LinuxCommandLibrary

doppler-run

Run a command with secrets from Doppler

TLDR

Run a command

$ doppler run --command "[command]"

Run multiple commands

$ doppler run --command "[command1 && command2]"

Run a script
$ doppler run [path/to/command.sh]

Run command with specified project and config
$ doppler run -p [project_name] -c [config_name] -- [command]

Automatically restart process when secrets change
$ doppler run --watch [command]

SYNOPSIS

doppler run [options] -- [command] [args...]

PARAMETERS

--project, -p
    Specifies the Doppler project from which to retrieve secrets.

--config, -c
    Specifies the Doppler configuration (e.g., 'dev', 'stg', 'prd') within the project.

--scope
    Filters secrets to a specific scope within the chosen configuration.

--token
    Authenticates with a Doppler Service Token instead of the logged-in user session. Commonly used in CI/CD environments.

--log-level
    Sets the logging level for Doppler CLI output (e.g., 'info', 'warn', 'error').

--verbose
    Enables verbose logging for more detailed output.

--debug
    Enables debug logging, providing the most detailed output for troubleshooting.

--help, -h
    Displays help information for the doppler-run command.

DESCRIPTION

doppler-run is the Doppler CLI subcommand (invoked as doppler run) that executes a specified command, script, or program with secrets from the Doppler platform injected into its environment variables. When invoked, it retrieves the secrets for the designated project and configuration, sets them as environment variables, and then spawns the target process. Because the values are fetched at launch, sensitive information such as API keys and database credentials does not have to be hardcoded or kept in plain-text .env files, and no manual environment variable setup is needed across development, staging, and production environments. It is widely used for running development servers, executing CI/CD pipelines, and other applications requiring secure access to sensitive data.

CAVEATS

Requires the Doppler CLI to be installed and configured/authenticated.
Network connectivity to the Doppler service is essential for fetching secrets.
Secrets are exposed as environment variables, which might not be suitable for all applications or security models.
The executed command must be designed to consume configuration via environment variables.
Sensitive information temporarily resides in the environment of the child process.
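
The last caveat in practice: every process the command starts inherits the injected variables unless the command removes them first. The helpers below are an added example (not Doppler's code) for an entrypoint script launched with doppler run; DB_PASSWORD and the _secret_ prefix are hypothetical names.

```shell
#!/bin/sh
# Added example: helpers for an entrypoint started as
#   doppler run -- ./entrypoint.sh
# DB_PASSWORD and the _secret_ prefix are hypothetical names.

# Accept only plain identifiers, because the names are passed through eval.
_valid_name() {
    case "$1" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# take_secret NAME: copy NAME into the unexported shell variable _secret_NAME
# and drop it from the environment, so later children no longer inherit it.
take_secret() {
    _valid_name "$1" || { echo "take_secret: invalid name" >&2; return 2; }
    eval "[ -n \"\${$1+x}\" ]" || { echo "take_secret: $1 is not set" >&2; return 1; }
    eval "_secret_$1=\$$1"
    unset "$1"
}

# with_secret NAME cmd [args...]: run one external command with NAME exported
# again, inside a subshell, so the export never reaches the parent or siblings.
with_secret() {
    _valid_name "$1" || return 2
    _ws_name=$1
    shift
    ( eval "export $_ws_name=\"\$_secret_$_ws_name\""; exec "$@" )
}

# child_sees NAME: succeed if a newly started child (here: env) inherits NAME.
child_sees() {
    _valid_name "$1" || return 2
    env | grep -q "^$1="
}
```

This limits inheritance only: on Linux, /proc/<pid>/environ of the entrypoint shell still shows the environment it was started with, readable by the same user and by root.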

AUTHENTICATION

doppler-run primarily uses the authentication context established by a prior doppler login command. Alternatively, a Doppler Service Token can be provided directly via the --token parameter, which is common in automated environments like CI/CD.

ENVIRONMENT VARIABLE PRECEDENCE

When doppler-run injects secrets, they typically take precedence over any existing environment variables with the same name. This ensures that the application receives the intended, securely managed secrets from Doppler.

LOCAL DEVELOPMENT

While doppler-run fetches secrets from the remote Doppler service, the Doppler CLI can also work with local .doppler files for development. For inspecting what secrets would be injected, the doppler secrets command can be used.

HISTORY

The doppler-run command is a core component of the Doppler secrets management platform. It emerged as a solution to address the challenges of securely providing sensitive data to applications, moving beyond static configuration files or insecure environment variables. Its development is intertwined with the increasing adoption of cloud-native architectures and the need for centralized, auditable, and version-controlled secrets. Since its inception, it has become a fundamental tool for integrating Doppler into various workflows, including local development, continuous integration/continuous deployment (CI/CD) pipelines, and serverless function deployments, ensuring secure and seamless secret injection.

SEE ALSO

doppler(1), env(1), export(1)
