diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env
index 0913f61746..fe821f22b7 100644
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
@@ -90,7 +90,8 @@ GCE_PARALLEL="${PARALLEL_TESTS:-4}"
 # Use the "@PROTO@" "@ARCH@", "@CHANNEL@" and "@VERNUM@" placeholders. They will
 # be replaced.
 DO_IMAGE_URL="${DEFAULT_HTTP_IMAGE_URL_TEMPLATE}/flatcar_production_digitalocean_image.bin.bz2"
-DO_CONFIG_FILE='do-token.json'
 DO_REGION='sfo3'
 DO_MACHINE_SIZE='s-2vcpu-2gb'
 DO_PARALLEL='8'
+# DIGITALOCEAN_TOKEN_JSON env var is used for credentials, and should
+# come from sdk_container/.env
diff --git a/ci-automation/ci_automation_common.sh b/ci-automation/ci_automation_common.sh
index c6a1a90f35..35a9c93bc5 100644
--- a/ci-automation/ci_automation_common.sh
+++ b/ci-automation/ci_automation_common.sh
@@ -273,3 +273,19 @@ function url_from_template() {
 echo "${url}"
 }
 # --
+
+# Puts a secret into a file, while trying for the secret to not end up
+# on a filesystem at all. Prints a path to a file with the secret in
+# /proc.
+function secret_to_file() {
+ local secret="${1}"; shift
+ local tmpfile=$(mktemp)
+ local fd
+
+ exec {fd}<>"${tmpfile}"
+ rm -f "${tmpfile}"
+ echo "${secret}" >&${fd}
+
+ echo "/proc/${$}/fd/${fd}"
+}
+# --
diff --git a/ci-automation/vendor-testing/digitalocean.sh b/ci-automation/vendor-testing/digitalocean.sh
index f15377ac0f..bbfa8ac344 100755
--- a/ci-automation/vendor-testing/digitalocean.sh
+++ b/ci-automation/vendor-testing/digitalocean.sh
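Review bot: In ci_automation_common.sh, `secret_to_file` opens its descriptor in whichever process executes it, yet the path it prints is built from `${$}`, which always expands to the top-level shell's PID. digitalocean.sh calls it as `$(secret_to_file ...)`, so the `exec {fd}<>` happens in a command-substitution subshell: the descriptor closes when the substitution returns, the already-unlinked file goes with it, and the parent shell never held that fd number, so `ore` is handed a path that does not lead to the token. Returning the path through a nameref out-parameter (the call site becomes `secret_to_file config_file "${DIGITALOCEAN_TOKEN_JSON}"`) keeps the descriptor in the calling shell, and `${BASHPID}` names the process that actually owns it. The sketch below also splits `local tmpfile` from `$(mktemp)` so a failed mktemp is not masked by `local`, and writes with `printf` so the secret is emitted verbatim; `local -n` assumes bash 4.3 or newer, which should be confirmed for the CI image.

```shell
function secret_to_file() {
    local -n path_ref="${1}"; shift  # name of the caller's variable that receives the path
    local secret="${1}"; shift
    local tmpfile fd

    tmpfile="$(mktemp)" || return 1
    exec {fd}<>"${tmpfile}"
    rm -f -- "${tmpfile}"
    printf '%s\n' "${secret}" >&"${fd}"

    # BASHPID is the process that holds the descriptor, even inside a subshell.
    path_ref="/proc/${BASHPID}/fd/${fd}"
}
```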
@@ -25,15 +25,17 @@ fi
 image_name="ci-${CIA_VERNUM//+/-}"
 image_url="$(url_from_template "${DO_IMAGE_URL}" "${CIA_ARCH}" "${CIA_CHANNEL}" 'https' "${CIA_VERNUM}")"
+config_file="$(secret_to_file "${DIGITALOCEAN_TOKEN_JSON}")"
+
 ore do create-image \
- --config-file="${DO_CONFIG_FILE}" \
+ --config-file="${config_file}" \
 --region="${DO_REGION}" \
 --name="${image_name}" \
 --url="${image_url}"
 trap 'ore do delete-image \
 --name="${image_name}" \
- --config-file="${DO_CONFIG_FILE}"' EXIT
+ --config-file="${config_file}"' EXIT
 set -x
@@ -42,7 +44,7 @@ timeout --signal=SIGQUIT 4h\
 --do-size="${DO_MACHINE_SIZE}" \
 --do-region="${DO_REGION}" \
 --basename="${image_name}" \
- --do-config-file="${DO_CONFIG_FILE}" \
+ --do-config-file="${config_file}" \
 --do-image="${image_name}" \
 --parallel="${DO_PARALLEL}" \
 --platform=do \
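Review bot: The new `config_file="$(secret_to_file "${DIGITALOCEAN_TOKEN_JSON}")"` line in the first digitalocean.sh hunk uses the variable without checking that it is set and non-empty, and whether the script runs under `set -u` is not visible from here. With the variable missing, an empty credentials file is produced and the failure only surfaces later inside `ore do create-image`, and again in the EXIT trap, as an unrelated-looking error. A guard placed just above the assignment, `: "${DIGITALOCEAN_TOKEN_JSON:?must be provided via sdk_container/.env}"`, fails fast and reports only the variable name, never its value. The assignment currently sits before `set -x`, which keeps the token out of the trace output; a short comment such as `# must stay above 'set -x' so the token is never traced` would stop a later reorder from leaking it into CI logs.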