doppler
1
总安装量
1
周安装量
#43957
全站排名
安装命令
npx skills add https://github.com/rube-de/cc-skills --skill doppler
Agent 安装分布
claude-code
1
Skill 文档
Doppler Secrets Management
Comprehensive assistance for the Doppler secrets management platform: CLI operations, project and config management, secrets injection, integration syncs, and security best practices.
Triggers
Use this skill when the user mentions: “doppler”, “secrets management”, “doppler cli”, “doppler secrets”, “doppler run”, “doppler setup”, “doppler configs”, “doppler projects”, “secret injection”, “doppler environments”, “service tokens”.
Quick Start
Install CLI
# macOS
brew install gnupg && brew install dopplerhq/cli/doppler
# Linux (Debian/Ubuntu)
apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg
curl -sLf --retry 3 --tlsv1.2 --proto "=https" \
'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' | \
gpg --dearmor -o /usr/share/keyrings/doppler-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/doppler-archive-keyring.gpg] https://packages.doppler.com/public/cli/deb/debian any-version main" | \
tee /etc/apt/sources.list.d/doppler-cli.list
apt-get update && apt-get install doppler
# Shell script (any OS)
curl -sLf --retry 3 --tlsv1.2 --proto "=https" https://get.doppler.com | sh
Authenticate & Setup
# Login (opens browser for auth)
doppler login
# Setup project in current directory (interactive)
doppler setup
# Non-interactive setup
doppler setup --project my-app --config dev --no-interactive
Common Tasks by Intent
| Developer wants to… | Action |
|---|---|
| List all secrets | doppler secrets -p <project> -c <config> |
| Get a single secret | doppler secrets get SECRET_NAME -p <project> -c <config> |
| Set a secret | doppler secrets set KEY=value -p <project> -c <config> |
| Set multiple secrets | doppler secrets set KEY1=val1 KEY2=val2 |
| Delete a secret | doppler secrets delete SECRET_NAME |
| Run command with secrets | doppler run -- your-command --flags |
| Run with specific config | doppler run -p backend -c dev -- npm start |
| Download secrets as file | doppler secrets download --format env --no-file |
| List projects | doppler projects |
| List configs | doppler configs -p <project> |
| List environments | doppler environments -p <project> |
| Clone a config | doppler configs clone -p <project> -c <source> --name <new> |
| View activity logs | doppler activity |
| Check current setup | doppler configure debug |
| Open dashboard | doppler open |
| View who is authenticated | doppler me |
Secrets Injection Patterns
Environment Variable Injection
# Inject secrets as env vars for any command
doppler run -- node server.js
doppler run -- docker compose up
doppler run -- terraform apply
# Run a shell command string
doppler run --command "echo $DATABASE_URL && npm start"
# Only inject specific secrets
doppler run --only-secrets DATABASE_URL,API_KEY -- node server.js
Mount Secrets to File
# Mount as JSON file (ephemeral, cleaned up after process exits)
doppler run --mount secrets.json -- cat secrets.json
# Mount as .env file
doppler run --mount .env --mount-format env -- your-command
# Mount with template
doppler run --mount config.yaml --mount-template template.yaml -- your-command
Template Substitution
# Substitute secrets into a template file
doppler secrets substitute template.env.tpl > .env
Fallback for Offline/Resilience
# Run with fallback file (writes encrypted secrets on success, reads on failure)
doppler run --fallback ./fallback.encrypted -- npm start
# Read-only fallback (never update the fallback file)
doppler run --fallback ./fallback.encrypted --fallback-readonly -- npm start
# Offline mode (read directly from fallback, no API contact)
doppler run --fallback-only --fallback ./fallback.encrypted -- npm start
Project & Config Hierarchy
Doppler organizes secrets in a hierarchy:
Workplace
âââ Project (e.g. "backend", "frontend")
âââ Environment (e.g. "development", "staging", "production")
âââ Config (e.g. "dev", "stg", "prd")
âââ Branch Config (e.g. "dev_feature-x")
Config Inheritance
- Root configs (dev, stg, prd) inherit from their environment
- Branch configs inherit from their parent config
- Overrides cascade: Environment â Config â Branch Config
- Personal configs allow individual developer overrides without affecting the team
Integration Syncs
Doppler can automatically sync secrets to external platforms:
| Platform | Use Case |
|---|---|
| AWS Secrets Manager / SSM | ECS, Lambda, EC2 deployments |
| GCP Secret Manager | GKE, Cloud Run, Cloud Functions |
| Azure Key Vault | AKS, App Service, Functions |
| Cloudflare Pages / Workers | Edge & Jamstack deployments |
| Vercel | Frontend/fullstack deployments |
| Firebase Functions / Hosting | Functions config & build-time secrets |
| Serverless Framework | Lambda/serverless function secrets |
| GitHub Actions | CI/CD secrets |
| Docker / Docker Compose | Container environment injection |
| Kubernetes | Secret objects via Doppler Operator |
| Terraform | Infrastructure as Code |
| Webapp.io | CI/CD Layerfile secrets |
| Heroku | PaaS deployments |
Service Tokens
For CI/CD and production, use service tokens (read-only, scoped to a single config):
# Generate a service token via dashboard or API
# Use in CI/CD:
DOPPLER_TOKEN=dp.st.xxx doppler run -- your-command
# Or set as environment variable
export DOPPLER_TOKEN=dp.st.xxx
doppler secrets
Security Best Practices
- Never commit secrets to version control â use Doppler as the single source of truth
- Use service tokens in production (read-only, config-scoped)
- Use personal configs for local development overrides
- Enable change requests for production configs (requires approval before changes)
- Rotate secrets regularly â use Doppler’s rotation reminders
- Use OIDC authentication where possible for short-lived tokens
- Audit access via
doppler activityand dashboard audit logs - Use branch configs to isolate feature branch secrets
- Never use
--no-verify-tlsin production
Reference Documents
For deep dives, consult these references:
| Reference | Content |
|---|---|
| CLI.md | Complete CLI command reference with all subcommands and flags |
| INTEGRATIONS.md | CI/CD, Docker, Kubernetes, cloud platform integration patterns |
Troubleshooting
Authentication Issues
- Run
doppler meto check current auth status - Run
doppler configure debugto see active configuration - Re-authenticate with
doppler login - Check scope:
doppler configure get token --scope /path/to/project
Wrong Secrets Loaded
- Check which project/config is active:
doppler configure debug - Verify scope:
doppler setupin the project directory - Use explicit flags:
doppler secrets -p project -c config - Check for environment variable overrides:
doppler run --preserve-env=false
Fallback File Issues
- Ensure fallback path is writable
- Check passphrase hasn’t changed (config-dependent by default)
- Use
doppler run cleanto remove old fallback files - Regenerate with a fresh
doppler run --fallback ./path -- echo ok
Service Token Not Working
- Verify token is for the correct project and config
- Service tokens are read-only â cannot set/delete secrets
- Check token hasn’t been revoked in the dashboard
- Ensure
DOPPLER_TOKENenv var is set correctly
Workflow
When helping with Doppler:
- Identify the task: Setup, secret management, injection, integration, or debugging
- Check prerequisites: Is
dopplerCLI installed? Is user authenticated? - Determine scope: Which project and config are we working with?
- Consult references: Use reference docs for detailed CLI flags and integration patterns
- Security first: Never output secret values in logs; use
--only-namesfor listing