HDUmi asked

About Secret Key Rule

Hi PlayFab Support,

I have some questions about the PlayFab Secret Key.

I wonder if there is a way to limit access to the Secret Key? I just want to use the Secret Key for the purpose of reading data at another server that does not allow data changes, or only manipulate the function limit compared to the Secret Key in full authority. I have tried to create another account and set the limit for that account's access to the system through the Rule settings: read only allowed. But when viewing the Secret Key from this account, I still get the Secret Key from the main account.

I think it should allow the sub-account to create its own Secret Key, which would include the rights of that sub-account. They could use it elsewhere without worrying about the risk of revealing the Secret Key.


1 Answer

Sarah Zhang answered

There is not any way to limit access to the Secret Key. If you think a feature that adds limits to the Secret Key is necessary, you can add a Feature Request for it.

User roles, which you have used, are a powerful and flexible way to determine who can do what in Game Manager. If you want to deny certain APIs from the game client, you can use the API access policy. Take these as references, please.

7 comments

HDUmi commented

Really, I think this is a necessary issue. I need to use the Secret Key in the game server to get players' information and their inventory items for processing game logic. However, what happens if my server is hacked and the Secret Key is revealed? They can edit or do whatever they want. PlayFab also does not provide a system recovery mechanism.
Seth Du ♦ commented, replying to HDUmi

> what happens if my server could be hacked and revealed Secret Key

For now, you are able to manage Secret Keys in the Game Manager: please navigate to [Game Manager] -> [Settings] -> [Secret Keys], where you can create new secret keys or disable existing ones. You are also able to create a secret key with an expiration date.
HDUmi commented

If the key is revealed, the system will be hacked heavily. I think it is necessary to allow the creation of secret keys that limit the functionality, and secret keys for each admin account, to know who is using them.
brandon@uprootstudios.com commented, replying to HDUmi

If your server never exposes or returns data with the key to clients, it is very unlikely anyone would be able to "hack" the server or send certain data to it in a way that the key would be returned. If such a vulnerability were found, you could disable the secret key and issue a new one once you figure out how it happened and prevent it from happening again.

1 Like
HDUmi commented, replying to brandon@uprootstudios.com

We cannot be sure the server is not hacked; nothing can guarantee it. If the data has been hacked, what is the meaning of changing to a new secret key? The data system has been hacked and changed; how can we check millions of users to recover their data? I find the solution unreasonable.
