Rotate database credentials on Heroku Postgres

When was the last time you rotated your database credentials? Is it possible that old colleague still has access to your data? Or perhaps they've been accidentally leaked in a screenshot. There are many reasons to rotate your credentials regularly.

We now support the ability to easily reset your database credentials, and it is as simple as running the following on your command line:

heroku pg:credentials HEROKU_POSTGRESQL_COLOR --reset --app your-app

When you issue the above command, new credentials are created for your database and we update the related config vars on your Heroku application. However, on production databases (crane and up) we don't remove the old credentials immediately. Instead, we wait until all connections using the old credentials have been dropped, and only then do we remove them. This ensures that any background jobs or other workers running in your production environment aren't abruptly terminated, which could leave the system in an inconsistent state.
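As an added illustration (not Heroku's code), here is a small Python model of the rotation just described: a reset issues fresh credentials and updates the config var, while the old credentials are kept only until the last session using them disconnects. The session-tracking interface and the rule that draining credentials reject new logins are assumptions of the model, not documented Heroku behaviour.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Credential:
    user: str
    password: str
    draining: bool = False                    # set on reset: kept until its last session ends
    sessions: set = field(default_factory=set)


class Database:
    """Model of one database's credential set plus the app's config var."""

    def __init__(self):
        self.creds = {}
        self.config = {}                      # stands in for the app's DATABASE_URL config var
        self.current = self._issue()

    def _issue(self):
        # Constructed credentials; the real service generates its own.
        cred = Credential("u" + secrets.token_hex(4), secrets.token_urlsafe(16))
        self.creds[cred.user] = cred
        self.config["DATABASE_URL"] = f"postgres://{cred.user}:{cred.password}@host/db"
        return cred

    def reset(self):
        """pg:credentials --reset: new credentials now, old ones drained, not dropped."""
        for cred in self.creds.values():
            cred.draining = True
        self.current = self._issue()
        self._reap()                          # old creds with no sessions go immediately
        return self.current

    def connect(self, user, password, session_id):
        cred = self.creds.get(user)
        # Assumption: a draining credential accepts no new sessions.
        if cred is None or cred.password != password or cred.draining:
            raise PermissionError("authentication failed")
        cred.sessions.add(session_id)

    def disconnect(self, user, session_id):
        cred = self.creds.get(user)
        if cred is not None:
            cred.sessions.discard(session_id)
        self._reap()

    def _reap(self):
        # Remove drained credentials only once their last session is gone.
        for user in [u for u, c in self.creds.items() if c.draining and not c.sessions]:
            del self.creds[user]
```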

Along with this change, we are removing credentials from the output of heroku pg:info, as we've seen that it has the most potential for credential leaking. To view connection information for your Heroku Postgres database, simply run heroku pg:credentials.

Both of these commands are available on all Heroku Postgres plans, from dev to mecha.

Finally, please update to the latest version of the Heroku Toolbelt to take advantage of this new functionality.

Tags: postgres
