Writing Google Application Credentials in Forge

I’m trying to write a GCP app credentials JSON file on a Laravel Forge provisioned server.

This is what’s in my Forge deployment script (pretty much the first example in the CLI docs)…

doppler secrets get GOOGLE_SERVICE_ACCOUNT --plain > ./google-service-account.json

I’m trying to set the token using a Recipe, which is a separate script which runs across the servers, but it doesn’t appear to be available to the Doppler CLI during the deploy process.

export HISTIGNORE='doppler*'
echo 'dp.st.stg.xxx' | doppler configure set token --scope /home/forge/xxx.xxx.xxx

I’ve tried changing the scope to none, root and deploy directory. All have the same result: the first command fails with “Doppler Error: you must provide a token”.

How can I provide the service token to the doppler CLI?

Hi @Christopher_Skene!

Welcome to the Doppler Community!

Usually you pass the access token in to the Doppler CLI via the DOPPLER_TOKEN environment variable. From what I can tell, Forge doesn’t seem to have any kind of system for managing environment variables. Its recipe system looks like it just executes a script on servers via SSH for you. As such, there are a couple ways you could go about this:

  1. Export the DOPPLER_TOKEN in the .bashrc file for the root or forge (or whichever) user the Recipe is executing as. This will cause the Doppler CLI to use that token for any doppler commands that get executed. This is probably the easiest option to maintain longer term, but still isn’t great since the token is living on-disk. Unfortunately, in this situation there isn’t a whole lot you can do about that.
  2. Set the token with doppler configure set token=dp.st.std.xxx.... --scope /home/forge. It looks like Recipes execute from the user’s home directory, so that should work fine.

If you only have one project/config you’re accessing on the server, then using the first method is probably the easiest. If you have multiple projects on the same server, then the second option is probably the best.

Ideally, Forge would have a feature that would let you set secrets for the Recipe that are decrypted and set as environment variables for the script when it runs. I recommend contacting them to see if they have any plans for that.

Hope this helps!
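As an added example (not part of the original thread or Doppler's documentation): a plain `>` redirect in the deploy script creates an empty `google-service-account.json` whenever the CLI fails with an error such as "you must provide a token". The function below fetches into a temporary file and only replaces the destination on success; the function name `write_gcp_credentials` and the `"private_key"` sanity check are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: safer form of
#   doppler secrets get GOOGLE_SERVICE_ACCOUNT --plain > ./google-service-account.json
# write_gcp_credentials is a hypothetical helper name, not a Doppler or Forge command.

write_gcp_credentials() {
    local dest="${1:-./google-service-account.json}"
    local dir tmp
    dir="$(dirname "$dest")"

    # Create the temp file beside the destination so the final mv is an
    # atomic rename on the same filesystem; mktemp creates it with mode 0600.
    tmp="$(mktemp "$dir/.gsa.XXXXXX")" || return 1

    # If the CLI has no token (or any other error), stop here instead of
    # leaving a truncated credentials file for the application to read.
    if ! doppler secrets get GOOGLE_SERVICE_ACCOUNT --plain > "$tmp"; then
        rm -f "$tmp"
        echo "doppler failed; $dest left unchanged" >&2
        return 1
    fi

    # Assumed sanity check: a service account key file is non-empty and
    # carries a "private_key" field. This is not full JSON validation.
    if [ ! -s "$tmp" ] || ! grep -q '"private_key"' "$tmp"; then
        rm -f "$tmp"
        echo "secret does not look like a service account key; $dest left unchanged" >&2
        return 1
    fi

    # Owner-only permissions, then swap into place.
    chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}
```

In the deploy script, call `write_gcp_credentials ./google-service-account.json || exit 1` so a missing token aborts the deploy instead of shipping an empty key file.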