Restrict access to a service
Platform.sh allows you to restrict access to a service.
In this tutorial, learn how to grant your Data team read-only
access to your production database.
Before you start
You need:
- A project with a database service
- A viewer user on your project
1. Add a read-only endpoint to your database service
Edit your .platform/services.yaml file and add the following endpoints:
- website with admin access to the main database
- reporting with read-only (ro) access to the main database
.platform/services.yaml
maindb:
    type: mariadb:10.5
    disk: 2048
    configuration:
        schemas:
            - main
        endpoints:
            website:
                default_schema: main
                privileges:
                    main: admin
            reporting:
                privileges:
                    main: ro
2. Grant your app access to the new endpoints
Edit your app configuration and add new relationships to your new endpoints:
.platform.app.yaml
relationships:
    database:
        service: maindb
        endpoint: website
    reports:
        service: maindb
        endpoint: reporting
3. Create a worker with access to the read-only endpoint
Edit your app configuration to add a new worker which:
- Does nothing (sleep infinity)
- Can access the read-only reporting endpoint
- Allows SSH access to viewer
.platform.app.yaml
workers:
    data_access:
        size: S
        disk: 128
        mounts: {}
        commands:
            start: |
                sleep infinity
        relationships:
            reports:
                service: maindb
                endpoint: reporting
        access:
            ssh: viewer
You’re done!
From now on, your viewer users can SSH in to the worker application and connect to your database with read-only permissions.
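
A check you can run over the finished configuration, as an added example that is not part of the Platform.sh documentation: it lists every relationship a given role can reach over SSH with more than ro privileges. The dicts are the YAML above in parsed form; the role ordering, the contributor default for access.ssh, workers inheriting app-level keys they do not override, and the helper name writable_for_role are assumptions made for this example.

```python
# Added example (not Platform.sh code): least-privilege audit of the config above.
# SERVICES / APP are the page's YAML as parsed dicts (what yaml.safe_load would return).
SERVICES = {"maindb": {"configuration": {"endpoints": {
    "website": {"default_schema": "main", "privileges": {"main": "admin"}},
    "reporting": {"privileges": {"main": "ro"}},
}}}}
APP = {
    "relationships": {
        "database": {"service": "maindb", "endpoint": "website"},
        "reports": {"service": "maindb", "endpoint": "reporting"},
    },
    "workers": {"data_access": {
        "relationships": {"reports": {"service": "maindb", "endpoint": "reporting"}},
        "access": {"ssh": "viewer"},
    }},
}

SSH_ROLES = ["viewer", "contributor", "admin"]  # assumption: lowest to highest
DEFAULT_SSH_ROLE = "contributor"                # assumption: used when access.ssh is unset


def writable_for_role(services, app, role="viewer"):
    """Return sorted (container, relationship, schema, privilege) tuples where
    `role` may SSH in and the endpoint grants anything other than "ro"."""
    containers = {"app": app}
    for name, worker in app.get("workers", {}).items():
        # Assumption: a worker inherits every app-level key it does not override,
        # so a worker without its own `relationships` gets the app's endpoints.
        containers["worker:" + name] = {**app, **worker}
    findings = []
    for cname, cfg in containers.items():
        min_role = cfg.get("access", {}).get("ssh", DEFAULT_SSH_ROLE)
        if SSH_ROLES.index(role) < SSH_ROLES.index(min_role):
            continue  # this role cannot SSH into the container
        for rel, target in cfg.get("relationships", {}).items():
            endpoints = services[target["service"]]["configuration"]["endpoints"]
            for schema, priv in endpoints[target["endpoint"]]["privileges"].items():
                if priv != "ro":
                    findings.append((cname, rel, schema, priv))
    return sorted(findings)


if __name__ == "__main__":
    print("viewer, config as written:", writable_for_role(SERVICES, APP))
    # Constructed misconfiguration: the worker forgets to override `relationships`.
    bad = {**APP, "workers": {"data_access": {"access": {"ssh": "viewer"}}}}
    print("viewer, worker without relationships:", writable_for_role(SERVICES, bad))
```

An empty result for the viewer role means the Data team can reach only read-only endpoints; any tuple returned names the container and relationship to fix.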