Prisma · 7mo ago
JL

db credentials

We’re building a secure Node.js/NestJS application using Prisma ORM with SQL Server as the backend. Due to our organization's security classification (similar to BIV2/BIV3), we are not allowed to store database credentials (username/password) in configuration files or environment variables.
3 Replies
Prisma AI Help · 7mo ago
You've gone full bot mode! Let me fetch that AI answer for you ASAP. Prisma ORM does not natively support fetching database credentials directly from external secret managers (like AWS Secrets Manager or Azure KeyVault) within the schema.prisma file or at migration time. The standard and recommended approach is to use environment variables for the database connection string, as shown below:
datasource db {
provider = "sqlserver"
url = env("DATABASE_URL")
}
And in your .env file:
DATABASE_URL="sqlserver://host:1433;database=dbname;user=user;password=password;encrypt=true"
However, your security requirements prohibit storing credentials in config files or environment variables. This is a common challenge, and many users have requested native support for secret managers, but as of now Prisma does not offer this feature out of the box [Support for AWS Secrets Manager or Azure KeyVault in schema.prisma].
Workarounds:
- Programmatic instantiation: You can instantiate PrismaClient in your application code, programmatically fetch the credentials from a secret manager at runtime, and pass the connection string directly:
import { PrismaClient } from '@prisma/client';

// getDbUrlFromSecretManager() is your own function that reads the credentials
// from the secret manager at runtime. Top-level await requires an ES module;
// in a CommonJS NestJS project, do this inside an async provider factory or
// onModuleInit() instead.
const dbUrl = await getDbUrlFromSecretManager(); // implement this securely
const prisma = new PrismaClient({
  datasources: { db: { url: dbUrl } }
});
This approach is widely used in the community for secure environments [discussion].
- Migrations: For migrations, you must still provide the connection string via an environment variable or .env file. Some teams use scripts to fetch secrets and set the environment variable just-in-time before running Prisma CLI commands [example].
Summary: Prisma does not yet support direct secret manager integration for credentials. The best practice is to fetch credentials at runtime in your application code and pass them to PrismaClient. For CLI tools, use wrapper scripts to inject secrets into environment variables at execution time. This is a known limitation and a frequently requested feature.
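The two workarounds in the reply above (fetching credentials at runtime for PrismaClient, and injecting them just-in-time for the Prisma CLI) as one worked example. This is added illustration, not code from the original thread, from Prisma, or from NestJS. The `DbSecret` shape, the `SecretProvider` interface and the `InMemorySecretProvider` stand-in are assumptions made so the example runs offline; a real provider would call the Azure Key Vault or AWS Secrets Manager SDK using the workload's own identity. The brace quoting follows Prisma's documented rule that SQL Server values containing `;` must be wrapped in `{}`; doubling a literal `}` inside the braces is the ADO.NET convention and is assumed to hold for Prisma as well, so verify it against your Prisma version before relying on passwords that contain `}`.

```typescript
import { spawnSync } from "node:child_process";

// Parts of the database credential as stored in the secret manager (constructed
// shape, not a Prisma or NestJS type). Keeping the parts separate means a rotation
// only has to change `password`; the app assembles the URL in memory.
export interface DbSecret {
  host: string;
  port?: number;
  database: string;
  user: string;
  password: string;
}

// Minimal abstraction over a secret manager (Azure Key Vault, AWS Secrets Manager...).
export interface SecretProvider {
  get(name: string): Promise<string>;
}

// In-memory stand-in so the example runs offline (constructed, not a real vault).
export class InMemorySecretProvider implements SecretProvider {
  private readonly store: Record<string, string>;
  constructor(store: Record<string, string>) {
    this.store = store;
  }
  async get(name: string): Promise<string> {
    const v = this.store[name];
    if (v === undefined) throw new Error(`secret not found: ${name}`);
    return v;
  }
}

// Validate the payload before trusting it; a missing field would otherwise become
// an empty string in the URL and fail later with a confusing connector error.
export function parseDbSecret(raw: string): DbSecret {
  const obj = JSON.parse(raw) as Partial<DbSecret>;
  for (const key of ["host", "database", "user", "password"] as const) {
    if (typeof obj[key] !== "string" || obj[key] === "") {
      throw new Error(`db secret is missing field "${key}"`);
    }
  }
  if (obj.port !== undefined && !Number.isInteger(obj.port)) {
    throw new Error('db secret field "port" must be an integer');
  }
  return obj as DbSecret;
}

// Prisma's SQL Server URL is ';'-separated key=value pairs, so a value containing
// ';' (or other delimiter characters) is wrapped in '{}' per the Prisma docs.
// Doubling a literal '}' inside the braces is the ADO.NET rule (assumed here).
export function quoteSqlServerValue(value: string): string {
  if (!/[;={}\s]/.test(value)) return value;
  return "{" + value.replace(/}/g, "}}") + "}";
}

export function buildSqlServerUrl(s: DbSecret): string {
  const port = s.port ?? 1433;
  return (
    `sqlserver://${s.host}:${port}` +
    `;database=${quoteSqlServerValue(s.database)}` +
    `;user=${quoteSqlServerValue(s.user)}` +
    `;password=${quoteSqlServerValue(s.password)}` +
    `;encrypt=true`
  );
}

// Runtime path: fetch, validate, assemble. The result goes to PrismaClient as
// `datasources: { db: { url } }`; it never touches .env or process.env.
export async function loadDatabaseUrl(secrets: SecretProvider, name: string): Promise<string> {
  return buildSqlServerUrl(parseDbSecret(await secrets.get(name)));
}

// Never log the raw URL; strip the password (brace-quoted or bare) first.
export function redactUrl(url: string): string {
  return url.replace(/password=(\{(?:[^}]|\}\})*\}|[^;]*)/i, "password=***");
}

// CLI path (prisma migrate deploy, db push, ...): the URL exists only in the child's
// environment for the duration of one command, so it is never exported to the parent
// shell, never written to disk, and gone when the child exits.
export function runWithDatabaseUrl(
  url: string,
  cmd: string,
  args: string[],
): { status: number | null; stdout: string } {
  const res = spawnSync(cmd, args, { env: { ...process.env, DATABASE_URL: url }, encoding: "utf8" });
  return { status: res.status, stdout: res.stdout };
}

async function demo(): Promise<void> {
  // Constructed sample secret; the password deliberately contains ';', '{' and '}'.
  const secrets = new InMemorySecretProvider({
    "prod/app-db": JSON.stringify({
      host: "db.example.internal", port: 1433, database: "app", user: "app_rw", password: "p@ss;w{o}rd",
    }),
  });
  const url = await loadDatabaseUrl(secrets, "prod/app-db");
  console.log("connecting with", redactUrl(url));
  // Stand-in for `npx prisma migrate deploy`: the child only reports what it received.
  const r = runWithDatabaseUrl(url, process.execPath, [
    "-e", "process.stdout.write(String((process.env.DATABASE_URL ?? '').length))",
  ]);
  console.log("child saw DATABASE_URL of length", r.stdout, "exit", r.status);
}

void demo();
```

In a NestJS app, `loadDatabaseUrl` belongs in the async factory (or `onModuleInit`) that constructs the `PrismaClient`, and `runWithDatabaseUrl` is the shape of the wrapper script the reply mentions: it scopes `DATABASE_URL` to the Prisma CLI child process instead of exporting it or writing a `.env`.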
JL (OP) · 7mo ago
?
Nurul · 7mo ago
What do you use for secrets management then?
