Feature: Make it possible to reference secrets from other projects #32

Closed
vmatsiiako opened this issue Nov 25, 2022 · 5 comments
Labels
🚀 feature request New feature or request

Comments

@vmatsiiako
Contributor

Describe the feature

It would be nice to reference secrets from other projects

Additional context

Not sure how it would work if other people are not part of a certain project

@vmatsiiako vmatsiiako added the 🚀 feature request New feature or request label Nov 25, 2022
@vmatsiiako
Contributor Author

@Icaruk what would you say is the main use case for this? Why do you usually need to reference secrets from other projects?

@Icaruk

Icaruk commented Nov 25, 2022

@Icaruk what would you say is the main use case for this? Why do you usually need to reference secrets from other projects?

email_secrets:

  • EMAIL_USER: ****
  • EMAIL_PASS: ****

api_secrets:

  • EMAIL_USER: ${email_secrets.EMAIL_USER}
  • EMAIL_PASS: ${email_secrets.EMAIL_PASS}

worker_secrets:

  • EMAIL_USER: ${email_secrets.EMAIL_USER}
  • EMAIL_PASS: ${email_secrets.EMAIL_PASS}

Easy to change or rotate shared passwords, tokens, etc...

@Icaruk

Icaruk commented Nov 25, 2022

Not sure how it would work if other people are not part of a certain project

Maybe just allow to reference projects you have access to.

@Grraahaam
Contributor

Here's an explanation about some use cases I've made in DM on Slack:

Allowing us to edit one secret in a "global" project, and child projects will automatically point to that new value.
Here's how the "global" project works (at least how I'm using it):

# global project (dev config, rbac to only admin/authorized members)
API_STRIPE_URL=https://api.stripe.com/v1
API_STRIPE_KEY=xxxxxxxxxx-xxxxx-xxxxxxxx
PROJECT_CONFIG=dev

# A project (env names can be different, as long as the reference points to the correct secret)
STRIPE_URL=${global.dev.API_STRIPE_URL}
STRIPE_SECRET=${global.dev.API_STRIPE_KEY}
OTHER_VAR=foobar

# B project
API_URL=${global.dev.API_STRIPE_URL}
API_SECRET=${global.dev.API_STRIPE_KEY}
APP_ENV=${global.dev.PROJECT_CONFIG}
OTHER_VAR=foobar

Not tested yet on Doppler. Scoping developers' permissions to only given configs/environments secrets, so we could grant them read-only access to given config/environment to only fetch referenced secrets from projects where they're authorized (read-only).

Suggestion: user Bob has read-only permission on the "global" project, but only for the dev config/environment:

# global project (dev config, rbac to only admin/authorized members)
# bob : read-only
API_STRIPE_URL=https://api.stripe.com/v1
API_STRIPE_KEY=dev-xxxxxxx-xxxxx-xxxxxxxx
PROJECT_CONFIG=dev

# global project (stg config, rbac to only admin/authorized members)
# bob : no permissions
API_STRIPE_URL=https://api.stripe.com/v1
API_STRIPE_KEY=stg-xxxxxxx-xxxxx-xxxxxxxx
PROJECT_CONFIG=stg

# A project (dev config)
# bob : can fetch the referenced secrets and override those values locally if needed
STRIPE_URL=${global.dev.API_STRIPE_URL}
STRIPE_SECRET=${global.dev.API_STRIPE_KEY}
OTHER_VAR=foobar

# A project (dev config, if bob wants to try to get the stg/prd secrets)
# bob : can't fetch the referenced secrets but can still override those values locally if needed
STRIPE_URL=${global.stg.API_STRIPE_URL} # empty (can't access)
STRIPE_SECRET=${global.stg.API_STRIPE_KEY} # empty (can't access)
OTHER_VAR=foobar # can access

I hope those text schemas are clear enough, let me know if you'd prefer a visual diagram ✌️
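A small resolver for the scoped-reference behaviour sketched in the comment above, added here as an illustration and not code from this project: it expands `${project.config.KEY}` references, yields an empty value for any reference the user has no read grant on (or that does not exist), and returns each denial so the caller can audit-log it rather than silently receive "". The store, the grants and the `resolve` function are all constructed for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample store: project -> config/environment -> secrets.
# Values are placeholders, not real credentials.
STORE = {
    "global": {
        "dev": {"API_STRIPE_URL": "https://api.stripe.com/v1",
                "API_STRIPE_KEY": "dev-placeholder", "PROJECT_CONFIG": "dev"},
        "stg": {"API_STRIPE_URL": "https://api.stripe.com/v1",
                "API_STRIPE_KEY": "stg-placeholder", "PROJECT_CONFIG": "stg"},
    },
}

# Constructed read-only grants: user -> set of (project, config) pairs.
GRANTS: Dict[str, Set[Tuple[str, str]]] = {"bob": {("global", "dev")}}

# Reference syntax used in the thread: ${project.config.KEY}
REF = re.compile(r"\$\{([\w-]+)\.([\w-]+)\.(\w+)\}")


def resolve(config: Dict[str, str], user: str,
            max_depth: int = 5) -> Tuple[Dict[str, str], List[str]]:
    """Expand references in `config` on behalf of `user`.

    Unauthorized or missing references become "" and are listed in `denied`.
    Expansion repeats up to `max_depth` times so a referenced value that itself
    holds a reference is resolved, while a cycle cannot loop forever.
    """
    denied: List[str] = []

    def lookup(m: "re.Match[str]") -> str:
        project, cfg, key = m.groups()
        # Permission check comes first: no read grant, no value, no leak of existence.
        if (project, cfg) not in GRANTS.get(user, set()):
            denied.append(f"{user} denied {project}.{cfg}.{key}")
            return ""
        value = STORE.get(project, {}).get(cfg, {}).get(key)
        if value is None:
            denied.append(f"{project}.{cfg}.{key} not found")
            return ""
        return value

    out = dict(config)
    for _ in range(max_depth):
        expanded = {k: REF.sub(lookup, v) for k, v in out.items()}
        if expanded == out:
            break
        out = expanded
    return out, denied
```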

@akhilmhdh
Member

akhilmhdh commented Aug 6, 2023

With the release of Secret Reference, you can now reference a secret from the same environment, another environment, or another folder.

Closing this issue as it's now been resolved.

4 participants