The Importance of Read-Only Credentials
Remora Backup was designed with security and trust as the top priorities. When designing and planning the service, we asked ourselves “what is the least amount of access we need to our customer’s database?”. The answer turned out to be a simple, but powerful Heroku feature called Postgres Credentials.
A Postgres database provides many types of access controls, from host-based limits, to database and schema level limits, all the way down to row level limits within a specific table. To backup all of the data within a database, Remora Backup needs to be able to read all of the table, index, and schema data using the
pg_dump utility. Beyond that, any other access would be excessive.
Postgres Credentials provide just what is needed for this situation, a simple, read-only access option for a given credential. Creating such a credential for your database provides the guarantee that Remora Backup will never be able to alter your Postgres data. Our service has only the access needed to provide our valuable service, nothing more.
There are other benefits to using Postgres Credentials for Remora Backup. If your database connection details change, in a failover scenario for example, the Postgres Credential is automatically updated with the new details, and backups will continue to run without your intervention.
The second main benefit is that a Postgres Credential can be attached to another app. We use the concept of a simple Helper App, to which you attach the read-only Postgres Credential, as the main Remora Backup interface. Put another way, the Remora Backup service has access to an app you own, that has read-only access to your database, and nothing more. There are no application dynos, worker dynos, config variables, or other secret app details Remora Backup has access to.
We feel the above design decisions have created the most secure, limited access solution for your business’ backup needs. If you have questions about the Remora Backup security and design, or if you need help configuring your read-only Postgres Credential, please let us know.