Composing Doppler Run Commands
Suppose you're using doppler for credentials management and have a team of three people: Mary, Joe, and Sue.
They all have separate database credentials:
- Mary's account is mary with password123
- Joe's account is joe with passwordABC
- Sue's account is sue with passwordXYZ
No one should see each other's passwords, as they are reserved for that person's private access and usage. We can simulate this as three environments named Mary, Joe, and Sue (rather than prod, staging, qa). An administrator can set their usernames and passwords in the DB_KEY and DB_USER fields.
We also restrict access per user, so each individual only has access to their own keys.
Now we need to find ways to connect to the database. Mary has access to the qa and prod databases, but Joe and Sue only have access to the qa databases.
Solution 1: Create branch configs
The only downside is that you'd have a copy of the database DNS name in every branched config, since those values are environment specific, NOT user specific. Initially this is manageable, but it grows in complexity if you have multiple databases as well (smoke, qa, test, prod, ...).
Solution 2: Create a separate doppler project for the databases themselves and then run doppler by connecting both projects.
Now if we run the following:
$ doppler run -p databases -c qa -- doppler run -p users -c mary -- printenv
DB_KEY=123
DB_USER=mary
DB_HOST=qa.test.com.company_vpn
DB_PORT=3306
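To simplify things a bit more you can offer a nice alias:
alias qa-db='doppler run -p users -c mary -- doppler run -p databases -c qa -- sh -c "mysql -u \"\$DB_USER\" -p\"\$DB_KEY\" -h \"\$DB_HOST\" -P \"\$DB_PORT\""'
The single quotes and the inner sh -c keep $DB_USER and the other variables from being expanded until doppler has injected them, and mysql expects the password directly after -p with no space. A password passed on the command line can be visible to other local users in the process list.
Now all you need to do is run qa-db and you're connected while preserving security of keys in doppler itself.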
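An alias like this only works if the variables are expanded after doppler has injected them, not when the alias is defined. The following is an added example, not code from the original post: fake_run is a hypothetical stand-in for doppler run that exports constructed values, and echo replaces the real mysql client so nothing connects.

```shell
#!/bin/sh
# fake_run is a hypothetical stand-in for `doppler run -p <project> --`:
# it exports constructed values for the project, then runs the command.
fake_run() {
    project=$1; shift
    (
        case $project in
            users)     export DB_USER=mary ;;   # DB_KEY omitted so no password is echoed
            databases) export DB_HOST=qa.test.com.company_vpn DB_PORT=3306 ;;
        esac
        "$@"
    )
}

# Double-quoted alias body: variables are expanded when the alias is defined,
# in a shell where doppler has injected nothing yet.
early_expansion() {
    unset DB_USER DB_HOST DB_PORT
    line="echo mysql -u $DB_USER -h $DB_HOST -P $DB_PORT"
    fake_run users fake_run databases $line
}

# Single-quoted body handed to sh -c: expanded by the innermost shell,
# after both layers have exported their values.
late_expansion() {
    fake_run users fake_run databases \
        sh -c 'echo mysql -u "$DB_USER" -h "$DB_HOST" -P "$DB_PORT"'
}

early_expansion   # mysql -u -h -P
late_expansion    # mysql -u mary -h qa.test.com.company_vpn -P 3306
```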
Maybe this idea of user specific variables (rather than environment specific ones) will become native in doppler someday, but for now here are two solutions you can try if you run into a case like this. I hope it will, since doppler is a universal secrets manager and not just any old secrets manager.