In reference to this code:

RUN doppler secrets download doppler.encrypted.json
ENTRYPOINT ["doppler", "run", "--fallback=doppler.encrypted.json", "--"]

It’s done in this way to make it clear in the Dockerfile that we’re intentionally creating a secrets fallback file but really, any command that causes secrets to be fetched from Doppler will also create the fallback file.

To illustrate, you could replace the above two lines with the following:

RUN doppler run -- echo "creating fallback file"
ENTRYPOINT ["doppler", "run", "--"]

The end result is exactly the same, but in this case, we’re letting the CLI save the fallback file to its default location.

Does that clear things up?

Ah alright, so with the first command

RUN doppler secrets download doppler.encrypted.json
ENTRYPOINT ["doppler", "run", "--fallback=doppler.encrypted.json", "--"]

I can basically customize the location where I need to store the fallback file, right?

I can basically customize the location where I need to store the fallback file, right?

Yes, exactly. That’s the primary benefit of that approach.

There’s one other benefit, which is that Docker containers are generally ephemeral. This means that any changes made to the image won’t persist for the next run. So a fallback file will be generated when calling doppler run, but it’ll be erased before your next container invocation (i.e. the next doppler run). By saving the fallback file during the build phase, you’re ensuring that it’ll be persisted in the image.