A CircleCI orb to load secrets managed in Doppler into CircleCI projects as environment variables.
Guidance on how to create a Project can be found here.
Add secrets to the ci environment within the Doppler project for all secrets you want to access in CircleCI.
Within the Doppler project ci environment, select Access and then Generate Service Token. Give your Doppler Service Token a nice descriptive name e.g. {YourCircleCIProjectName}-CircleCI-Token. Stash the generated token as you will need it in the next step.
Guidance on how to create a Doppler Service Token can be found here.
Within CircleCI, configure a new project environment variable named DOPPLER_TOKEN, with the value being the Doppler Service Token stashed previously.
Guidance on how to set up a project environment variable in CircleCI can be found here.
Add the following to your CircleCI project config file (.circleci/config.yml) to make the doppler-circleci orb available to use:
orbs:
  doppler-circleci: ft-circleci-orbs/doppler-circleci@1.5
Within a job configuration, use the doppler-circleci commands install and load_secrets as follows:
jobs:
  retrieve-secret-from-doppler-with-orb:
    docker:
      - image: cimg/base:current
    steps:
      - checkout
      - doppler-circleci/install
      - doppler-circleci/load_secrets
      - run:
          name: Use the Doppler secret NPM_TOKEN to configure npm
          command: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc
Secrets defined in the Doppler project ci environment will be configured as environment variables if everything is set up correctly. After load_secrets is executed, secrets are accessible using the CircleCI environment variable syntax, e.g. ${YOUR_DOPPLER_SECRET}.
If you're using an Alpine-based Docker image, an extra step is required when loading secrets:
      - run:
          name: Use the Doppler secret NPM_TOKEN to configure npm
          command: source $BASH_ENV && echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc
Installs the latest version of the Doppler CLI. Supports Linux (apt-get) and macOS (brew) package installers.
Loads any Doppler secrets from the Doppler project ci environment into environment variables within the CircleCI job.
When using a Doppler service token there is no need to specify a project, since the token is linked to a project already.
There is a Financial Times internal guide on Tech Hub which will walk you through how to get the best out of Doppler.
Please also refer to the Financial Times internal Cyber Security team's guidelines for more information on default Doppler environments.
This token does not have access to requested project
In version 1.3 and earlier of this orb, a temporary file ./.circleci/doppplerenv was written to the filesystem containing DOPPLER_PROJECT and DOPPLER_CONFIG settings. In certain circumstances, when using CircleCI caching features, this file could end up being cached and used unintentionally in different CircleCI jobs using different Doppler tokens, likely causing the error above. To avoid this issue, please update the config.yml to use ft-circleci-orbs/doppler-circleci@1.4 or higher.
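A preflight check for the two failure modes described above (a cached ./.circleci/doppplerenv file, and secrets that are not visible until $BASH_ENV is sourced), written as an added example and not part of the orb itself. The function names are hypothetical, and it assumes the secrets reach the job as export lines in $BASH_ENV, as the Alpine step implies.

```shell
#!/bin/sh
# Added example: preflight for a step that runs after doppler-circleci/load_secrets.
# Function names are hypothetical; only secret names are printed, never values.

# True if the settings file written by orb versions 1.3 and earlier exists
# under the given checkout directory (for example after a cache restore).
has_stale_doppler_env() {
    [ -e "${1:-.}/.circleci/doppplerenv" ]
}

# Print the names of the listed variables that are unset or empty.
# Returns 2 if a name is not a plain shell identifier.
missing_secrets() {
    missing=""
    for name in "$@"; do
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;;
        esac
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            missing="${missing:+$missing }$name"
        fi
        unset value
    done
    printf '%s\n' "$missing"
}

# preflight DIR NAME...: returns 0 when the job is safe to continue.
preflight() {
    dir="$1"
    shift
    # Alpine-based images: pick up variables exported to $BASH_ENV.
    if [ -n "${BASH_ENV:-}" ] && [ -r "$BASH_ENV" ]; then
        . "$BASH_ENV"
    fi
    if has_stale_doppler_env "$dir"; then
        echo "stale $dir/.circleci/doppplerenv found; use orb 1.4 or higher" >&2
        return 1
    fi
    missing=$(missing_secrets "$@") || return 2
    if [ -n "$missing" ]; then
        echo "secrets not loaded: $missing" >&2
        return 1
    fi
    return 0
}
```

In a run step this would be called as, for example, preflight . NPM_TOKEN before the command that writes ~/.npmrc.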
This orb is based on conpagoaus/doppler-orb and adapted for the Financial Times.