Skip to content

Add passwordCommand option for SQL datastore credentials#9879

Merged
simvlad merged 1 commit intotemporalio:mainfrom
simvlad:simvlad/cloud-provider-auth
Apr 15, 2026
Merged

Add passwordCommand option for SQL datastore credentials#9879
simvlad merged 1 commit intotemporalio:mainfrom
simvlad:simvlad/cloud-provider-auth

Conversation

@simvlad
Copy link
Copy Markdown
Contributor

@simvlad simvlad commented Apr 8, 2026

What changed?

Add a passwordCommand config option for SQL datastores that executes an external command to fetch the database password instead of using a static password field. When configured, each new physical database connection re-executes the command to get a fresh credential via RefreshingConnector, enabling short-lived tokens (e.g. cloud IAM tokens) to be used as database passwords. Supported for MySQL, PostgreSQL (both pgx and pq drivers).

Why?

Cloud-managed databases (e.g. AWS RDS, GCP Cloud SQL) authenticate using short-lived IAM tokens rather than static passwords. There was no way to integrate an external credential source into Temporal's SQL config without forking the code. passwordCommand lets operators plug in any token-fetching tool (e.g. aws rds generate-db-auth-token) via config.

This approach is vendor-agnostic: any command that writes a password to stdout works, with no SDK dependencies or provider-specific code in Temporal.

How did you test it?

  • built
  • run locally and tested manually
  • covered by existing tests
  • added new unit test(s)
  • added new functional test(s)

Tested with GCP, setting up a Postgres database and using it for the server backend

Potential risks

  • passwordCommand executes an arbitrary external command. Misconfiguration will cause connection failures
  • If the command is slow or hangs, connection pool growth will stall until the timeout (default 30s) fires.
  • Token expiry must be managed by the operator via MaxConnLifetime, there is no built-in mechanism to detect or handle expired credentials on existing connections. Richer integration (e.g. parsing expiry from the command output and automatically setting connection lifetime) is possible but intentionally omitted here as it would be vendor-specific. The good news, is that most cloud APIs return tokens with a known, fixed TTL (e.g. 15 minutes for AWS RDS, 1 hour for GCP Cloud SQL).

@simvlad simvlad requested review from a team as code owners April 8, 2026 23:36
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8de94ce5c9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread common/persistence/sql/sqlplugin/postgresql/session/session.go
yycptt
yycptt reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@yycptt yycptt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmmm RefreshingConnector implementation is not committed?

Comment thread common/config/persistence.go
@simvlad simvlad force-pushed the simvlad/cloud-provider-auth branch 2 times, most recently from 824b111 to 922a2d0 Compare April 14, 2026 16:49
@simvlad
Copy link
Copy Markdown
Contributor Author

simvlad commented Apr 14, 2026

Ugh, committed

@simvlad simvlad requested a review from yycptt April 14, 2026 16:50
@simvlad simvlad force-pushed the simvlad/cloud-provider-auth branch from 922a2d0 to c5b2507 Compare April 14, 2026 17:18
@simvlad simvlad force-pushed the simvlad/cloud-provider-auth branch from c5b2507 to 2a95572 Compare April 15, 2026 03:56
@simvlad simvlad merged commit 8e6e905 into temporalio:main Apr 15, 2026
114 of 118 checks passed
This was referenced Apr 23, 2026
Closed
Closed
@prathyushpv prathyushpv mentioned this pull request Apr 24, 2026
Merged
prathyushpv added a commit that referenced this pull request Apr 25, 2026
@prathyushpv @simvlad
Cherry-pick: Add passwordCommand option for SQL datastore credentials (
ba8026b 
…#9879) (#10062)

Cherry-pick of #9879 into `release/v1.31.x` for the v1.31.0 minor
release.

Original PR: #9879

Clean cherry-pick (no conflicts).

Co-authored-by: Vladyslav Simonenko <vlad.simonenko@temporal.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@yycptt yycptt yycptt approved these changes

Assignees

No one assigned

Labels

release/1.31.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@simvlad @yycptt