Rotate database credentials on Heroku Postgres
July 17, 2012 by Harold Giménez
When was the last time you rotated your database credentials? Is it possible that an old colleague still has access to your data? Or perhaps the credentials have been accidentally leaked in a screenshot. There are many reasons to rotate your credentials regularly.
We now support the ability to easily reset your database credentials, and it is as simple as running the following on your command line:
heroku pg:credentials HEROKU_POSTGRESQL_COLOR --reset --app your-app
When you issue the above command, new credentials will be created for your database, and we will update the related config vars on your Heroku application. However, on production databases (crane and up) we don't remove the old credentials immediately. Instead, we wait until all connections using the old credentials are dropped, and only then do we remove them. We wanted to make sure that any background jobs or other workers running on your production environment aren't abruptly terminated, potentially leaving the system in an inconsistent state.
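The two-phase pattern described above (issue new credentials and hand them to the app, retire the old ones only once no session still uses them) is the interesting part, so here is an added example of the same grace-period rotation on a self-managed Postgres database. This is illustrative code written for this post, not Heroku's implementation and not the Heroku CLI: the role names, the `pg_stat_activity` sample rows, and the `ALTER ROLE ... NOLOGIN` step that blocks new logins with the old credentials while existing sessions drain are all assumptions of the example.

```python
"""Grace-period credential rotation for a Postgres database (illustrative).

Phase 1 (issue): create a new login role with equivalent access, hand the new
URL to the application (the config var update in Heroku's case), and stop new
logins with the old role.
Phase 2 (retire): drop the old role only when pg_stat_activity shows no
session still authenticated as it, so running workers are not cut off.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import quote


@dataclass(frozen=True)
class Session:
    """One row of pg_stat_activity, reduced to the columns the check needs."""
    pid: int
    usename: str   # role the session authenticated as
    state: str     # 'active', 'idle', 'idle in transaction', ...


def quote_ident(name):
    """Double-quote an SQL identifier (role, database, schema)."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    """Single-quote an SQL string literal (the password in CREATE ROLE)."""
    return "'" + value.replace("'", "''") + "'"


def new_credentials(prefix="u"):
    """Random role name and password drawn from the OS CSPRNG."""
    return prefix + secrets.token_hex(7), secrets.token_urlsafe(32)


def issue_statements(dbname, old_role, new_role, password, schema="public"):
    """Phase 1 SQL: new role, same access, old role can no longer log in."""
    db, old, new = quote_ident(dbname), quote_ident(old_role), quote_ident(new_role)
    sch = quote_ident(schema)
    return [
        f"CREATE ROLE {new} WITH LOGIN PASSWORD {quote_literal(password)};",
        f"GRANT CONNECT ON DATABASE {db} TO {new};",
        f"GRANT ALL PRIVILEGES ON SCHEMA {sch} TO {new};",
        f"GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA {sch} TO {new};",
        f"GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA {sch} TO {new};",
        f"REASSIGN OWNED BY {old} TO {new};",
        # Existing sessions keep running; only *new* logins with the old
        # credentials are refused from this point on (assumed hardening step).
        f"ALTER ROLE {old} NOLOGIN;",
    ]


def database_url(host, port, dbname, user, password):
    """Connection URL for the application config, with user/password escaped."""
    return (f"postgres://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{dbname}")


def sessions_on(old_role, sessions):
    """Sessions in pg_stat_activity still authenticated as the old role."""
    return [s for s in sessions if s.usename == old_role]


def can_retire(old_role, sessions):
    """True only when nothing is connected as the old role any more."""
    return not sessions_on(old_role, sessions)


def retire_statements(old_role, new_role):
    """Phase 2 SQL, to be run only after can_retire() returns True."""
    old, new = quote_ident(old_role), quote_ident(new_role)
    return [
        f"REASSIGN OWNED BY {old} TO {new};",  # objects created since phase 1
        f"DROP OWNED BY {old};",               # privileges still held by old
        f"DROP ROLE {old};",
    ]


# Constructed sample of pg_stat_activity: two workers still on the old role.
OLD_ROLE = "ub5a8e1c2d3f4"
SAMPLE_ACTIVITY = [
    Session(4101, OLD_ROLE, "active"),
    Session(4102, OLD_ROLE, "idle"),
    Session(4103, "postgres", "idle"),
]

if __name__ == "__main__":
    user, password = new_credentials()
    for stmt in issue_statements("appdb", OLD_ROLE, user, password):
        print(stmt)
    print("new DATABASE_URL:", database_url("db.example", 5432, "appdb", user, password))
    if can_retire(OLD_ROLE, SAMPLE_ACTIVITY):
        print("\n".join(retire_statements(OLD_ROLE, user)))
    else:
        print(f"{len(sessions_on(OLD_ROLE, SAMPLE_ACTIVITY))} session(s) still "
              f"on {OLD_ROLE}; retrying later")
```

The retire phase is meant to be polled: re-query `pg_stat_activity`, and only once `can_retire` is true run the drop statements, which is exactly the behaviour that keeps a long-running worker from being cut off mid-job.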
Along with this change, we are removing credentials from the output of heroku pg:info, as we've seen that it has the most potential for credential leaking. To view connection information for your Heroku Postgres database you must simply ask by running
Both of these commands are available on all Heroku Postgres plans, from dev to mecha.
Finally, please update to the latest version of the Heroku Toolbelt to take advantage of this new functionality.