DopplerHQ / cli

The official CLI for interacting with your Doppler secrets and configuration.
https://docs.doppler.com
Apache License 2.0

[FEATURE] doppler run --secret-names #322

Closed icepuma closed 1 year ago

icepuma commented 1 year ago

Is your feature request related to a problem? Please describe.

Let's say I have a project / config containing 10 secrets, but I want just 2 of them in my doppler run call; the command will receive all 10 secrets. But sometimes I don't want to give the command all my secrets.

Describe the solution you'd like

The solution might be an additional switch / filter, e.g. --secret-names, where I can provide a list (1-n) of secret names which should be injected into the doppler run call.

Describe alternatives you've considered

Nothing to say here

Additional context

Nothing to say here

icepuma commented 1 year ago

In the case you're cool with this filter feature, I'm keen to provide the feature via PR.

ryan-blunden commented 1 year ago

Hey @icepuma and thanks for the feature request!

Are you able to expand upon why you only want to provide a subset of secrets?

We do have long-term plans for building in the reading of specific secrets into our API and then CLI but this isn't yet on our engineering roadmap.

For now, I'd recommend creating a branch config containing only the subset of secrets required.

icepuma commented 1 year ago

It is more for ad-hoc actions when running doppler run on my local machine, where I have a config containing 10 values, but only want to inject 2 of those values to a command.

Creating a branch config would mean I have to do something just for this one ad-hoc action and maybe forget to delete it afterwards.

ryan-blunden commented 1 year ago

Is it that the inclusion of the 8 secrets breaks the command you need to run? Just wanting to understand the need for removing those secrets.

icepuma commented 1 year ago

It wouldn't break the command; it is more that I don't need the 8 other secrets in this one particular run and therefore don't want to let the command know them. It is more like a filter, where you have more granular control over what leaves your doppler ecosystem and what doesn't.

Or maybe it would be better to add a --better-safe-than-sorry switch where you show the user the set of secrets that will be injected into the env of the command.

I just want to have a way where people don't yolo their secret injection. The filtering would've helped me personally, but maybe showing the user which secrets will be injected creates more awareness over the usage of doppler.

ryan-blunden commented 1 year ago

I see where you're coming from.

You could use doppler secrets --only-names to show the list of secrets supplied to a command.

You could also use doppler secrets get instead of doppler run to provide a reduced list of secrets:

API_KEY="$(doppler secrets get API_KEY --plain)" AUTH_TOKEN="$(doppler secrets get AUTH_TOKEN --plain)" ./bin/script.sh
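
Added example, not part of the thread and not Doppler's own code: the `doppler secrets get` workaround above, generalized to any number of names. With the inline `NAME="$(...)"` form a failed fetch still runs the command with an empty value, so this version aborts instead. `run_with_secrets` is a hypothetical helper name, and the upper-case name check is an assumption about how the secrets are named.

```sh
#!/bin/sh
# Usage: run_with_secrets NAME [NAME...] -- command [args...]
# The body is a subshell, so nothing is exported into the calling shell.
run_with_secrets() (
  names=""
  # Collect secret names up to the "--" separator.
  while [ "$#" -gt 0 ] && [ "$1" != "--" ]; do
    case "$1" in
      # Assumption: names are upper-case environment-style identifiers.
      ''|[!A-Z_]*|*[!A-Z0-9_]*)
        echo "invalid secret name: $1" >&2
        exit 2 ;;
    esac
    names="$names $1"
    shift
  done
  if [ -z "$names" ] || [ "$#" -lt 2 ]; then
    echo "usage: run_with_secrets NAME [NAME...] -- command [args...]" >&2
    exit 2
  fi
  shift  # drop "--"

  for name in $names; do
    # Stop before the command runs if any secret cannot be fetched.
    value="$(doppler secrets get "$name" --plain)" || {
      echo "could not fetch secret: $name" >&2
      exit 1
    }
    export "$name=$value"
  done
  unset value  # do not hand the last fetched value to the child by accident

  # The command inherits the caller's environment plus only the named secrets.
  "$@"
)
```

For example, `run_with_secrets API_KEY AUTH_TOKEN -- ./bin/script.sh` is equivalent to the one-liner above, except that it stops if either fetch fails.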