Hey @jonapgartwohat 👋
Did the above setup work? If so, could you share a sample code that you have used with IAM auth?

Yes it did, although still building out some tests for error handling/disconnects etc. The expiry promise sent here is for the factory function to know when to pre-emptively disconnect/reconnect. DB_TOKEN_EXPIRY_SECONDS should be set to something less than the actual token expiry time for RDS (which I believe is 15 minutes).

import { PrismaClientOptions } from '@prisma/client'
import { RDS } from 'aws-sdk'
//...
async function generate(): Promise<{ prismaOptions: PrismaClientOptions; expiry?: Promise<void> }> {
 
    let password: string
    let expiry: Promise<void> | undefined
    if (!DB_PASSWORD) {
      password = await generateRdsPassword({
        credentials: {
          accessKeyId: AWS_ACCESS_KEY,
          secretAccessKey: AWS_SECRET_KEY,
        },
        region: DB_REGION,
        hostname: DB_HOST,
        username: DB_USER,
        port: DB_PORT,
      })
      expiry = new Promise(res => setTimeout(res, parseInt(DB_TOKEN_EXPIRY_SECONDS, 10) * 1000))
    } else {
      password = DB_PASSWORD
    }

    const url = new URL(`postgresql://${DB_HOST}:${DB_PORT}/${DB_DATABASE}`)
    url.username = DB_USER
    url.password = password
    url.search = new URLSearchParams({
      schema: DB_SCHEMA,
      connection_timeout: DB_CONNECTION_TIMEOUT,
      socket_timeout: DB_QUERY_TIMEOUT,
      connection_limit: DB_MAX_CONNECTIONS,
      ...(RDS_ROOT_CERT_PATH
        ? {
            sslmode: 'verify-full',
            sslrootcert: RDS_ROOT_CERT_PATH,
          }
        : undefined),
    }).toString()

    return {
      prismaOptions: {
        datasources: {
          db: {
            url: url.toString(),
          },
        },
      },
      expiry,
    }
  }

//... 
function generateRdsPassword(options: RDS.Signer.SignerOptions): Promise<string> {
  //TODO cache signer?
  const signer = new RDS.Signer(options)
  return new Promise((res, rej) => {
    signer.getAuthToken(options, (err, token) => {
      err ? rej(err) : res(token)
    })
  })
}

You don't really need to disconnect though, right? Only the password expires, not the open connections.

Is there a way to use a different password only when a new connection is needed for the pool?

I don't think this will matter as these requests would fail anyway due to an expired token.

If there are existing active connections in the connection pool, the requests will succeed. The way that RDS with IAM works is that only the token expires. The connections, once created, do not expire when the token expires.

Token expiration only affects the ability to create new connections to the database.

Currently a disconnect is required because there isn't any mechanism that will update the same connection with the new token. We will be looking into the request you opened and think of a better way of managing this.

Great, thanks for the information.

Whats the current state of this strategy? using @prisma/client": "^3.11.1 and I'm getting this error even when calling disconnect

warn(prisma-client) There are already 10 instances of Prisma Client actively running.

I'm also trying to use IAM auth using code that tries to create the initial prisma client then on setInterva disconnect, get a new token and reconnect but it looks like it just piles up new Prisma clients rather than reusing the existing one with a new connection string.

let prisma;
const generateClient = async (server, options) => {
  const signer = new RDS.Signer({
    // configure options
    region: 'us-east-1',
    username: 'iam_user',
    hostname: 'db',
    port: 5432,
  });
  const token = signer.getAuthToken();
  prisma = new PrismaClient({
    datasources: {
      db: {
        url: `postgresql://iam_user:${encodeURIComponent(
          token
        )}@db:5432/test?schema=public`,
      },
    },
    log: ['query', 'info', 'warn', 'error'],
  });

  setInterval(async () => {
    await prisma.$disconnect();
    const token = signer.getAuthToken();
    prisma = new PrismaClient({
      datasources: {
        db: {
          url: `postgresql://iam_user:${encodeURIComponent(
            token
          )}@db/test?schema=public`,
        },
      },
      log: ['query', 'info', 'warn', 'error'],
    });
  }, 2000);

  await prisma.$connect();
};
generateClient();

module.exports = prisma;

@ThrowsException 👋

The solution in this case is to instantiate a single instance PrismaClient and save it on the global object and then keeping a check to only instantiate PrismaClient if it's not on the global object otherwise using the same instance again if already present to prevent instantiating extra PrismaClient instances.

Here's the Help Article which discusses the solution to this error.

@nurul3101 Thanks for the suggestion but this still doesn't appear to be a solution for IAM. Even using global object i'm still getting the above error message. It seems no matter what calling new PrismaClient in the setInterval when I need to refresh the iam auth token results in more connections being opened even if I call $disconnect. Not exactly sure what I'm doing wrong there.