Hi Everyone,
Just started to use Doppler and I have made a PoC of the Doppler CLI in a Dockerfile and it looks quite nice, especially the doppler secrets inside the pods! Nice work guys!

However, I need to implement this for all my micro services per environment and if I have 20 microservices I will need to have 20 service accounts which means 20 k8s secrets as far as I understood from the PoC! Is there an easier way like having one master service account per env that authenticates all the other service accounts? Maybe the Secret Operator does that?
Can you please tell me what’s the best practice here?
Thanks in advance for the help 
Hi @Niedman!
Welcome to the Doppler Community!
We actually are in the process of releasing something just for this – Service Accounts! It’s currently available upon request in a beta form until it goes full GA. Essentially, you create a service account (which is tied to the workplace), assign its permissions, and then add it to whatever projects+configs you like as if it were a user. You can then generate tokens for the SA that will have access to all of those projects+configs with the configured permissions.
Send us an email at support@doppler.com and mention which workplace you want this enabled on and I’ll get it turned on for you!
Regards,
-Joel
Edit: I wanted to add that the Service Accounts feature will only be available for Team and Enterprise workplaces.
Hi @watsonian,
Thanks a lot for the quick reply!
I will send an email and give it a try
Have a great day,
_Niedman
Service Accounts are now generally available! All workplaces on either the Team or Enterprise plans will have access to them automatically now!
Hi @watsonian ! 
This is great! However I was wondering if it could be possible to achieve something like this :
- I have 20 micro-services and each one has a corresponding Doppler project
- I have three environments (dev, stg, prd)
- I want to be able to add only one service account token (in a k8s secret) per environment, for convenience
- I want to be able to create a DopplerSecret per micro-service to provide them their secrets
- I want to be able to filter what project I want to sync in the DopplerSecret object, so only those secrets will be synced with the corresponding micro-service

Here’s an example of the DopplerSecret configuration I’m thinking about:
```yaml
apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: doppler-token
  namespace: doppler-operator-system
spec:
  tokenSecret:
    name: doppler-service-account-dev-token
    namespace: doppler-operator-system
    project: micro-service-a
  managedSecret:
    name: micro-service-a
    namespace: micro-service-a
```
This way any new project will automatically be available through the service account token, and I’ll only have to create the corresponding DopplerSecret object to start syncing its secrets.
Does this make sense to you?
Let me know if you want further details,
Cheers! 
Hi @Grraahaam!
What you’re describing is already possible! You can create a service account with access to all projects and environments that you want, or you can create one service account for each environment (e.g., dev, stg, prd). Once you have that, you can create a single k8s secret containing the token for each of those service accounts and then use that secret in each of your DopplerSecret objects, which already support specifying a project and config like this:
```yaml
apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: dopplersecret-test
  namespace: doppler-operator-system
spec:
  tokenSecret:
    name: doppler-token-secret
  project: your-project-name-here
  config: your-config-name-here
  managedSecret:
    name: doppler-test-secret
```
So, similar to your example, but the project and config entries are one level up.
-Joel
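The layout described in the answer above (one token secret per environment, one DopplerSecret per microservice), as an added example that is not part of any post in this thread and is not Doppler's own code. It assumes the token secret is named `doppler-service-account-<env>-token` (generalised from the name in the question), that each Doppler project, managed secret and target namespace share the microservice's name, and that each config is named after its environment.

```python
# Added example: names below are assumptions taken from or modelled on the thread.
import re

ENVIRONMENTS = ("dev", "stg", "prd")           # the three environments in the thread
OPERATOR_NS = "doppler-operator-system"        # namespace used in both manifests above
DNS_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")  # Kubernetes name rule

TEMPLATE = """\
apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: {service}
  namespace: {operator_ns}
spec:
  tokenSecret:
    name: {token_secret}
  project: {service}
  config: {env}
  managedSecret:
    name: {service}
    namespace: {service}
"""

def token_secret_name(env):
    """One k8s secret per environment holds that environment's service account token."""
    if env not in ENVIRONMENTS:
        raise ValueError(f"unknown environment: {env!r}")
    return f"doppler-service-account-{env}-token"

def render(env, service):
    """Return the DopplerSecret manifest for one microservice in one environment."""
    # Reject anything that is not a plain DNS label so a crafted service name
    # cannot inject extra YAML keys or documents into the manifest.
    if not DNS_LABEL.fullmatch(service):
        raise ValueError(f"invalid service name: {service!r}")
    return TEMPLATE.format(service=service, env=env, operator_ns=OPERATOR_NS,
                           token_secret=token_secret_name(env))

def render_all(env, services):
    """Return a multi-document YAML stream, one DopplerSecret per distinct service."""
    return "---\n".join(render(env, s) for s in sorted(set(services)))

if __name__ == "__main__":
    # Constructed sample input: three of the twenty microservices, dev environment.
    print(render_all("dev", ["micro-service-a", "micro-service-b", "micro-service-c"]))
```

With one service account per environment, a token read out of the dev cluster secret can only reach the projects and configs that service account was granted in Doppler, so keep each account's access limited to its own environment's configs.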