Cannot set Integration Environment Variables to Sensitive

We are currently trying to follow Vercel’s recommendations after the recent security incident, especially around protecting secrets more strictly.

Our setup is the following:

  • We manage our environment variables in Doppler
  • We use the Vercel <> Doppler integration to sync those environment variables from Doppler to Vercel
  • In Doppler, those variables are configured as Restricted and are not visible there

However, after syncing them to Vercel, they appear as visible on click in the Vercel dashboard.

When we try to edit those environment variables in Vercel and mark them as Sensitive, we get this error:

You cannot change the type of an integration environment variable to sensitive

So the issue is: even though the secrets are protected in Doppler, once synced to Vercel we cannot make them Sensitive there, because they are managed by the integration.

Our questions are:

  1. Is this the expected behavior?
  2. Is there any supported way to keep Doppler as the source of truth and still have those synced variables treated as Sensitive in Vercel?
  3. If not, could this be supported as a feature request?

It would be useful if either:

  • integrations could create environment variables as Sensitive by default, or
  • Vercel allowed changing integration-managed variables to Sensitive without breaking the integration

Thanks.

2 Likes

Thanks for reporting, our integrations team is actively working on this feature but since it involves adding support for each third party, we can’t give an immediate ETA for when it will be enabled on the Doppler integration

In the meantime, the fastest workaround to de-sync is to use vercel env pull .env.temp to pull non-sensitive env vars into a file, then you can copy/paste them into the “add new environment variable” flow and mark as sensitive

This isn’t ideal since doppler will no longer be the source of truth, but hopefully it’s acceptable as a stop-gap until we have the proper feature shipped

2 Likes