LinuxCommandLibrary

doppler-run

Run a command with secrets from Doppler

TLDR

Run a command

$ doppler run --command [command]
copy

Run multiple commands
$ doppler run --command [command1 && command2]
copy

Run a script
$ doppler run [path/to/command.sh]
copy

Run command with specified project and config
$ doppler run -p [project_name] -c [config_name] -- [command]
copy

Automatically restart process when secrets change
$ doppler run --watch [command]
copy

SYNOPSIS

doppler run [OPTIONS] [--] [<COMMAND> [<ARGS>...]]

PARAMETERS

-p, --project <PROJECT>
    Specify the Doppler project name.

-c, --config <CONFIG>
    Specify the config name (default: dev).

-t, --token <TOKEN>
    Use specific auth token (overrides $DOPPLER_TOKEN).

--plain
    Print secrets as KEY=VAL to stdout instead of env vars.

--json
    Print secrets as JSON to stdout.

--list-secrets
    List secrets instead of running command.

--local
    Use local .doppler directory, not remote.

--no-proxy
    Bypass Doppler proxy service.

--proxy <URL>
    Custom proxy URL.

--allow-empty
    Allow running with empty configs.

--switch
    Save as default config for future runs.

-v, --verbose
    Enable verbose logging.

DESCRIPTION

doppler run is a subcommand of the Doppler CLI that securely injects secrets and configuration values from a Doppler workspace into the environment variables of a specified shell command or script.

It fetches secrets from the designated project and config, mapping them directly to their intended environment variable names (e.g., API_KEY becomes $API_KEY). This eliminates the need to hardcode sensitive data in scripts, making it ideal for local development, testing, CI/CD pipelines, and production deployments.

By default, it uses the "dev" config unless specified otherwise. Authentication occurs via DOPPLER_TOKEN environment variable or flags. Secrets are retrieved over HTTPS, with optional proxy bypass and local caching support.

Instead of running a command, it can output secrets as plain KEY=VALUE pairs, JSON, or list them for inspection. Verbose mode aids debugging. The command ensures secrets are unset after execution to minimize exposure.

This tool streamlines secret management across environments, supporting dynamic config switching and token-based access control.

CAVEATS

Secrets appear in process lists (ps, /proc/<pid>/environ); use --plain or --json for safer inspection. Requires internet or local cache; install Doppler CLI first. Not for interactive shells.

EXAMPLE

doppler run -- npm start
doppler run --plain npm config set // outputs secrets
doppler run -p myproj -c prod -- docker build .

INSTALLATION

curl -sLf https://cli.doppler.com/install.sh | sh
Requires Go 1.16+ or binaries for Linux/macOS/Windows.

HISTORY

Introduced in Doppler CLI v0.1.0 (2020) as core feature for secret injection. Evolved with proxy support (v1.0+), local mode (v2.0+), and JSON output (v3.0+). Actively maintained by Doppler.

SEE ALSO

env(1), printenv(1), export(1)

Copied to clipboard