Restrict access to a service
Back to home
On this page
Upsun allows you to restrict access to a service.
In this tutorial, learn how to grant your Data team read-only access to your production database.
Before you start 
You need:
- A project with a database service
- A
vieweruser on your project
1. Add a read-only endpoint to your database service
Edit your .upsun/config.yaml file and add the following endpoints:
websitewithadminaccess to themaindatabasereportingwith read-onlyroaccess to themaindatabase
.upsun/config.yaml
services:
maindb:
type: mariadb:10.5
configuration:
schemas:
- main
endpoints:
website:
default_schema: main
privileges:
main: admin
reporting:
privileges:
main: ro 2. Grant your app access to the new endpoints
Edit your app configuration and add new relationships to your new endpoints:
.upsun/config.yaml
applications:
myapp:
[...]
relationships:
database:
service: maindb
endpoint: website
reports:
service: maindb
endpoint: reporting 3. Create a worker with access to the read-only endpoint
Edit your app configuration to add a new worker which:
- Does nothing (
sleep infinity) - Can access the read-only
reportingendpoint - Allows SSH access to
viewer
.upsun/config.yaml
applications:
myapp:
workers:
data_access:
mounts: {}
commands:
start: |
sleep infinity
relationships:
reports:
service: maindb
endpoint: reporting
access:
ssh: viewerYou’re done!
From now on, your viewer users can SSH in to the worker application,
and connect to your database with read-only permissions.