Multiple Admin Secrets
Introduction
You can specify a list of admin secrets in GraphQL Engine which can be used to :
- Implement security mechanisms like rotating secrets
- Have different lifecycles for individual admin secrets e.g. temporarily give admin access to an operator
How to use
Multiple admin secrets can be provided in the env var HASURA_GRAPHQL_ADMIN_SECRETS which takes a list of admin
secrets,
For example:
["secret-1", "secret-2"]
When you launch the Console from the Hasura Cloud or the Hasura Enterprise Edition Control Plane dashboard, you can use
any secret from the admin secrets list to authenticate yourself as an admin. If you want to make API calls as an admin
from outside the console, you need to pass any one of the admin secrets as the x-hasura-admin-secret request header.
If both HASURA_GRAPHQL_ADMIN_SECRET and HASURA_GRAPHQL_ADMIN_SECRETS are set, then only
HASURA_GRAPHQL_ADMIN_SECRETS will be used.
Rotating admin secrets
You can use this feature to implement a secret rotation mechanism without downtime as outlined below:
- Add a new secret to the list of admin secrets
- Update applications/services using the old admin secret to use the new secret
- Remove the old secret from the admin secret list
Note that for self-hosted Hasura, you would need to perform a rolling deployment whenever you are updating the environment variables (to ensure no downtime).
