Rotate database credentials on Heroku Postgres
- Last Updated: July 18, 2012
When was the last time you rotated your database credentials? Is it possible
that an old colleague still has access to your data? Or perhaps your
credentials were accidentally leaked in a screenshot. There are many reasons
to rotate your credentials regularly.
We now support the ability to easily reset your database credentials, and it is
as simple as running the following on your command line:
heroku pg:credentials:rotate HEROKU_POSTGRESQL_COLOR --app your-app
When you issue the above command, new credentials will be created for your
database, and we will update the related config vars on your Heroku
application. However, on production databases (Crane and up) we don't remove
the old credentials immediately. Instead, we wait until all connections using
the old credentials are dropped, and only then do we remove them. We wanted to
make sure that any background jobs or other workers running on your production
environment aren't abruptly terminated, potentially leaving the system in an
inconsistent state.
Along with this change, we are removing credentials from the output of
heroku pg:info, as we've seen that it has the most potential for
credential leaking. To view connection information for your Heroku Postgres
database, you must now ask for it explicitly by running heroku pg:credentials.
Both of these commands are available on all
Heroku Postgres plans.
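A scripted version of the rotation above, as an added example that is not Heroku's own code: it compares the connection URL before and after `heroku pg:credentials:rotate` and logs only a hash prefix, never the credential itself. The function names are hypothetical, and it assumes the database's config var is named `HEROKU_POSTGRESQL_COLOR_URL` and that `sha256sum` is installed.

```shell
# Added example (not Heroku's code). fingerprint and rotate_and_verify are
# hypothetical helper names; the app and database names are placeholders.

# SHA-256 of a value, so two secrets can be compared or logged without
# the secret itself ever reaching the terminal or a log file.
fingerprint() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Usage: rotate_and_verify your-app HEROKU_POSTGRESQL_COLOR
# Returns 0 if the config var changed, 1 if it did not, 2 on a CLI error.
rotate_and_verify() {
    app=$1
    db=$2

    # Assumption: the connection URL lives in the config var "<db>_URL".
    before=$(heroku config:get "${db}_URL" --app "$app") || return 2
    if [ -z "$before" ]; then
        echo "no ${db}_URL config var set on $app" >&2
        return 2
    fi

    heroku pg:credentials:rotate "$db" --app "$app" || return 2

    after=$(heroku config:get "${db}_URL" --app "$app") || return 2
    if [ "$(fingerprint "$before")" = "$(fingerprint "$after")" ]; then
        echo "rotation did NOT change ${db}_URL on $app" >&2
        return 1
    fi

    # Log a short hash prefix only; enough to tell credentials apart later.
    echo "rotated ${db}_URL on $app, new fingerprint $(fingerprint "$after" | cut -c1-12)"
}
```

On production databases the old credentials remain valid until their connections drop, so a successful return here means the config var was updated, not that the old credentials are already gone.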