Skip to main content
Version: v2.x

Multiple Admin Secrets

Introduction

You can specify a list of admin secrets in GraphQL Engine which can be used to :

  1. Implement security mechanisms like rotating secrets
  2. Have different lifecycles for individual admin secrets e.g. temporarily give admin access to an operator

How to use

Multiple admin secrets can be provided in the env var HASURA_GRAPHQL_ADMIN_SECRETS which takes a list of admin secrets,

For example:

["secret-1", "secret-2"]

When you launch the console from the Hasura Cloud dashboard, you can use any secret from the admin secrets list to authenticate yourself as an admin. If you want to make API calls as an admin from outside the console, you need to pass any one of the admin secrets as the x-hasura-admin-secret request header.

Note

If both HASURA_GRAPHQL_ADMIN_SECRET and HASURA_GRAPHQL_ADMIN_SECRETS are set, then only HASURA_GRAPHQL_ADMIN_SECRETS will be used.

Rotating admin secrets (Self-hosted environments)

When you have a self-hosted Hasura EE setup, you can use this feature to implement a secret rotation mechanism without downtime as outlined below:

  1. Add a new secret to the list of admin secrets (and perform a rolling deploy)
  2. Update applications/services using the old admin secret to use the new secret
  3. Remove the old secret from the admin secret list (and perform a rolling deploy)

Note that a rolling deploy ensures that there is atleast one service which is active.