No API keys per environment in Graph Manager. How do you secure things?

January 31, 2020 at 8:53pm

In Graph Manager, you define a graph and can have multiple variants for different environments. While a graph can be secured by an API key, variants cannot. This means anyone on the team can see the API key for the graph and push updates to the production environment.
We are used to the practice of using different API keys to help secure different environments. We can then limit the people and processes that have access to those keys. But in Graph Manager, the key is there and visible to anyone with access to Graph Manager, so this doesn't really work.
What is the best practice here for securing changes around environments/variations? How do you keep keys secure so anyone on the team can't just log onto Graph Manager and grab them? Especially because we want the observability that Graph Manager provides to the team.

January 31, 2020 at 10:43pm
Hi Russell! There's no current way to do this, but we are well aware of the user need here and it's something on our priority list.

February 3, 2020 at 3:18pm
Is there a roadmap or ETA on this? Just trying to prioritize our work around GraphQL and wondering if we'll see something in 2020 around this.

September 3, 2020 at 6:31pm
Hi (russell-shurts), circling back here: we just released user roles and permissions in our system, which is the first step in our path to doing this. The plan is to get to graph-level user permissions next, and then read-only keys that are variant specific after that. I think we will get to graph-level user permission by the end of 2020 for sure, but I'm not sure if read-only variant keys will make it to the Q4 list because we have a few other impending priorities ahead of that. I hope it does though!