Any way to hide database migration passwords from the main app?

I’ve set up my main webserver to use a Postgres role that only has permission to make the database changes that it really needs to make. Those permissions aren’t enough to create tables, but of course the database migration script that runs via release_command during deployment does need to be able to create tables.

It’s straightforward to define a DB_MIGRATE_DATABASE_URL secret in the app and use that in the release_command, but then that secret stays available while the main webserver is running. Similarly, I can set a --build-secret for use inside the Dockerfile, but the only way to pass that to the release_command seems to be to write it somewhere in the image, which is also available to the main webserver.

Is there any way to give an extra secret to just the release_command?

(It’s possible that I’m just being overcautious here, and if an attacker manages to get into the webserver, I need to treat them as having full access to the database even if they theoretically didn’t have that password.)

1 Like