Platform.sh User Documentation

Restrict access to a service

Upsun Beta

Access our newest offering - Upsun!

Get your free trial by clicking the link below.

Get your Upsun free trial

Platform.sh allows you to restrict access to a service.

In this tutorial, learn how to grant your Data team read-only access to your production database.

Before you start Anchor to this heading

You need:

  • A project with a database service
  • A viewer user on your project

1. Add a read-only endpoint to your database service Anchor to this heading

Edit your .platform/services.yaml file and add the following endpoints:

  • website with admin access to the main database
  • reporting with read-only ro access to the main database
.platform/services.yaml
maindb:
    type: mariadb:10.5
    disk: 2048
    configuration:
        schemas:
            - main
        endpoints:
            website:
                default_schema: main
                privileges:
                    main: admin
            reporting:
                privileges:
                    main: ro

2. Grant your app access to the new endpoints Anchor to this heading

Edit your app configuration and add new relationships to your new endpoints:

.platform.app.yaml
relationships:
    database: maindb:website
    reports: maindb:reporting

3. Create a worker with access to the read-only endpoint Anchor to this heading

Edit your app configuration to add a new worker which:

  • Does nothing (sleep infinity)
  • Can access the read-only reporting endpoint
  • Allows SSH access to viewer
.platform.app.yaml
workers:
    data_access:
        size: S
        disk: 128
        mounts: {}
        commands:
            start: |
                sleep infinity                
        relationships:
            reports: maindb:reporting
        access:
            ssh: viewer

You’re done! From now on, your viewer users can SSH in to the worker application, and connect to your database with read-only permissions.

Is this page helpful?