This repo contains two Cloudflare Workers:
-
workers/lakebase-credential-rotatorA cron-triggered worker that fetches short-lived Databricks Lakebase Postgres credentials and updates a Cloudflare Hyperdrive configuration.
-
workers/lakebase-connection-testA tiny HTTP worker that runs
SELECT now()over Hyperdrive and returns JSON.
- Node.js 20+
pnpmwranglerCLI authenticated to your Cloudflare account- A Databricks service principal with OAuth client credentials and permission to generate Lakebase DB credentials
pnpm -r installPath: cd workers/lakebase-credential-rotator
Copy wrangler.toml.example to wrangler.toml and set:
-
CLOUDFLARE_ACCOUNT_ID -
HYPERDRIVE_CONFIG_ID -
DATABRICKS_HOST(example:dbc-xxxxxxxx-xxxx.cloud.databricks.com) -
DATABRICKS_CLIENT_ID -
LAKEBASE_ENDPOINT(namefromdatabricks postgres list-endpoints, format:projects/<id>/branches/<id>/endpoints/<id>) -
LAKEBASE_HOST -
LAKEBASE_PORT(default5432) -
LAKEBASE_DATABASE(defaultdatabricks_postgres)
Then configure the secrets:
wrangler secret put CLOUDFLARE_API_TOKEN
wrangler secret put DATABRICKS_CLIENT_SECRETCredentials are valid for 60 minutes. The default refresh schedule is every 20 minutes, which makes the system robust to any single failed refresh.
crons = ["8,28,48 * * * *"]pnpm run deployEnsure workers_dev = false in wrangler.toml to prevent public access.
You can set it true temporarily for debugging/test purposes. Then you would do:
curl "https://<your-worker-subdomain>/"And the expected result should be similar to:
{
"started_at": "2026-03-06T10:50:39.226Z",
"completed_at": "2026-03-06T10:50:43.298Z",
"result": {
"id": "03100116588d4a36b24a3e560617aca8",
"name": "lakebase-rotation-example",
"origin": {
"host": "ep-xyz.database.us-west-2.cloud.databricks.com",
"port": 5432,
"database": "databricks_postgres",
"scheme": "postgres",
"user": "09adf6b1-b608-4ee5-9ee7-4479d8fff0c3"
},
"origin_connection_limit": 60,
"caching": {
"disabled": false
},
"mtls": {},
"created_on": "2026-03-03T17:57:39.493273Z",
"modified_on": "2026-03-06T10:50:41.608703Z"
}
}Path: cd workers/lakebase-connection-test
Copy wrangler.toml.example to wrangler.toml and set:
[[hyperdrive]].idto your Hyperdrive config ID
pnpm run deploycurl "https://<your-worker-subdomain>/"Expected result:
{"server_time":"2026-03-03T00:00:00.000Z"}