
[Feature request] Multiple admin-secret keys and secret key management


Currently, Hasura only allows 1 secret key as admin role.

This feature request suggests a tab on the console for an admin to add/edit/revoke more key-role pairs:

  • Key is the access_key
  • Role is the role.
  • (optional) Expired time (default is forever)

So, this will allow bypassing JWT authentication for a specific client.

The default admin-secret should be immutable and showable for the first admin only.

API usage:

Client needs to send header x-hasura-secret-key to access hasura.

Use case:

  • I have some 3rd party applications which need a key to access hasura.
  • A team could safely collaborate in the console with many roles: dev, database administrators, manager,… with each role having only specific permissions.

Related issue:

https://github.com/hasura/graphql-engine/issues/587

With this feature, hasura will eventually support console access for all roles.

Alternative solution:

We need a table secret_keys with the three columns above and a join table between secret_keys and the table you want to grant access to. And use secret_keys in permission settings.
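As an added illustration of the key/role/expiry model proposed above (this is not code from the issue or from Hasura), the following Python resolves a request's x-hasura-secret-key header against a constructed in-memory stand-in for the secret_keys table, handling revocation and expiry. Storing only a SHA-256 digest of each key, and the {"X-Hasura-Role": ...} answer shape of an auth webhook, are assumptions of this example.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

def _digest(key: str) -> str:
    # Assumption: only a digest of each key is stored, so a leaked table does not leak keys.
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed stand-in for the proposed secret_keys table: key, role, optional
# expiry (None = forever) plus a revoked flag so a key can be retired without deletion.
SECRET_KEYS = [
    {"key_hash": _digest("dev-key-EXAMPLE"), "role": "dev",
     "expires_at": None, "revoked": False},
    {"key_hash": _digest("dba-key-EXAMPLE"), "role": "dba",
     "expires_at": datetime(2019, 6, 1, tzinfo=timezone.utc), "revoked": False},
    {"key_hash": _digest("old-key-EXAMPLE"), "role": "manager",
     "expires_at": None, "revoked": True},
]

def resolve_role(headers: dict, now: Optional[str] = None) -> Optional[str]:
    """Map the x-hasura-secret-key header to a role; None if the key is unknown,
    revoked or expired. `now` is an ISO 8601 timestamp (defaults to the current time)."""
    current = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    presented = lowered.get("x-hasura-secret-key")
    if not presented:
        return None
    presented_hash = _digest(presented)
    matched = None
    # Compare against every row so the loop's timing does not reveal which keys exist;
    # compare_digest keeps each individual comparison constant-time.
    for row in SECRET_KEYS:
        if hmac.compare_digest(row["key_hash"], presented_hash):
            matched = row
    if matched is None or matched["revoked"]:
        return None
    if matched["expires_at"] is not None and current >= matched["expires_at"]:
        return None
    return matched["role"]

def session_variables(headers: dict, now: Optional[str] = None) -> Optional[dict]:
    """Build the role claim a webhook-style authorizer would return (assumed shape)."""
    role = resolve_role(headers, now)
    return None if role is None else {"X-Hasura-Role": role}
```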

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:60
  • Comments:10 (7 by maintainers)

Top GitHub Comments

4 reactions
mnlbox commented, Apr 12, 2019

@revskill10 I love your idea. Or maybe more general: if Hasura can support a simple user/password authentication and merge that with JWT or webhook, then admin users can use the builtin authentication feature. (I think this approach is more dynamic than the key/role approach, and we can still use one specific user/password rather than key/password for a specific client app.)

In that case we also need some new permissions for example called:

  • access_data_tab
  • access_graphql_tab
  • access_remote_schema_tab
  • access_trigger_tab

to restrict access to each part of the console app.

2 reactions
jasonmccallister commented, Apr 24, 2019

@revskill10 are you thinking more along the lines of allowing multiple admins their own specific keys to hit the API or console? I think that would be really useful: as people leave teams/companies, you only need to remove that user's admin key.

