Doppler: A Brief Introduction to Secrets Managers

Tiexin Guo
Published in 4th Coffee
13 min read · Aug 11, 2022

Author’s note:

This blog post walks you through the basic usage and popular integrations of Doppler, and compares Doppler with its equivalents. Basic DevOps knowledge is required: for example, Kubernetes, kubectl, helm, minikube, the 12-factor app, etc.

1 A Brief History of Secrets

1.1 Secrets in the Software Development Lifecycle (SDLC)

OK, I’ll cut to the chase and get straight to the point:

If you are in the software engineering business, you are gonna have to deal with secrets. I’m not kidding.

  • When you are developing an app, the app itself might need access to a database, so it needs the password. Maybe the app talks to another API that requires authentication, so you need a token, which is a secret.
  • When you launch your virtual machine, you might need to provide an initial password too.
  • In your continuous integration system, a pipeline step might need to write to a location that is access-controlled, so you’d have to provide a secret to make it work. For example, uploading some artifacts to a private S3 bucket.
  • In your continuous deployment system, you might want to operate a virtual machine or a Kubernetes cluster for deployment, both of which require authentication. That’s a secret.

I could go on, but I don’t have to because I’m pretty sure you’ve already got the point: you don’t have to deal with secrets; you must.

1.2 The History of Secrets Management

Before the emergence of secrets managers, there were a few ways to handle secrets (not so gracefully).

One way is to store it locally, be it an ENV file or what have you. But storing secrets locally has a few drawbacks:

  • If you lose it, you lose it forever.
  • If you share it with others and then change it, it’s hard to…

Tiexin Guo
4th Coffee

ex-AWS Sr. DevOps Consultant, CNCF Ambassador