Multiple Admin Secrets
Introduction
You can specify a list of admin secrets in GraphQL Engine which can be used to :
- Implement security mechanisms like rotating secrets
- Have different lifecycles for individual admin secrets e.g. temporarily give admin access to an operator
How to use
Multiple admin secrets can be provided in the env var HASURA_GRAPHQL_ADMIN_SECRETS which takes a list of admin
secrets,
For example:
["secret-1", "secret-2"]
When you launch the console from the Hasura Cloud or the Hasura EE Control Plane dashboard, you can use any secret from
the admin secrets list to authenticate yourself as an admin. If you want to make API calls as an admin from outside the
console, you need to pass any one of the admin secrets as the x-hasura-admin-secret request header.
If both HASURA_GRAPHQL_ADMIN_SECRET and HASURA_GRAPHQL_ADMIN_SECRETS are set, then only
HASURA_GRAPHQL_ADMIN_SECRETS will be used.
Rotating admin secrets (self-hosted environments)
When you have a self-hosted Hasura EE setup, you can use this feature to implement a secret rotation mechanism without downtime as outlined below:
- Add a new secret to the list of admin secrets (and perform a rolling deploy)
- Update applications/services using the old admin secret to use the new secret
- Remove the old secret from the admin secret list (and perform a rolling deploy)
Note that a rolling deploy ensures that there is at least one service which is active.
