hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0

UI showing warning about admin secret being unset while it is set #9171

Open smparekh opened 1 year ago

smparekh commented 1 year ago

Version Information

Server Version: CLI Version (for CLI related issue): v2.14.0

Environment

OSS

What is the current behaviour?

UI shows a little icon on the header indicating a warning with this text: This graphql endpoint is public and you should add an admin-secret

What is the expected behaviour?

No warning as the admin secret is set (see logs).

Screenshots or Screencast

Screenshot 2022-11-02 at 12 44 49

Please provide any traces or logs that could help here.

{
  "detail": {
    "info": {
      "admin_secret_set": true,
      "auth_hook": null,
      "auth_hook_mode": null,
      "console_assets_dir": null,
      "console_sentry_dsn": null,
      "cors_config": {
        "allowed_origins": "*",
        "disabled": false,
        "ws_read_cookie": null
      },
      "enable_allowlist": false,
      "enable_console": false,
      "enable_maintenance_mode": false,
      "enable_metadata_query_logging": false,
      "enable_telemetry": true,
      "enabled_apis": [
        "pgdump",
        "metadata",
        "developer",
        "graphql"
      ],
      "enabled_log_types": [
        "startup",
        "webhook-log",
        "http-log",
        "websocket-log"
      ],
      "events_fetch_batch_size": 100,
      "experimental_features": [],
      "graceful_shutdown_timeout": 60,
      "infer_function_permissions": true,
      "jwt_secret": [
        {
          "audience": null,
          "claims_format": "json",
          "claims_namespace": "https://hasura.io/jwt/claims",
          "header": null,
          "issuer": null,
          "key": "<JWK REDACTED>",
          "type": "<TYPE REDACTED>"
        }
      ],
      "live_query_options": {
        "batch_size": 100,
        "refetch_delay": 1
      },
      "log_level": "info",
      "port": 8080,
      "remote_schema_permissions": true,
      "server_host": "HostAny",
      "stringify_numeric_types": false,
      "transaction_isolation": "ISOLATION LEVEL READ COMMITTED",
      "unauth_role": null,
      "use_prepared_statements": true,
      "v1-boolean-null-collapse": false,
      "websocket_compression_options": "NoCompression",
      "websocket_connection_init_timeout": "Refined (Seconds {seconds = 3s})",
      "websocket_keep_alive": "KeepAliveDelay {unKeepAliveDelay = Refined (Seconds {seconds = 5s})}"
    },
    "kind": "server_configuration"
  },
  "level": "info",
  "timestamp": "2022-11-02T16:23:31.748+0000",
  "type": "startup"
}

Any possible solutions/workarounds you're aware of?

Possible reason is how detection is done, the container is running in ECS and the access key is set via a secret.

Keywords

admin secret

manasag commented 1 year ago

Hi @smparekh, would you be able to share the list of environment variables (redacted values) set in your container?

smparekh commented 1 year ago

Here is an excerpt from our task definition:

"environment": [
    {
      "name": "HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS",
      "value": "true"
    },
    {
      "name": "HASURA_GRAPHQL_ENABLED_APIS",
      "value": "metadata,graphql,pgdump,developer"
    }
],
"secrets": [
    {
      "valueFrom": "arn:aws-us-gov:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/REDACTED",
      "name": "HASURA_GRAPHQL_DATABASE_URL"
    },
    {
      "valueFrom": "arn:aws-us-gov:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/REDACTED",
      "name": "HASURA_GRAPHQL_JWT_SECRET"
    },
    {
      "valueFrom": "arn:aws-us-gov:ssm:$AWS_REGION:$AWS_ACCOUNT_ID:parameter/REDACTED",
      "name": "HASURA_GRAPHQL_ADMIN_SECRET"
    }
],

manasag commented 1 year ago

This is not expected if the admin secret is set. Based on the logs, it seems that the secret is set fine. Is it something that started happening recently (was it working fine earlier)?

smparekh commented 1 year ago

Yes, I noticed it happening when I upgraded from v2.11.1 to v2.14.0.

sanderkooger commented 1 year ago

We have the same issue in v2.15

manasag commented 1 year ago

We have identified the root cause of the issue. Please wait for an update for the fix.
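
The check the reporter did by hand (reading `admin_secret_set` in the startup log and the `secrets` list of the task definition), written as an added example that is not part of the thread or of Hasura's code. It assumes one JSON record per log line; the sample inputs are constructed from the excerpts above and the function names are hypothetical.

```python
import json

# Constructed inputs, trimmed from the startup log and task definition quoted in this thread.
STARTUP_LOG = [
    "plain text line",  # constructed non-JSON line; skipped by the parser
    '{"type": "startup", "level": "info", "detail": {"kind": "server_configuration",'
    ' "info": {"admin_secret_set": true, "unauth_role": null}}}',
]
CONTAINER = {
    "environment": [{"name": "HASURA_GRAPHQL_ENABLED_APIS", "value": "metadata,graphql"}],
    "secrets": [{"name": "HASURA_GRAPHQL_ADMIN_SECRET",
                 "valueFrom": "arn:aws-us-gov:ssm:REGION:ACCOUNT:parameter/REDACTED"}],
}

def server_config(log_lines):
    """Return 'info' from the last server_configuration startup record, else None."""
    info = None
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # other output interleaved with the JSON log
        detail = rec.get("detail") if isinstance(rec, dict) else None
        if (isinstance(detail, dict) and rec.get("type") == "startup"
                and detail.get("kind") == "server_configuration"
                and isinstance(detail.get("info"), dict)):
            info = detail["info"]
    return info

def secret_source(container, name):
    """Report which task-definition list supplies `name`: 'secrets', 'environment' or None."""
    for key in ("secrets", "environment"):
        if any(e.get("name") == name for e in container.get(key, [])):
            return key
    return None

def audit(log_lines, container, name="HASURA_GRAPHQL_ADMIN_SECRET"):
    """List findings; an empty list means the server itself reports the secret as set."""
    info = server_config(log_lines)
    if info is None:
        return ["no server_configuration startup record found"]
    findings = []
    if info.get("admin_secret_set") is not True:
        findings.append("server reports admin_secret_set is not true")
    src = secret_source(container, name)
    if src is None:
        findings.append(name + " is not defined in the task definition")
    elif src == "environment":
        findings.append(name + " is a plaintext environment value, not a secret reference")
    return findings
```

An empty result for a deployment whose console still shows the warning points at the console's detection rather than the server configuration, which is the situation reported in this issue.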