@ivanauth ivanauth commented Dec 9, 2025

Summary

Adds support for separate database connection strings for migrations versus normal SpiceDB operation.

Fixes #338

Motivation

Database migrations require elevated privileges (CREATE TABLE, DROP TABLE, ALTER TABLE) that the SpiceDB application shouldn't have during normal operation. This follows security best practices by allowing least-privilege credentials for the application.

Changes

  • Add migration_datastore_uri secret key support
  • When present, migration jobs use migration_datastore_uri instead of datastore_uri
  • SpiceDB application pods continue using datastore_uri
  • Add example and documentation in examples/separate-migration-datastore-uri/

Usage

apiVersion: v1
kind: Secret
metadata:
  name: spicedb-config
stringData:
  # Used by SpiceDB pods - limited privileges
  datastore_uri: "postgresql://app_user:pass@postgres:5432/spicedb"
  
  # Used by migration jobs - elevated privileges
  migration_datastore_uri: "postgresql://admin_user:pass@postgres:5432/spicedb"
  
  preshared_key: "secret"
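As an added example, not part of this PR or the SpiceDB operator, the PostgreSQL role setup that makes the two credentials in the secret above actually differ in privilege: role names and the database name follow the example secret, the schema is assumed to be public, and the passwords are placeholders.

```sql
-- Added example: two roles for one SpiceDB database.
-- admin_user runs migrations (DDL); app_user serves normal traffic (DML only).
-- Assumptions: database "spicedb", schema "public", placeholder passwords.
CREATE ROLE admin_user LOGIN PASSWORD 'replace-me-admin';
CREATE ROLE app_user   LOGIN PASSWORD 'replace-me-app';

-- Migration role owns the database and schema, so CREATE/ALTER/DROP TABLE work.
ALTER DATABASE spicedb OWNER TO admin_user;
ALTER SCHEMA public OWNER TO admin_user;

-- Before PostgreSQL 15 every role can CREATE in "public" by default; close that.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Application role: connect and read/write rows, but no DDL.
GRANT CONNECT ON DATABASE spicedb TO app_user;
GRANT USAGE ON SCHEMA public TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO app_user;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_user;

-- Tables and sequences that future migrations (run as admin_user) create
-- get the same DML-only grants automatically.
ALTER DEFAULT PRIVILEGES FOR ROLE admin_user IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_user;
ALTER DEFAULT PRIVILEGES FOR ROLE admin_user IN SCHEMA public
    GRANT USAGE, SELECT ON SEQUENCES TO app_user;

-- Check: connected as app_user, DDL must be rejected with
-- "permission denied for schema public", while a SELECT on an existing table works.
-- SET ROLE app_user;
-- CREATE TABLE should_fail (id int);   -- expected to error
-- RESET ROLE;
```

Run the check block from a psql session opened with datastore_uri to confirm the application credentials really cannot alter the schema.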

@ivanauth force-pushed the fix/issue-338-separate-datastore-uris branch from 0a9e72f to b5c49fc on December 13, 2025 01:42
- Add support for migration_datastore_uri in secret
- Migration jobs will use migration_datastore_uri if present
- Application pods continue to use datastore_uri
- Add tests for migration datastore URI functionality
- Add example showing how to use separate credentials

This allows using elevated database privileges for migrations
while running the application with least-privilege credentials.

Fixes authzed#338
@ivanauth force-pushed the fix/issue-338-separate-datastore-uris branch from b5c49fc to c8d5eea on December 13, 2025 02:14
Successfully merging this pull request may close these issues.

[Feature] Support separate datastore_uris for migrations and application access