I want my postgres functions to be able to access environment variables for things like keys for cryptographic signatures. When I run postgres locally I’m able to pass environment variables with the `-c` flag, which can be consumed inside postgres functions with the `current_setting` function.
Since these are cryptographic keys, ideally they would not be stored in the database itself.
Is there a way to accomplish this with DigitalOcean’s managed postgres service?
Hey Eddie,
When using DigitalOcean’s Managed PostgreSQL service, you’re working within a managed environment that doesn’t provide direct access to the underlying server configuration, including the ability to set environment variables in the traditional way (like you would on a local PostgreSQL installation). This limitation is primarily for security and stability reasons, as the service is designed to abstract away many of the server management details.
The best thing to do to get your voice heard regarding this would be to head over to our Product Ideas board and post a new idea, including as much information as possible for what you’d like to see implemented.
However, here are some alternative approaches you can consider:
1. Encrypted Configuration Table
While storing keys directly in the database is not ideal, you can create a dedicated configuration table with encrypted values. This method allows you to use PostgreSQL’s built-in encryption functions to secure the keys. Your functions can then decrypt these values at runtime.
2. External Secrets Manager
Utilize an external secrets management service like DigitalOcean’s App Platform environment variables (if your application is hosted on the App Platform).
Your application retrieves the necessary keys from the App Platform secrets manager and then passes them to the PostgreSQL functions as parameters.
3. Application-Level Management
Handle the cryptographic operations within your application code rather than in PostgreSQL functions. This way, you can leverage your application’s existing environment variables or configuration files to manage the keys.
Each of these approaches has its trade-offs. The best solution depends on your application architecture, security requirements, and operational preferences. Unfortunately, due to the managed nature of DigitalOcean’s PostgreSQL offering, there’s no direct way to set environment variables as you would in a self-managed PostgreSQL setup where you have full access to the server.
Hope that helps!
- Bobby.
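Option 3 from the answer above, as an added example that is not part of the original answer: the application reads the signing key from its own environment, signs a canonical form of the record, and stores only the signature in Postgres, so the key never enters the database. The variable name `DOC_SIGNING_KEY_HEX`, the choice of HMAC-SHA256 and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

KEY_ENV = "DOC_SIGNING_KEY_HEX"  # hypothetical variable name, set on the app host


def load_key(env=None):
    """Read the hex-encoded key from the environment and fail closed."""
    env = os.environ if env is None else env
    raw = env.get(KEY_ENV)
    if not raw:
        raise RuntimeError(f"{KEY_ENV} is not set; refusing to sign")
    key = bytes.fromhex(raw)
    if len(key) < 32:
        raise ValueError("signing key must be at least 32 bytes")
    return key


def canonical(record):
    """Stable byte form of a row, so key order cannot change the signature."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign(record, env=None):
    """Hex HMAC-SHA256 of the record, to be stored in an ordinary column."""
    return hmac.new(load_key(env), canonical(record), hashlib.sha256).hexdigest()


def verify(record, signature, env=None):
    """Constant-time check of a signature read back from the database."""
    return hmac.compare_digest(sign(record, env), signature)


if __name__ == "__main__":
    demo_env = {KEY_ENV: "00" * 32}      # constructed key, not a real secret
    row = {"id": 7, "amount": "12.50"}   # constructed sample record
    sig = sign(row, demo_env)
    print(sig, verify(row, sig, demo_env))
```

The signature column can live next to the row it covers; rotating the key then means re-signing rows from the application rather than changing anything on the database server.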