What's the de facto standard to auto-rotate Doppler's service token

Hey, community. Thinking about automating my company’s Doppler service token rotation.
Is there any de facto standard or go-to solution?

To be sure we’re on the same page, I aim to auto-rotate the service token that grants access to our Doppler config, not auto-rotate a secret hosted in Doppler.

Thanks for your help.

@jjrdn Could you describe your use case in a bit more detail? Depending upon what you’re doing, using OIDC might be a solid option so you don’t even have to worry about rotating tokens. This does require being on the Team or Enterprise plan, though.

Hey, Joel. Thanks for your reply.

I’m afraid we need something more long-lived since we use Doppler to load our app config at runtime on AWS ECS. Something like:

doppler run -- node index.js

I hope that makes sense.

Well, unless you’re using the --watch flag (also requires a Team or Enterprise plan), then the CLI will just make an API request at start time to fetch secrets and then inject them into the environment of your application. It doesn’t need a token that lives longer than that initial fetch time. Since whenever the app restarts it would perform a new doppler run invocation, it would have a fresh credential to make that request. So, really, you don’t need long-lived credentials for that.