From 9388ef66d079f6edb8c3c18b797ba510267e3807 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nuno=20G=C3=B3is?= <github@nunogois.com>
Date: Thu, 4 Sep 2025 14:01:27 +0100
Subject: [PATCH] chore: IAM auth username env var takes precedence (#10618)

---
 src/lib/db/aws-iam.ts | 2 +-
 src/lib/db/db-pool.ts | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/lib/db/aws-iam.ts b/src/lib/db/aws-iam.ts
index 143c4d8ac0..03da0e57a9 100644
--- a/src/lib/db/aws-iam.ts
+++ b/src/lib/db/aws-iam.ts
@@ -14,7 +14,7 @@ export const getDBPasswordResolver = (db: IDBOption): PasswordResolver => {
             region: db.awsRegion,
             hostname: db.host,
             port: db.port,
-            username: db.user,
+            username: process.env.DATABASE_USERNAME || db.user,
         });
         return async () => {
             console.log('[AWS RDS SIGNER] Getting token...');
diff --git a/src/lib/db/db-pool.ts b/src/lib/db/db-pool.ts
index 92b7058354..16e32275dc 100644
--- a/src/lib/db/db-pool.ts
+++ b/src/lib/db/db-pool.ts
@@ -11,14 +11,18 @@ export function createDb({
     const logger = getLogger('db-pool.js');
 
     logger.info(
-        `createDb: iam=${Boolean(db.awsIamAuth)} host=${db.host} port=${db.port} db=${db.database} user=${db.user} ssl=${Boolean(db.ssl)}`,
+        `createDb: iam=${Boolean(db.awsIamAuth)} host=${db.host} port=${db.port} db=${db.database} user=${process.env.DATABASE_USERNAME || db.user} ssl=${Boolean(db.ssl)}`,
     );
 
+    const { password, ...logDb } = db;
+    logger.info(`createDb (DB): ${JSON.stringify(logDb, undefined, 2)}`);
+
     return knex({
         client: 'pg',
         version: db.version,
         connection: {
             ...db,
+            user: process.env.DATABASE_USERNAME || db.user,
             application_name: db.applicationName,
             password: getDBPasswordResolver(db),
         },