| 1 | +--- |
| 2 | +title: "Announcing Doppler Providers for Pulumi ESC: Dynamic Login and Dynamic Secrets" |
| 3 | +date: 2025-06-26 |
| 4 | +allow_long_title: true |
| 5 | +meta_desc: "Pulumi ESC adds Doppler providers for dynamic OIDC login and centralized secret fetching, enhancing security and simplifying management." |
| 6 | +## TODO get image |
| 7 | +# meta_image: meta.png |
| 8 | +authors: |
| 9 | + - robert-harris |
| 10 | +tags: |
| 11 | + - esc |
| 12 | + - secrets |
| 13 | + - doppler |
| 14 | + - features |
| 15 | + - configuration-management |
| 16 | + - dynamic-secrets |
| 17 | + - oidc |
| 18 | +--- |
| 19 | + |
| 20 | +We are excited to announce enhanced integration support for [Doppler](https://doppler.com/) within [Pulumi ESC](/product/esc)! Pulumi ESC centralizes secrets and configuration management, providing a unified source of truth across your environments. With the addition of Doppler, a popular secrets management platform, ESC further extends its ecosystem, enabling seamless and secure access to secrets stored across diverse systems. |
| 21 | + |
| 22 | +<!--more--> |
| 23 | + |
| 24 | +This release introduces two distinct dynamic providers for Doppler, each designed to improve security and streamline your workflows: |
| 25 | + |
| 26 | +* **[`doppler-login`](/docs/esc/integrations/dynamic-login-credentials/doppler-login/) (Dynamic Login):** This provider securely generates short-lived OIDC access tokens for authenticating *to* Doppler. Static, long-lived credentials are a significant security risk. The `doppler-login` provider directly addresses this by generating temporary, just-in-time credentials using OIDC. **Use this provider when you need temporary credentials to interact directly with Doppler**, for instance, using the Doppler CLI or SDKs in local development or CI/CD pipelines, without storing long-lived static tokens. ESC manages the OIDC flow, providing a fresh token when needed. |
| 27 | + |
| 28 | +* **[`doppler-secrets`](/docs/esc/integrations/dynamic-secrets/doppler-secrets/) (Dynamic Secrets):** This provider dynamically fetches secrets stored *within* your Doppler configs and makes them available within the Pulumi ESC environment. **Use this provider when you need specific secrets *from* Doppler to configure your applications or infrastructure managed via ESC.** This centralizes secret consumption, allowing you to access Doppler secrets using the same consistent ESC patterns used for AWS, Azure, GCP, Infisical, Vault, 1Password, and more. |
| 29 | + |
| 30 | +Pulumi ESC acts as a robust **secrets broker** provider consistent API interface for all your tools, applications and workflows. It securely handles *both* the generation of temporary authentication credentials (like with `doppler-login`) and the fetching of application secrets (like with `doppler-secrets`) from various providers such as Doppler, cloud platforms ([AWS](/docs/esc/integrations/dynamic-secrets/aws-secrets/), [Azure](/docs/esc/integrations/dynamic-secrets/azure-secrets/), [GCP](/docs/esc/integrations/dynamic-secrets/gcp-secrets/)), and other secret managers ([Infisical](/docs/esc/integrations/dynamic-secrets/infisical-secrets/), [Vault](/docs/esc/integrations/dynamic-secrets/vault-secrets/), [1Password](/docs/esc/integrations/dynamic-secrets/1password-secrets/)). Once centralized in ESC, these secrets and configurations are consistently available for you to consume via ESC's many developer friendly methods including the [ESC SDK](/docs/esc/development/languages-sdks/), [ESC CLI](/docs/esc/cli/), [Kubernetes External Secrets Operator](/docs/esc/integrations/kubernetes/external-secrets-operator/), [CSI Driver](/docs/esc/integrations/kubernetes/secret-store-csi-driver/), or sync them to various platforms where they are needed such as [GitHub Secrets](https://github.com/pulumi/esc-examples/tree/main/sync/github-secrets), [AWS Secrets Manager](https://github.com/pulumi/esc-examples/tree/main/sync/aws-secrets-manager), and more! |
| 31 | + |
| 32 | +## Getting Started: Using the Doppler Providers |
| 33 | + |
| 34 | +Let's walk through how to configure and use each provider. |
| 35 | + |
| 36 | +### Prerequisites |
| 37 | + |
| 38 | +Your Doppler workplace must be on the Team or Enterprise plan in order to use OIDC (via service account identities). |
| 39 | + |
| 40 | +Configure Doppler for OpenID Connect(OIDC) before you try out the providers. Follow the steps in [Doppler OIDC documentation](/docs/esc/environments/configuring-oidc/doppler/). This involves creating a Service Account Identity in Doppler, with OIDC authentication pointing to `https://api.pulumi.com/oidc`, and configuring the audience and subject claims. Note down the **Identity ID**. |
| 41 | + |
| 42 | +### How to Use the doppler-login Provider (Dynamic Authentication) |
| 43 | + |
| 44 | +1. Create a Pulumi ESC environment (e.g., `pulumi-org/doppler-auth/oidc-login`) with the following environment definition and update the `identityId`. |
| 45 | + |
| 46 | +```yaml |
| 47 | +# Environment: pulumi-org/doppler-auth/oidc-login |
| 48 | +values: |
| 49 | + doppler: |
| 50 | + # Configure the Dynamic Login provider using OIDC |
| 51 | + login: |
| 52 | + fn::open::doppler-login: |
| 53 | + oidc: |
| 54 | + identityId: <your-identity-id> # Replace with your Doppler Identity ID |
| 55 | + |
| 56 | + # Expose the token as an environment variable for easy consumption |
| 57 | + environmentVariables: |
| 58 | + DOPPLER_TOKEN: ${doppler.login.accessToken} |
| 59 | +``` |
| 60 | +
|
| 61 | +2. Save the environment. |
| 62 | +3. Validate the environment by clicking on Open in the Pulumi Cloud console, or running `esc open pulumi-org/doppler-auth/oidc-login` in your CLI. The output will include the `doppler.login.accessToken`. |
| 63 | +4. Usage Example: Run Doppler CLI commands dynamically: |
| 64 | +```bash |
| 65 | +esc run pulumi-org/doppler-auth/oidc-login -- doppler secrets download --no-file --format=json --project=<your-project-id> --config=<your-config-id> |
| 66 | +# The DOPPLER_TOKEN env var is automatically injected |
| 67 | +``` |
| 68 | + |
| 69 | +### How to Use the doppler-secrets Provider (Dynamically Fetching Secrets) |
| 70 | + |
| 71 | +Use this provider to pull secrets *from* Doppler *into* your ESC environment for consumption by your applications, CI/CD systems, Pulumi IaC, Terraform and more! |
| 72 | + |
| 73 | +1. Create an ESC environment where you need the secrets (e.g., `pulumi-org/my-app/dev`). |
| 74 | +2. **Import** the dynamic login environment (if using OIDC for authentication, which is recommended). This makes the temporary Doppler token available. |
| 75 | +3. Configure the `doppler-secrets` provider, referencing the imported login details. See example below. |
| 76 | +4. Specify the secrets to fetch using the `get` block. Replace placeholders. |
| 77 | + |
| 78 | +```yaml |
| 79 | +# Environment: pulumi-org/my-app/dev |
| 80 | +imports: |
| 81 | + # Import the environment performing Dynamic Login (recommended) |
| 82 | + - pulumi-org/doppler-auth/oidc-login # Use the path to your login environment |
| 83 | +
|
| 84 | +values: |
| 85 | + # Define a structure to hold secrets fetched from Doppler |
| 86 | + dopplerSecrets: |
| 87 | + fn::open::doppler-secrets: |
| 88 | + # Authenticate using the token from the imported Dynamic Login environment |
| 89 | + login: ${doppler.login} # Pass the login object from the import |
| 90 | + # Specify the Doppler project and config to retrieve secrets from |
| 91 | + project: example-project |
| 92 | + config: dev |
| 93 | + # Specify secrets to retrieve from Doppler |
| 94 | + get: |
| 95 | + # Define names for the secrets as they will appear in ESC's output under 'dopplerSecrets' |
| 96 | + apiKey: # This is the name within ESC |
| 97 | + name: API_KEY # The name of the secret in Doppler |
| 98 | + appSecret: # Pull another secret into ESC |
| 99 | + name: APP_SECRET |
| 100 | + |
| 101 | + # Optionally, map fetched secrets to environment variables for application consumption |
| 102 | + environmentVariables: |
| 103 | + API_KEY: ${dopplerSecrets.apiKey} |
| 104 | + APP_SECRET: ${dopplerSecrets.appSecret} |
| 105 | +``` |
| 106 | +5. Save the environment. |
| 107 | +6. Validate the environment by clicking on Open in the Pulumi Cloud console, or running `esc open pulumi-org/my-app/dev` in your CLI. The output will show the imported `doppler.login`, the fetched secrets under `dopplerSecrets`, and the mapped `environmentVariables`. |
| 108 | +7. **Usage Example:** Run an application that needs these secrets: |
| 109 | + ```bash |
| 110 | + esc run pulumi-org/my-app/dev -- node app.js |
| 111 | + # The API_KEY and APP_SECRET env vars are automatically injected |
| 112 | + ``` |
| 113 | + |
| 114 | +## Conclusion |
| 115 | + |
| 116 | +The new `doppler-login` and `doppler-secrets` providers for Pulumi ESC offer powerful and secure ways to interact with Doppler. Use `doppler-login` for dynamic, short-lived OIDC authentication when interacting directly with Doppler APIs or CLIs. Use `doppler-secrets` to securely fetch secrets *from* Doppler *into* your centralized ESC environment. Together, they enhance your security posture and simplify configuration management. |
| 117 | + |
| 118 | +We encourage you to explore these new capabilities. Dive into the [doppler-login](/docs/esc/integrations/dynamic-login-credentials/doppler-login/), [doppler-secrets](/docs/esc/integrations/dynamic-secrets/doppler-secrets/) for detailed configuration options, check out the broader [Pulumi ESC Documentation](/docs/esc/), and share your feedback or ask questions in the [Pulumi Community Slack](https://slack.pulumi.com/). |
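Review bot: the validation step for `doppler-login` (`esc run pulumi-org/doppler-auth/oidc-login -- doppler secrets download --no-file --format=json ...`) prints every secret in the target config to stdout, so anyone following the post as written will dump their Doppler secrets into terminal scrollback and CI job logs just to confirm the token works; validate the login with a command that proves authentication without disclosing values (for example `doppler secrets --only-names`, or the `esc open` step already described), and reserve the `download` form for the `doppler-secrets` section where the values are actually consumed. The same step's placeholders `<your-project-id>` / `<your-config-id>` are inconsistent with the `doppler-secrets` YAML, which correctly passes the project slug (`example-project`) and config name (`dev`); Doppler's `--project`/`--config` flags take those names, so `<your-project>` / `<your-config>` would be clearer. In the Prerequisites paragraph, "configuring the audience and subject claims" gives no guidance on what the subject should be; since that claim is the only thing preventing other principals from assuming the Doppler service account identity, say explicitly that it should be pinned to the login environment rather than a broad match, and point at the linked OIDC page for the exact subject format. Smaller items before merge: the front matter still carries `## TODO get image` and a commented-out `meta_image`, which YAML tolerates but which should be resolved or dropped; "Pulumi ESC acts as a robust **secrets broker** provider consistent API interface" has lost a few words and should read "acts as a robust **secrets broker**, providing a consistent API interface"; "OpenID Connect(OIDC)" needs a space; in the conclusion, "Dive into the [doppler-login](...), [doppler-secrets](...) for detailed configuration options" needs "and" plus "docs" after the second link; and the two usage-example fences are inconsistent (step 4's ` ```bash ` block is flush-left while step 7's is indented under its list item, and step 4's "Usage Example:" lacks the bold used in step 7), which will render the first block outside the list in goldmark.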