Managing Secrets with Doppler in Django
Summary
Using .env files to manage application config and secrets is a step forward from hard-coding secrets, but it brings its own security risks, and keeping .env files in sync by hand across different environments is error-prone. This tutorial introduces Doppler, a solution for secret management and synchronization.
Goals
In this article, we have a Django application that has its secrets defined in a .env file. We will look at how we can move those secrets from the traditional .env file to Doppler.
Doppler — a universal secrets manager
Managing secrets and configs in Doppler keeps them in sync across different environments. You only have to define your secrets once and Doppler acts as the central source of truth for them, saving you the stress of re-defining them in every environment or sharing them with team members, often over insecure channels such as chat or email.
Doppler has a CLI that provides easy access to secrets in every environment from local development to production and a single dashboard makes it easy for teams to centrally manage app configuration for any application, platform, and cloud provider.
Why use Doppler?
- Security of app configs and secrets.
- Boosts productivity by not having to manually manage .env files across different environments and cloud providers.
- Keeps all secrets in sync across devices, environments, and team members.
These are just some of the reasons why we should adopt the use of Doppler in our Projects.
Using Doppler in a Django app
In this section we will demonstrate how we can use Doppler to manage secrets in Django. Here, we have a blog app that has its secrets defined in a .env file; we will be moving those secrets over to Doppler.
App Structure
Here is the file structure of the root folder of our Django app.
+--blog
+--images
+--proj_blog
+--.env
+--.gitignore
+--manage.py
+--requirements.txt
Our main interest here is the .env file, which contains all the secrets of the app. Note that .env is listed in .gitignore: a .env file must never be committed, because anyone with read access to the repository (or its history) would get every secret in it. The .env file looks something like this (the values are placeholders):
SECRET_KEY=ajdflkmdjoiejmoaidjfamlamlddga2353
SENDGRID_KEY=supersecretkey
DATABASE_NAME=postgresdatabase
DATABASE_USER=tammibriggs
DATABASE_PASS=supersecretpassword
Getting started with Doppler
To start using Doppler, the first step is to create an account. After doing that, we will be prompted to create a workplace. Give the workplace a preferred name and then click on the Create Workplace button.
Creating a project
A project in Doppler is where app configs and secrets are defined. Doppler comes with a default project called example-project, but we can create another by clicking on the plus (+) button.
Click on the + button and create a new project. In my case, I named my project blog_project, but you can give yours any other name.
Once we have created the project, Doppler will provide us with three environments which are:
- Development
- Staging
- Production
We can use these environments to manage our secrets for the three different stages of our app. Each environment holds its own set of values, so the development database password never has to be the production one.
Installing Doppler CLI
There are different commands used to install the CLI based on the operating system. I'm using Windows, but you can look at Doppler's installation guide to help out with installation on other operating systems.
# Add Doppler's scoop repo
scoop bucket add doppler https://github.com/DopplerHQ/scoop-doppler.git
# Install latest doppler cli
scoop install doppler
If you run into any problems, this article will be of help. After running the commands, we can check that the installation was successful by running:
doppler --version
Now, we need a way for our local machine to authenticate with Doppler. We can do that with this command:
doppler login
We will be asked to open a browser window, where we authenticate with our email. The CLI prints an auth code in the terminal, and we confirm that the code shown in the browser matches it before approving the login.
Next, we will be asked to name our token. After doing that, if we check our terminal, we can see we have received a welcome message. The CLI now holds a token scoped to our account, so treat the machine it lives on as you would any credential store.
Managing secrets with Doppler
It is time that we moved the secrets defined in the .env file over to Doppler.
Head over to the blog_project we created earlier on Doppler and click on dev.
We are given two options for adding our secrets. We are going to use the second, Import Secrets, because with it all we have to do is copy and paste the contents of our .env file, rather than typing each secret by hand as we would with Add First Secret.
After we have pasted our secrets, click on the Import Secrets button to import them.
Click on the Save button at the top right of the page to save the imported keys. Now, in our terminal let's run the setup command to configure Doppler
doppler setup
We choose the project we are working on, which is blog_project, and select the environment, in this case the dev environment. This writes a small doppler.yaml file in the project directory that records the project and config names only, never secret values.
We can now run our Django app, but instead of the regular python manage.py runserver, we will use:
doppler run -- python manage.py runserver
This command fetches the latest secrets we stored in Doppler and injects them as environment variables into the child process, so our settings keep reading them with os.environ exactly as before. Now we can delete the .env file from our project and everything will still work. Before deleting it, confirm that it is listed in .gitignore; if the file was ever committed, its values are still in the git history and should be rotated in Doppler rather than assumed secret.
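A settings helper that reads the variables `doppler run` injects, written for this article as an added example (it is not Doppler's or Django's own code). It assumes the key names from the .env file shown earlier plus optional DEBUG, DATABASE_HOST and DATABASE_PORT, and it relies on DOPPLER_ENVIRONMENT, the variable the Doppler CLI sets alongside the secrets, to refuse a production config with DEBUG on. The point it adds to the paragraph above is the fail-fast check: a missing secret stops the app at startup with an error that names the key but never prints a value.

```python
"""Build the secret-bearing part of Django settings from environment variables.

Added example for this article, not Doppler's or Django's own code. Assumes the
key names from the .env file above; DOPPLER_ENVIRONMENT is set by the Doppler CLI
when the app is started with `doppler run`.
"""
import os
from typing import Mapping, Optional

try:
    from django.core.exceptions import ImproperlyConfigured
except ImportError:  # keeps the example runnable where Django is not installed
    class ImproperlyConfigured(Exception):
        pass

# Keys the blog app needs; the names match the .env file shown earlier.
REQUIRED_SECRETS = ("SECRET_KEY", "SENDGRID_KEY",
                    "DATABASE_NAME", "DATABASE_USER", "DATABASE_PASS")


def as_bool(raw: Optional[str], default: bool = False) -> bool:
    """Parse the string forms an env var can take ("1", "true", "yes", "on")."""
    if raw is None or raw.strip() == "":
        return default
    return raw.strip().lower() in ("1", "true", "yes", "on")


def settings_from_env(env: Mapping[str, str] = os.environ) -> dict:
    """Return a dict of Django settings built from `env`.

    Fails fast if any required secret is missing or empty. The error lists only
    the key names, so it can be logged without leaking a value.
    """
    missing = [k for k in REQUIRED_SECRETS if not env.get(k, "").strip()]
    if missing:
        raise ImproperlyConfigured(
            "missing secrets: " + ", ".join(missing)
            + " (start the app with `doppler run -- ...` or add them in Doppler)"
        )

    debug = as_bool(env.get("DEBUG"))
    # Django's debug error pages show settings and stack traces to whoever
    # triggers an error, so never let DEBUG through for the prd environment.
    if debug and env.get("DOPPLER_ENVIRONMENT") == "prd":
        raise ImproperlyConfigured("DEBUG must be off in the prd environment")

    return {
        "SECRET_KEY": env["SECRET_KEY"].strip(),
        "DEBUG": debug,
        "SENDGRID_KEY": env["SENDGRID_KEY"].strip(),
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.postgresql",
                "NAME": env["DATABASE_NAME"].strip(),
                "USER": env["DATABASE_USER"].strip(),
                "PASSWORD": env["DATABASE_PASS"],  # passwords are kept verbatim
                "HOST": env.get("DATABASE_HOST", "localhost"),
                "PORT": env.get("DATABASE_PORT", "5432"),
            }
        },
    }


if __name__ == "__main__":
    # Constructed stand-in for what `doppler run` would inject in the dev config.
    fake_env = {
        "SECRET_KEY": "ajdflkmdjoiejmoaidjfamlamlddga2353",
        "SENDGRID_KEY": "supersecretkey",
        "DATABASE_NAME": "postgresdatabase",
        "DATABASE_USER": "tammibriggs",
        "DATABASE_PASS": "supersecretpassword",
        "DOPPLER_ENVIRONMENT": "dev",
    }
    cfg = settings_from_env(fake_env)
    print("database:", cfg["DATABASES"]["default"]["NAME"], "debug:", cfg["DEBUG"])
```

In proj_blog/settings.py the same effect is had with `globals().update(settings_from_env())` near the top of the module, or by assigning each name from the returned dict; either way the app refuses to start instead of running with an empty SECRET_KEY.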
Conclusion
Doppler is a better way of managing secrets than using .env files. This article introduced the solution Doppler provides to secret synchronization and security, and demonstrated how to start using Doppler in Django.
The solution Doppler provides is a good one, and it is time we said goodbye to .env files.