Feature Requests

Support compliance with HIPAA and enable requesting a Business Associate Agreement (BAA) from Render

It will be easier to do transactions using UPI i was not able to add my card

Render API keys / tokens are not per-workspace or per-org, and has access to all workspaces that I have. Vanta, one of the most common SOC 2 compliance vendor, requires Render API key for integration, and this limitation complicates as we don't want to provide a personal API key that can access to a lot more external organizations and workspaces.

I would prefer not to use static credentials and instead generate temporary credentials on-demand. This is something I have done with other platforms such as GitHub Actions and Terraform Cloud. You can create an AWS IAM Identity Provider in the AWS Console for the OIDC Identity Provider that your platform manages, and then your runtime can call the AWS STS AssumeRoleWithWebIdentity endpoint, passing along the JWT identity token provided by your platform. Instructions for configuring GitHub Actions to use temporary AWS credentials can be found here: https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ I’d like to do something similar with Render, but the Render platform would need to make available an OIDC Identity Provider, as described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html

Provide the ability to create a unique static IP for a service. This means if I allowlist my service's IP, I'll only allowlist my service, and no other Render services.

Just like Env Groups, it would be great to have Access Control Groups to apply IP address range changes at once for Postgres and Redis. By setting IP ranges one by one, it gets out of sync very quickly. Instead, we could maintain the single source of truth for the IP ranges. This would be helpful especially for fully remote teams.

Right now environment variables are used for secrets, but in general you want secrets to be write-only or at the very least only allow read based on some IAM. A first good step would be to add a "sensitive" checkmark when you create an environment variable so it can only be written to and it cannot ever we read by users. This is the behaviour of github actions, terraform cloud, etc. and generally good enough for a lot of people.