Feedback on Secrets Handling – Too Much Repetition, Error-Prone
Hi Kamal team 👋
First of all, thank you for the amazing work on Kamal. It’s a powerful tool that brings the simplicity of Capistrano-style deployments to the container world. The developer experience overall is great, and it’s impressive how much has been streamlined with just a few YAML files.
That said, I’d like to raise a concern about the current approach to managing secrets.
In particular, the .kamal/secrets script ends up being extremely repetitive and verbose, especially when using external secret providers like Doppler. For example, I have to run kamal secrets extract for every single variable:
```sh
SECRETS=$(kamal secrets fetch --adapter doppler --from myproject/production VAR1 VAR2 VAR3 ...)
VAR1=$(kamal secrets extract VAR1 $SECRETS)
VAR2=$(kamal secrets extract VAR2 $SECRETS)
VAR3=$(kamal secrets extract VAR3 $SECRETS)
...
```
This repetition is not only tedious but also increases the risk of human error. If you forget to extract one of the variables, your deployment or accessory config might fail in non-obvious ways. It's also hard to keep the .kamal/secrets file in sync with all the references in deploy.yml.
Suggestion: Could we have a more concise or declarative way to map secrets from a provider into environment variables, perhaps automatically injecting all fetched secrets into the environment by default? Or maybe support a batch extraction with kamal secrets extract-all that can populate ENV directly?
Again, thanks for the awesome tool — just hoping to see the secrets workflow made as elegant as the rest of Kamal.
Best regards, Camilo
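As an added example (not Kamal's own code and not from this thread): a small drift check that compares the secret names deploy.yml references under its `env: secret:` lists against the names `.kamal/secrets` actually assigns, so a forgotten `kamal secrets extract` line is reported before the deploy instead of surfacing as a non-obvious failure. It assumes Kamal's `env: secret:` list layout; both file contents below are constructed samples.

```python
import re

# Constructed sample deploy.yml: secrets referenced by the app env and by an accessory.
DEPLOY_YML = """\
service: myapp
env:
  secret:
    - RAILS_MASTER_KEY
    - DATABASE_URL
accessories:
  db:
    env:
      secret:
        - POSTGRES_PASSWORD
"""

# Constructed sample .kamal/secrets: one fetch, one extract per variable, POSTGRES_PASSWORD forgotten.
KAMAL_SECRETS = """\
SECRETS=$(kamal secrets fetch --adapter doppler --from myproject/production RAILS_MASTER_KEY DATABASE_URL POSTGRES_PASSWORD)
RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY $SECRETS)
DATABASE_URL=$(kamal secrets extract DATABASE_URL $SECRETS)
"""

NAME = r"[A-Za-z_][A-Za-z0-9_]*"  # shell/dotenv variable name

def referenced_secrets(deploy_yml: str) -> set[str]:
    """Every name listed under a `secret:` key, at any nesting level (indentation-based scan)."""
    names, block_indent = set(), None
    for line in deploy_yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is not None:
            item = re.match(rf"\s*-\s*({NAME})\s*$", line)
            if item and indent >= block_indent:
                names.add(item.group(1))
                continue
            block_indent = None  # any non-item line closes the list
        if re.match(r"\s*secret:\s*$", line):
            block_indent = indent
    return names

def assigned_secrets(kamal_secrets: str) -> set[str]:
    """Names the dotenv-style .kamal/secrets assigns, excluding the fetched SECRETS blob itself."""
    return set(re.findall(rf"^({NAME})=", kamal_secrets, flags=re.MULTILINE)) - {"SECRETS"}

def missing_secrets(deploy_yml: str, kamal_secrets: str) -> set[str]:
    """Secrets deploy.yml references that .kamal/secrets never extracts; non-empty means a broken deploy."""
    return referenced_secrets(deploy_yml) - assigned_secrets(kamal_secrets)
```

Running `missing_secrets` on the two sample files reports `POSTGRES_PASSWORD`, the accessory secret whose extract line was left out; an empty set means the two files are in sync.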
The extraction method is like it is for two reasons:
- For some providers fetching secrets can be slow, so we need a way to fetch them all in one call
- Using an env file (via the dotenv gem), there's no way to set multiple env variables at once
So there's no easy way to fix this other than abandoning the dotenv file format.