Problem

When connecting to AWS RDS using IAM authentication, a token is generated that is used as the password for new connections. This token expires after 15 minutes. After that, the token can no longer be used to create new connections.

Existing connections are still valid.

With Prisma, it seems like connection settings including the password must be static, and can not be altered after the PrismaClient has been created.

Suggested solution

With Knex, the connection settings do not need to be static. An async function can also be passed in that will provide the connection settings when called. This can include an expiration checker that is called when a new connection is created. If the settings are expired, the connection settings provider can be called again to update the connection settings.

This should not close existing connections in the pool. It should only affect the settings of new connections that are created.

It might look like this in Prisma.

export prisma = new PrismaClient({dataSources: { db: generateConnectionSettings }})

async function generateConnectionSettings(){
    const token = await getIAMToken(auth)
    const expiresAt = Date.now() + 840000 // Expires in 14 minutes 
    return {
       url: <connection string with generated token>,
       expirationChecker: () => {
          return expiresAt <= Date.now()
       }
   }
}

Alternatives

We are currently creating a new PrismaClient for every http request, but this is only possible because we have an internal only tool with very low request volume. This is very wasteful.

Additional context

#4147