erleans / pgo

Erlang Postgres client and connection pool
Apache License 2.0

Function as password #56

Open varnerac opened 2 years ago

varnerac commented 2 years ago

Would you accept a PR that allows the password to be a zero-arity function? There are a few use cases for it. One example is pulling the password from a secrets store. Another is using a token that is regenerated after a period of time, like AWS IAM authentication in Postgres RDS.

tsloughter commented 2 years ago

Hey, sorry I hadn't replied to this yet! I keep going back and forth on whether this is ok. The latter case certainly can't be solved by other options like an environment variable populated from the secrets store... But would the password then have to be re-evaluated after every disconnect? Not necessarily bad if that is what the requirement for getting these tokens is.

And should it really be zero arity and not pass the database name, uri, etc?

tsloughter commented 2 years ago

If it weren't for the latter case I'd suggest starting the pool manually instead of through pgo application startup, but that doesn't help if you need it to get a new password when it tries to reconnect.

varnerac commented 2 years ago

I don’t think the fun to retrieve the credential would necessarily need the DB URI, etc. I figured it’s better to use a zero arity fun because you can wrap whatever values you need in a zero arity fun. In the case of IAM, the common case is pulling the credential from your EC2 instance. I haven’t dug too deep, but I don’t think that credential is tied to the DB. It’s tied to the EC2 instance. You wouldn’t use the DB URI.

You’ll definitely eat the cost of the function for every new connection. But, it’s a pool so we amortize the credential retrieval cost over the life of the connection in the pool.
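
An added sketch of the idea discussed in this thread, not code from the issue or from pgo: a password option that may be a static value or a zero-arity fun, resolved each time a new connection is opened, with the fun closing over the host and user it needs. The module name, `resolve_password/1`, `token_fun/3` and the token source are all hypothetical.

```erlang
-module(pw_fun_example).
-export([resolve_password/1, token_fun/3, demo/0]).

%% Hypothetical helper (not a pgo API): turn the configured password into
%% a binary at the moment a new connection is opened.
resolve_password(Fun) when is_function(Fun, 0) ->
    case Fun() of
        Pw when is_binary(Pw) -> Pw;
        Pw when is_list(Pw)   -> unicode:characters_to_binary(Pw);
        %% Raise a fixed reason so the returned value never ends up in a log.
        _ -> erlang:error(bad_password_fun_result)
    end;
resolve_password(Pw) when is_binary(Pw) -> Pw;
resolve_password(Pw) when is_list(Pw)   -> unicode:characters_to_binary(Pw).

%% Build a zero-arity fun that closes over whatever the credential source
%% needs. FetchToken stands in for a secrets-store or IAM token call.
token_fun(FetchToken, Host, User) when is_function(FetchToken, 2) ->
    fun() -> FetchToken(Host, User) end.

demo() ->
    %% Constructed token source: returns a different value on every call,
    %% like a token that is regenerated after a period of time.
    Counter = counters:new(1, []),
    Fetch = fun(Host, User) ->
                counters:add(Counter, 1, 1),
                N = counters:get(Counter, 1),
                iolist_to_binary([User, "@", Host, "#token-",
                                  integer_to_binary(N)])
            end,
    PwFun = token_fun(Fetch, <<"db.example.internal">>, <<"app">>),
    %% Two new connections mean two evaluations of the fun; a connection
    %% that stays in the pool does not trigger another one.
    First  = resolve_password(PwFun),
    Second = resolve_password(PwFun),
    %% A plain string still works unchanged.
    Static = resolve_password("static-secret"),
    {First, Second, Static}.
```

Calling `pw_fun_example:demo()` returns a tuple whose first two elements differ, which is the per-connection re-evaluation cost the thread talks about amortizing over the life of a pooled connection.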