.env files to manage application config and secrets is a step forward from hard-coding secrets, but there are also security risks and issues relating to the synchronization and manual management of
.env files across different environments. This tutorial introduces Doppler, a solution to secret management and synchronization.
In this article, we have a Django application that has its secrets defined in a
.env file. We will look at how we can move those secrets from the traditional
.env file to Doppler.
Managing secrets and configs in Doppler keeps them in sync across different environments. You only have to define your secrets once and Doppler acts as a central source of truth for your secrets, saving you the stress of having to re-define them in every environment or share them to team members, probably over unsecured channels.
Doppler has a CLI that provides easy access to secrets in every environment from local development to production and a single dashboard makes it easy for teams to centrally manage app configuration for any application, platform, and cloud provider.
- Security of App configs and Secrets.
- Boosts Productivity by not having to manually manage
.envfiles across different environments and cloud providers.
- Keeps all secrets in sync across devices, environments, and team members.
These are just some of the reasons why we should adopt the use of Doppler in our Projects.
In this section we will demonstrate how we can use Doppler to manage secrets in Django. Here, we have a blog app that has its secrets defined in a
.env file, we will be moving those secrets over to Doppler.
Here is the file structure of the root folder of our Django app.
+--blog +--images +--proj_blog +--.env +--.gitignore +--manage.py +--requirements.txt
Our main interest here is the
.env file which contains all the secrets of the app. The
.env file looks something like this:
SECRET_KEY = ajdflkmdjoiejmoaidjfamlamlddga2353 SENDGRID_KEY = supersecretkey DATABASE_NAME = postgresdatabase DATABASE_USER = tammibriggs DATABASE_PASS = supersecretpassword
To start using Doppler, the first step is to create an account. After doing that, we will be prompted to create a workplace. Give the workspace a preferred name and then click on the Create Workplace button.
A project in Doppler is where app configs and secrets are defined. Doppler comes with a default project called example-project but we can create another by clicking on the plus(+) button.
Click on the plus(+) button and create a new project. In my case, I named my project blog_project but you can give yours any other name.
Once we have created the project, Doppler will provide us with three environments which are:
We can use these environments to manage our secrets for the three different stages of our app.
There are different commands used to install the CLI based on the operating system. I’m using windows but you can look at Doppler’s installation guide to help out with installation on other operating systems.
# Add Doppler's scoop repo scoop bucket add doppler https://github.com/DopplerHQ/scoop-doppler.git # Install latest doppler cli scoop install doppler
If you run into any problems, this article will be of help.
After running the command, we can check if the installation was successful by running:
Now, we need a way for our local machine to authenticate with Doppler. We can do that with this command:
We will be asked to open a browser window, where we will authenticate with our email, then an auth token to log in will appear in our terminal which we can use to authenticate Doppler.
Next, we will be asked to name our token. After doing that if we check our terminal, we can see we have received a welcome message.
It is time that we moved our secrets defined in the
.env over to Doppler.
Head over to the blog_project we created earlier on Doppler and click on dev.
We have been provided with two options on how we can add our secrets. We are going to use the second which is import Secrets because when using it all we have to do is to copy and paste our secrets rather than manually writing our secrets if we use Add First Secret.
After we have copied and pasted our secrets, click on the Import Secrets button, to import our secrets.
Click on the Save button at the top right of the page to save the imported keys.
Now, in our terminal let's run the setup command to configure Doppler
We choose the project we are working on which is blog_project and select the environment, in this case, the dev environment.
We can now run our Django app, but instead of the regular way which is
python manage.py runserver, we will use:
doppler run -- python manage.py runserver
What this command does is it fetches the latest secrets that we stored in Doppler and injects them as environmental variables. Now we can delete the
.env file from our project and everything will still work perfectly.
Doppler is a better way of managing secrets than using
.env files. This article introduced us to the solution Doppler provides to secret synchronization and security. We have also demonstrated how we can start using Doppler in Django.
The solution Doppler provides is amazing, it's high time we say Goodbye to