zama-ai · antoniupop · Apr 2, 2026 · Apr 8, 2026 · Apr 10, 2026
@@ -1,6 +1,6 @@
 name: coprocessor
 description: A helm chart to distribute and deploy Zama fhevm Co-Processor services
-version: 0.9.0
+version: 0.9.1
 apiVersion: v2
 keywords:
   - fhevm

@@ -37,3 +37,27 @@
 {{- $snsWorkerNameDefault := printf "%s-%s" .Release.Name "sns-worker" }}
 {{- default $snsWorkerNameDefault .Values.snsWorker.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{- define "coprocessorDatabaseAuthMode" -}}
+{{- $authMode := default "password" .Values.commonConfig.database.authMode -}}
+{{- if not (or (eq $authMode "password") (eq $authMode "iam")) -}}
+{{- fail (printf "commonConfig.database.authMode must be either \"password\" or \"iam\", got %q" $authMode) -}}
+{{- end -}}
+{{- $authMode -}}
+{{- end -}}
+
+{{- define "coprocessorDatabaseEnv" -}}
+{{- $authMode := include "coprocessorDatabaseAuthMode" . -}}
+- name: DATABASE_URL
+  value: {{ .Values.commonConfig.databaseUrl | quote }}
+{{- if eq $authMode "iam" }}
+- name: DATABASE_IAM_AUTH_ENABLED
+  value: "true"
+{{- if .Values.commonConfig.database.iam.region }}
+- name: DATABASE_IAM_REGION
+  value: {{ .Values.commonConfig.database.iam.region | quote }}
+{{- end }}
+- name: DATABASE_SSL_ROOT_CERT_PATH
+  value: {{ required "commonConfig.database.iam.sslRootCertPath is required when authMode=iam" .Values.commonConfig.database.iam.sslRootCertPath | quote }}
+{{- end }}
+{{- end -}}
@@ -42,8 +42,7 @@ spec:
         image: {{ .Values.dbMigration.image.name }}:{{ .Values.dbMigration.image.tag }}
         command: ["/initialize_db.sh"]
         env:
-          - name: DATABASE_URL
-            value: {{ .Values.commonConfig.databaseUrl | quote }}
+{{- include "coprocessorDatabaseEnv" . | nindent 10 }}
         {{- with .Values.commonConfig.env }}
           {{- toYaml . | nindent 10 }}
         {{- end }}

@@ -74,8 +74,7 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           env:
-            - name: DATABASE_URL
-              value: {{ .Values.commonConfig.databaseUrl | quote }}
+{{- include "coprocessorDatabaseEnv" . | nindent 12 }}
             - name: GATEWAY_URL
               value: {{ .Values.commonConfig.gatewayUrl | quote }}
             - name: INPUT_VERIFICATION_ADDRESS

@@ -73,8 +73,7 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           env:
-            - name: DATABASE_URL
-              value: {{ .Values.commonConfig.databaseUrl | quote }}
+{{- include "coprocessorDatabaseEnv" . | nindent 12 }}
             - name: ETHEREUM_RPC_URL
               value: {{ .Values.commonConfig.hostChainWsUrl | quote }}
             - name: ACL_CONTRACT_ADDRESS

@@ -67,8 +67,7 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           env:
-            - name: DATABASE_URL
-              value: {{ .Values.commonConfig.databaseUrl | quote }}
+{{- include "coprocessorDatabaseEnv" . | nindent 12 }}
             - name: ETHEREUM_RPC_URL
               value: {{ .Values.commonConfig.hostChainWsUrl | quote }}
             - name: ACL_CONTRACT_ADDRESS

@@ -71,8 +71,7 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           env:
-            - name: DATABASE_URL
-              value: {{ .Values.commonConfig.databaseUrl | quote }}
+{{- include "coprocessorDatabaseEnv" . | nindent 12 }}
             - name: ETHEREUM_RPC_HTTP_URL
               value: {{ .Values.commonConfig.hostChainHttpUrl | quote }}
             - name: ACL_CONTRACT_ADDRESS

@@ -1,4 +1,5 @@
 {{- if .Values.config.enabled }}
+{{- $databaseAuthMode := include "coprocessorDatabaseAuthMode" . -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -21,12 +22,14 @@ data:
     else
       echo "skipping: secret ${COPROCESSOR_KEY_SECRET_NAME} already exists" 2>&1
     fi
-    DATABASE_SECRET_NAME="{{ .Values.config.database.secret.name }}"
-    DATABASE_SECRET_KEY="{{ .Values.config.database.secret.key }}"
-    if ! kubectl get secret ${DATABASE_SECRET_NAME}; then
-      DATABASE_SECRET_VALUE="{{ .Values.config.database.secret.value }}"
-      kubectl create secret generic ${DATABASE_SECRET_NAME} --from-literal ${DATABASE_SECRET_KEY}=${DATABASE_SECRET_VALUE}
-    else
-      echo "skipping: secret ${DATABASE_SECRET_NAME} already exists" 2>&1
+    if [ "{{ $databaseAuthMode }}" = "password" ]; then
+      DATABASE_SECRET_NAME="{{ .Values.config.database.secret.name }}"
+      DATABASE_SECRET_KEY="{{ .Values.config.database.secret.key }}"
+      if ! kubectl get secret ${DATABASE_SECRET_NAME}; then
+        DATABASE_SECRET_VALUE="{{ .Values.config.database.secret.value }}"
+        kubectl create secret generic ${DATABASE_SECRET_NAME} --from-literal ${DATABASE_SECRET_KEY}=${DATABASE_SECRET_VALUE}
+      else
+        echo "skipping: secret ${DATABASE_SECRET_NAME} already exists" 2>&1
+      fi
     fi
-{{- end }}
+{{- end }}
@@ -83,8 +83,7 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           env:
-            - name: DATABASE_URL
-              value: {{ .Values.commonConfig.databaseUrl | quote }}
+{{- include "coprocessorDatabaseEnv" . | nindent 12 }}
             - name: S3_BUCKET_NAME
               value: {{ .Values.snsWorker.config.s3BucketName | quote }}
           {{- if default .Values.commonConfig.tracing.enabled .Values.snsWorker.tracing.enabled }}

@@ -74,8 +74,7 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           env:
-            - name: DATABASE_URL
-              value: {{ .Values.commonConfig.databaseUrl | quote }}
+{{- include "coprocessorDatabaseEnv" . | nindent 12 }}
             - name: ACL_CONTRACT_ADDRESS
               value: {{ .Values.commonConfig.aclContractAddress | quote }}
           {{- if default .Values.commonConfig.tracing.enabled .Values.tfheWorker.tracing.enabled }}

@@ -98,8 +98,7 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           env:
-            - name: DATABASE_URL
-              value: {{ .Values.commonConfig.databaseUrl | quote }}
+{{- include "coprocessorDatabaseEnv" . | nindent 12 }}
             - name: GATEWAY_URL
               value: {{ .Values.commonConfig.gatewayUrl | quote }}
             - name: INPUT_VERIFICATION_ADDRESS

@@ -64,8 +64,7 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           env:
-            - name: DATABASE_URL
-              value: {{ .Values.commonConfig.databaseUrl | quote }}
+{{- include "coprocessorDatabaseEnv" . | nindent 12 }}
           {{- if default .Values.commonConfig.tracing.enabled .Values.zkProofWorker.tracing.enabled }}
             - name: OTEL_EXPORTER_OTLP_ENDPOINT
               value: {{ .Values.commonConfig.tracing.endpoint | quote }}

@@ -21,6 +21,20 @@ commonConfig:
   # Can use $(VAR_NAME) syntax to reference variables from commonConfig.env
   databaseUrl: "postgresql://postgres:postgres@postgresql:5432/coprocessor"
 
+  # Database authentication mode
+  database:
+    # `password` uses databaseUrl as-is (credentials embedded or via env).
+    # `iam` keeps databaseUrl passwordless and resolves short-lived IAM tokens
+    # at runtime using the pod's AWS identity.
+    authMode: password
+    iam:
+      # Optional when authMode=iam. If unset, the AWS SDK resolves the region
+      # from the environment (e.g. AWS_REGION set by IRSA). Set this only when
+      # connecting to a database in a different region.
+      region: ""
+      # Required when authMode=iam. The runtime enforces verify-full TLS.
+      sslRootCertPath: ""
+
   # Host chain configuration
   hostChainWsUrl: "ws://ethereum-node:8546"
   hostChainHttpUrl: "http://ethereum-node:8545"
@@ -88,11 +102,27 @@ config:
 
   # Database connection configuration
   database:
+    # `password` keeps the historical secret-backed DATABASE_URL.
+    # `iam` expects a passwordless PostgreSQL URL and resolves short-lived
+    # IAM tokens at runtime using the pod's AWS identity.
+    authMode: password
+
     secret:
       name: coprocessor-db-url
       key: coprocessor-db-url
       value: "postgresql://postgres:postgres@postgresql:5432/coprocessor"
 
+    iam:
+      # Example:
+      # postgresql://coprocessor@my-db.cluster-xyz.eu-west-2.rds.amazonaws.com:5432/coprocessor
+      url: ""
+      # Optional. If unset, the AWS SDK resolves the region from the
+      # environment (e.g. AWS_REGION set by IRSA). Set this only when
+      # connecting to a database in a different region.
+      region: ""
+      # Required when authMode=iam. The runtime enforces verify-full TLS.
+      sslRootCertPath: ""
+
   # Helm hook annotations for deployment ordering
   annotations:
     # "helm.sh/hook": "pre-install"

@@ -108,6 +108,12 @@ Options:
 
 For more details on configuration, please check [Coprocessor Configuration](docs/getting_started/fhevm/coprocessor/configuration.md)
 
+For AWS RDS/PostgreSQL IAM authentication, keep `DATABASE_URL` passwordless, for example
+`postgresql://coprocessor@my-db.cluster-xyz.eu-west-2.rds.amazonaws.com:5432/coprocessor`,
+and set `DATABASE_IAM_AUTH_ENABLED=true`. `DATABASE_IAM_REGION` and
+`DATABASE_SSL_ROOT_CERT_PATH` should also be set so the runtime can sign tokens for the correct
+region and enforce `verify-full` TLS with the expected CA bundle.
+
 ##### host-listener
 
 ```bash

@@ -47,3 +47,14 @@ Note that there are two thread pools in the Coprocessor backend:
 The tokio one (set via `--tokio-threads`) determines how many tokio threads are spawned. These threads are used for async tasks and should not be blocked.
 
 The FHE compute threads are the ones that actually run the FHE computation (set via `--coprocessor-fhe-threads`).
+
+#### RDS IAM Authentication
+
+When using AWS RDS/PostgreSQL IAM database authentication, `DATABASE_URL` should not contain a
+password. Use a URL such as
+`postgresql://coprocessor@my-db.cluster-xyz.eu-west-2.rds.amazonaws.com:5432/coprocessor` and
+set `DATABASE_IAM_AUTH_ENABLED=true`. The runtime will fetch AWS credentials from the default
+provider chain, generate 15-minute IAM tokens automatically, and refresh pooled connections before
+they expire. Set `DATABASE_IAM_REGION` and `DATABASE_SSL_ROOT_CERT_PATH` as well: the former pins
+token signing to the correct AWS region, and the latter is required for `verify-full` TLS against
+the RDS endpoint.