Securing the GraphQL endpoint (Kubernetes)
To make sure that your GraphQL endpoint and the Hasura console are not publicly accessible, you need to configure an admin secret key.
Add the HASURA_GRAPHQL_ADMIN_SECRET env var
Update the deployment.yaml to set the HASURA_GRAPHQL_ADMIN_SECRET environment variable.
 ...
 spec:
    containers:
      ...
      command: ["graphql-engine"]
      args: ["serve", "--enable-console"]
      env:
      - name: HASURA_GRAPHQL_DATABASE_URL
        value: postgres://username:password@hostname:port/dbname
      - name: HASURA_GRAPHQL_ADMIN_SECRET
        value: mysecretkey
      ports:
      - containerPort: 8080
        protocol: TCP
      resources: {}
Note
The HASURA_GRAPHQL_ADMIN_SECRET should never be passed from the client to the Hasura GraphQL engine as it would
give the client full admin rights to your Hasura instance. See Authentication & Authorization for information on
setting up authentication.
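A literal value in deployment.yaml is readable by anyone who can read the manifest or the Deployment object. The following added example (not part of the original page) keeps the admin secret in a Kubernetes Secret and references it with secretKeyRef; the Secret name hasura-secrets, the key admin-secret and the placeholder value are assumptions.

```yaml
# Added example. "hasura-secrets" and "admin-secret" are assumed names.
apiVersion: v1
kind: Secret
metadata:
  name: hasura-secrets
type: Opaque
stringData:
  # Placeholder: replace with a long, randomly generated value.
  admin-secret: "REPLACE_WITH_LONG_RANDOM_VALUE"
---
# Fragment of deployment.yaml: the container's env section.
# Before (value stored in the manifest itself):
#       - name: HASURA_GRAPHQL_ADMIN_SECRET
#         value: mysecretkey
# After (value resolved from the Secret when the pod starts):
      env:
      - name: HASURA_GRAPHQL_DATABASE_URL
        # This URL also embeds a password and can be moved to the
        # same Secret with another secretKeyRef entry.
        value: postgres://username:password@hostname:port/dbname
      - name: HASURA_GRAPHQL_ADMIN_SECRET
        valueFrom:
          secretKeyRef:
            name: hasura-secrets
            key: admin-secret
```

Keep the Secret manifest out of version control and restrict read access to Secrets in the namespace with RBAC, since anyone who can read the Secret holds full admin rights to the Hasura instance.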
(optional) Use the admin secret key with the CLI
In case you’re using the CLI to open the Hasura console, use the admin-secret flag when you open the console:
hasura console --admin-secret=mysecretkey