Change username and password for Prisma demo server database


#1

I have deployed to a Prisma demo server using the default username and password. Does that mean anyone who knows the default username and password can access my demo database? I’m storing live data there (not much traffic, but still live data), and I want to make sure it’s still secured. If anyone can access my database, then how do I change the username and password?


#2

Hi,

Demo servers should not be used for ANY production use; they are wide open.

You should spin up a free Heroku server from our dashboard. It is free, it is wholly yours, and our dashboard makes it easy to set up. Head here --> app.prisma.io


#3

I understand, thank you. This was not explained anywhere in the documentation that I could find. The only limitations described in the documentation for demo servers are rate limiting and storage, nothing about the data being wide open and the servers unable to be secured. That’s a big limitation that should be clearly explained.


#4

Hey @jordan.michael.last,

as @pantharshit00 pointed out here, you can use a service secret to secure your Prisma API on a Demo server.

Thus, your data can be protected and is not available to anyone with access to your endpoint.

Hope that helps, let us know if you have any further questions! :slight_smile:


#5

Hey, @nikolas has said something entirely different to what you said? Can you confirm that he is correct? I’m not quite sure who to believe here, as you both seem to be speaking with authority. Thanks guys!


#6

Hi @jordan.michael.last ,

I am sorry that you got a bit confused by our replies. Let me make this clear:

Prisma has two kinds of secrets:

  1. managementApiSecret: This secret controls the cluster and handles all kinds of service deployment in the cluster. THIS WILL NOT SECURE YOUR DATA. This secret ensures that no one can deploy into your cluster. Since demo servers are open for everyone, we can’t have this secret in them, as then no one would be able to deploy to demo servers. This secret is defined in your docker-compose.yml, which is not required for Prisma demo servers. Imagine this secret as your server’s password: anyone that has it can deploy to your server.

  2. service secret: This secret is defined in the prisma.yml file, and this is the one responsible for securing the data of your service. You can define this on demo servers too and it will work fine. Without this secret no one can access the data of your service. Also add this secret to your application-layer server so that it will be able to access the data. Imagine this secret as your database password: whoever has it can access your db. I can confirm that you can use this on demo servers and no one will be able to access your data :smile:

I apologise for creating the confusion, but I would still recommend not using demo servers for production, as they are heavily rate limited. You can use prisma export and import to transfer the data to another cluster easily.

@nikolas We should have a detailed section about secrets in the docs. Many people seem to get confused in this regard.
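
The service-secret mechanism described in #6, as an added example that is not part of the thread and not Prisma's own code: the application layer signs a short-lived token with the secret from prisma.yml, and a request is accepted only if its token verifies against that same secret. The claim layout, function names, service name and sample secret are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const mac = (secret, data) => createHmac('sha256', secret).update(data).digest();

// Application layer: sign an HS256 token with the service secret
// (the `secret:` value in prisma.yml). Claim layout is assumed.
function signServiceToken(secret, service, ttl = 3600, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ data: { service }, iat: now, exp: now + ttl }));
  const sig = mac(secret, `${header}.${payload}`).toString('base64url');
  return `${header}.${payload}.${sig}`;
}

// Model of the API-side check: pin the algorithm, recompute the MAC,
// compare in constant time, then check expiry and the service name.
function verifyServiceToken(token, secret, service, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, sig] = parts;
  let hdr, claims;
  try {
    hdr = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  if (!hdr || hdr.alg !== 'HS256') return { ok: false, reason: 'bad alg' };
  const expected = mac(secret, `${header}.${payload}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= now) {
    return { ok: false, reason: 'expired' };
  }
  if (!claims.data || claims.data.service !== service) {
    return { ok: false, reason: 'wrong service' };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample values; in practice the secret comes from the
// environment of the application server, never from source control.
const demoSecret = process.env.PRISMA_SECRET || 'constructed-sample-secret';
const demoToken = signServiceToken(demoSecret, 'demo-service@dev', 300);
console.log(verifyServiceToken(demoToken, demoSecret, 'demo-service@dev'));
console.log(verifyServiceToken(demoToken, 'someone-elses-guess', 'demo-service@dev'));
```

Knowing the endpoint URL alone is not enough to produce a token that passes this check; the secret is the only thing separating the data from other users of the shared demo server, so it should be long, random and rotated if it leaks.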

