
Doppler SecretOps & How I Stopped Using .env files


For the last month or so I've been using this amazing product called Doppler. You can sign up for free using https://doppler.com/join?invite=524473B9 and get a free $100 credit if you decide to use any paid features.

Doppler is a SecretOps platform and makes managing your secrets and variables for your applications so much easier, especially for promoting from dev/local to staging and eventually into Prod while maintaining the same keys but different values in all stages and ensuring no vars are ever left behind.

The beauty for me, and why I like Doppler so much, is being able to put doppler run -- in front of any of your typical commands like python, docker, etc. and have it inject your env vars for you, so long gone are the days of needing a .env file or even having to export any vars locally.

So let's get into an example of how this all works. We are going to use the https://github.com/DevOps-With-Brian/doppler-blog-demo repo as a test which connects to the NASA API and needs an API key which you can ask for at the same link. This is a perfect example of how we can use Doppler.

Setting Up A Secret In Doppler

So upon signing up to Doppler you will be presented with a screen similar to below. You won't see any projects yet, so let's click the + icon and make a new one for our demo.

So upon clicking the + we are going to see something like so. You can fill this in with whatever you like:

Now let's click create project and get our dev location set up with our NASA API key.

From here you can see we have Development, Staging, and Production, and we can put different secret values in each. We are going to start in dev, and I'll show how it can automatically bring over the initial keys and ask you to update them with new values.

So let's click on dev and add our NASA API key:

Just click on the Add First secret and we should be presented with a screen like below:

As you can see we have now added our NASA_API_KEY and we have a value of ABCEDEFHIJKLMNOP, so this would need to be whatever your key is that NASA sends you. Now we can hit save and then use the cool doppler CLI tool to inject this secret for us into our code at runtime.

So you can see as we go to save, if we wanted to also copy this same key/value to Staging or Prod we could do that here.

Now you can use the Doppler CLI docs to install it, and then run doppler login to generate a key. Then, from the repo where our code resides, run doppler setup, which will give us the menu to select which project and environment we want to use for our secrets.

So here we are picking our nasa_apod_demo project that we set up earlier, then it's going to ask us which environment we want to use, so we will select dev.

Now Doppler knows which secrets to inject when we run our doppler run command. The cool part here is you can just update them in the UI or add new ones, then re-run doppler run with your typical command and it will inject them.

Our project is Python, so we can now do the same thing. Let's set up our Python project.

Setting Up Python Demo Project

So as mentioned before you can clone Our Demo and follow the instructions below.

After cloning the repo down we need to set up our Python virtual environment:

1. Run python -m venv .venv to create a virtual env in the .venv location.

2. Activate it before installing our requirements using source .venv/bin/activate if running on Linux, for example.

3. Install our requirements via pip install -r requirements.txt

4. We are finally ready to run our code. Normally you would just run python apod.py, but since we are using Doppler we want to run doppler run -- python apod.py, which tells Doppler to inject our env var for us.

So if everything was done correctly you should get a print statement similar to this. It obviously changes every day:

Sure, here is a link to the Astronomy Picture of the Day, today's picture is of: A Multiple Green Flash Sunset and you can see it at https://apod.nasa.gov/apod/
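
How an app started with doppler run -- python apod.py can consume the injected secret, as an added example that is not the demo repo's own code. It assumes apod.py reads NASA_API_KEY from the process environment; the helper names (require_secret, mask, build_apod_url) are hypothetical. It fails closed when the key is missing or still the sample value used above, and only ever logs a masked form.

```python
import os
from urllib.parse import urlencode

# NASA APOD endpoint; the key travels as the api_key query parameter.
APOD_ENDPOINT = "https://api.nasa.gov/planetary/apod"
# Values that mean "nobody set the real key": empty, or the page's sample value.
PLACEHOLDERS = {"", "ABCEDEFHIJKLMNOP"}


class MissingSecret(RuntimeError):
    """A required secret was not injected into the process environment."""


def require_secret(name, environ=None):
    """Return the named secret from the environment, or fail closed."""
    environ = os.environ if environ is None else environ
    value = environ.get(name, "").strip()
    if value in PLACEHOLDERS:
        raise MissingSecret(
            f"{name} is unset or still a placeholder; start the app with "
            "'doppler run -- python apod.py' so the value is injected"
        )
    return value


def mask(secret, keep=4):
    """Redact a secret for logs, keeping only the last `keep` characters."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def build_apod_url(api_key):
    """Build the request URL with the key URL-encoded, not concatenated raw."""
    return f"{APOD_ENDPOINT}?{urlencode({'api_key': api_key})}"


if __name__ == "__main__":
    try:
        key = require_secret("NASA_API_KEY")
    except MissingSecret as exc:
        raise SystemExit(f"config error: {exc}")
    # Log only the masked form; the full URL contains the key, so never print it.
    print("NASA_API_KEY loaded:", mask(key))
    url = build_apod_url(key)  # pass this to the HTTP client of your choice
```

Running the script without doppler run exits with the config error instead of sending a request with an empty key, which makes a missing secret in a new environment obvious at startup.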

Deploying To Production/Other Methods

So the beauty of Doppler also is that now you can generate new values for the keys in Production, then deploy this out and ensure you aren't missing any env vars that you had working locally, since they are all in Doppler and syncing.

If you for example wanted to deploy to Kubernetes you could use their Secrets Operator and based on the diagram below it can keep a Kubernetes secret location updated with the values from the Doppler UI:

You can find more information about the Kubernetes Integration as well as others at https://docs.doppler.com/docs/integrations.  They offer integrations for a lot of the major platforms like Docker, GitHub Actions, Jenkins, AWS, GCP, Azure, etc.

You can also come watch some of my Twitch VODs or me live and see me using Doppler and integrating it with things like React, Python, ArgoCD, GitHub Actions, and so forth. You can find me on Twitch at https://twitch.tv/devopswithbrian