Question

Error with doctl: secret env value must not be encrypted before app is created

Posted December 26, 2021 100 views
Security, DigitalOcean API and CLI (doctl)

I am receiving the following error when doing a subsequent deployment through doctl:

    errors validating app spec; first error in field "envs.0.value": secret env value must not be encrypted before app is created

This is the command:

    doctl apps create --upsert --spec app-spec.yml --wait --verbose

Version: 1.68.0

Here is the relevant section of the app-spec.yml file:

    envs:
      - key: DISCORD_BOT_TOKEN
        scope: RUN_AND_BUILD_TIME
        type: SECRET
        value: <REDACTED>

I have tried multiple approaches (wondering if I did something wrong), and I am getting the error no matter what.

Approach 1:

  • Deploy app and components using doctl
  • Define app-level and component-level environment variables (encrypted)
  • Download app-spec.yml from the app settings and paste into local file
  • Deploy again -> error

Approach 2:

  • Deploy app and components using doctl. Secrets are unencrypted in the app-spec.yml
  • Download app-spec.yml from the app settings and paste into local file
  • Deploy again -> error

I have read the documentation and community questions, and it seems that I am doing this correctly.
e.g. https://www.digitalocean.com/community/questions/how-to-use-environment-values-of-type-secret-on-following-submissions

> As you make updates to your app spec, if you don’t intend to change those encrypted values, then you should just submit with the in-place encrypted values unchanged.

What is the correct approach to this? If there is an issue with the DOAP, is there a temporary workaround?
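
Added example, not part of the original post and not DigitalOcean's code: a pre-flight check over the spec that reports which SECRET values would hit the validation error quoted above if the upsert ends up creating the app, and which are still plaintext in the file. The `EV[1:...]` shape for encrypted values and the caller-supplied `app_exists` flag are assumptions, and the sample spec is constructed.

```python
import re

# Assumption: an encrypted secret is rendered as "EV[<version>:<nonce>:<ciphertext>]".
# The post redacts the value, so this shape is not taken from the page.
ENCRYPTED = re.compile(r"^EV\[\d+:[^\]]+\]$")
LINE = re.compile(r"^(\s*)(-\s+)?([\w.]+):\s*(.*?)\s*$")

ON_CREATE = "encrypted value on create path: rejected by spec validation"
PLAINTEXT = "plaintext secret in spec file: keep it out of version control"

def secret_envs(spec_text):
    """Return (key, value) for each list item with type: SECRET.

    Minimal line parser for the flat key/scope/type/value entries shown in
    the post; it is not a general YAML parser.
    """
    entries, current, item_indent = [], None, -1
    for line in spec_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        indent, dash, name, raw = m.groups()
        if dash:                                # "- " opens a new list item
            current, item_indent = {}, len(indent)
            entries.append(current)
        elif len(indent) <= item_indent:        # dedent: the item has ended
            current = None
        if current is not None:
            current[name] = raw.strip("'\"")
    return [(e.get("key"), e.get("value", ""))
            for e in entries if e.get("type") == "SECRET"]

def preflight(spec_text, app_exists):
    """Map env key -> finding to resolve before `doctl apps create --upsert`."""
    findings = {}
    for key, value in secret_envs(spec_text):
        if ENCRYPTED.match(value):
            if not app_exists:                  # create rejects encrypted values
                findings[key] = ON_CREATE
        elif value:
            findings[key] = PLAINTEXT
    return findings

# Constructed sample spec; both secret values are made up.
SAMPLE_SPEC = """\
name: sample-bot
envs:
  - key: DISCORD_BOT_TOKEN
    scope: RUN_AND_BUILD_TIME
    type: SECRET
    value: EV[1:bm9uY2U=:Y2lwaGVydGV4dA==]
  - key: API_KEY
    type: SECRET
    value: "plain-text-example"
  - key: LOG_LEVEL
    value: debug
"""
```
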
