Sign in
Log inSign up

Managing Secrets with Doppler in Django

Taminoturoko Briggs's photo
Taminoturoko Briggs
·Oct 2, 2021·

5 min read

Summary

Using .env files to manage application config and secrets is a step forward from hard-coding secrets, but there are also security risks and issues relating to the synchronization and manual management of .env files across different environments. This tutorial introduces Doppler, a solution to secret management and synchronization.

Goals

In this article, we have a Django application that has its secrets defined in a .env file. We will look at how we can move those secrets from the traditional .env file to Doppler.

Doppler — a universal secrets manager

Managing secrets and configs in Doppler keeps them in sync across different environments. You only have to define your secrets once and Doppler acts as a central source of truth for your secrets, saving you the stress of having to re-define them in every environment or share them to team members, probably over unsecured channels.

Doppler has a CLI that provides easy access to secrets in every environment from local development to production and a single dashboard makes it easy for teams to centrally manage app configuration for any application, platform, and cloud provider.

Why use Doppler?

  • Security of App configs and Secrets.
  • Boosts Productivity by not having to manually manage .env files across different environments and cloud providers.
  • Keeps all secrets in sync across devices, environments, and team members.

These are just some of the reasons why we should adopt the use of Doppler in our Projects.

Using Doppler in a Django app

In this section we will demonstrate how we can use Doppler to manage secrets in Django. Here, we have a blog app that has its secrets defined in a .env file, we will be moving those secrets over to Doppler.

App Structure

Here is the file structure of the root folder of our Django app.

+--blog
+--images
+--proj_blog
+--.env
+--.gitignore
+--manage.py
+--requirements.txt

Our main interest here is the .env file which contains all the secrets of the app. The .env file looks something like this:

SECRET_KEY = ajdflkmdjoiejmoaidjfamlamlddga2353
SENDGRID_KEY = supersecretkey
DATABASE_NAME = postgresdatabase
DATABASE_USER = tammibriggs
DATABASE_PASS = supersecretpassword

Getting started with Doppler

To start using Doppler, the first step is to create an account. After doing that, we will be prompted to create a workplace. Give the workspace a preferred name and then click on the Create Workplace button.

name your workplace

Creating a project

A project in Doppler is where app configs and secrets are defined. Doppler comes with a default project called example-project but we can create another by clicking on the plus(+) button.

projects

Click on the + button and create a new project. In my case, I named my project blog_project but you can give yours any other name.

create a project

Once we have created the project, Doppler will provide us with three environments which are:

  • Development
  • Staging
  • Production

We can use these environments to manage our secrets for the three different stages of our app.

environments

Installing Doppler CLI

There are different commands used to install the CLI based on the operating system. I’m using windows but you can look at Doppler’s installation guide to help out with installation on other operating systems.

# Add Doppler's scoop repo
scoop bucket add doppler github.com/DopplerHQ/scoop-doppler.git

# Install latest doppler cli
scoop install doppler

If you run into any problems, this article will be of help. After running the command, we can check if the installation was successful by running:

doppler --version

Now, we need a way for our local machine to authenticate with Doppler. We can do that with this command:

doppler login

We will be asked to open a browser window, where we will authenticate with our email, then an auth token to log in will appear in our terminal which we can use to authenticate Doppler.

command line authentication

Next, we will be asked to name our token. After doing that if we check our terminal, we can see we have received a welcome message.

Managing secrets with Doppler

It is time that we moved our secrets defined in the .env over to Doppler. Head over to the blog_project we created earlier on Doppler and click on dev.

dev environment

We have been provided with two options on how we can add our secrets. We are going to use the second which is import Secrets because when using it all we have to do is to copy and paste our secrets rather than manually writing our secrets if we use Add First Secret.

import secrets

After we have copied and pasted our secrets, click on the Import Secrets button, to import our secrets.

dev environement

Click on the Save button at the top right of the page to save the imported keys. Now, in our terminal let's run the setup command to configure Doppler

doppler setup

We choose the project we are working on which is blog_project and select the environment, in this case, the dev environment. We can now run our Django app, but instead of the regular way which is python manage.py runserver, we will use:

doppler run -- python manage.py runserver

What this command does is it fetches the latest secrets that we stored in Doppler and injects them as environmental variables. Now we can delete the .env file from our project and everything will still work perfectly.

Conclusion

Doppler is a better way of managing secrets than using .env files. This article introduced us to the solution Doppler provides to secret synchronization and security. We have also demonstrated how we can start using Doppler in Django. The solution Doppler provides is amazing, it's high time we say Goodbye to .env files.