Abbas

Reputation: 4069

Understanding EdgeDB Password Management

I have a containerized setup with PostgreSQL in one container and EdgeDB in another, with EdgeDB connecting to the remote PostgreSQL instance. Initially, the EdgeDB password was set using the EDGEDB_SERVER_PASSWORD environment variable defined in a .env file.

To apply schema migrations and update the EdgeDB password, I've been restarting the EdgeDB container with the updated password in EDGEDB_SERVER_PASSWORD and new migration files. However, the password change does not take effect. I've also tried using EDGEDB_SERVER_BOOTSTRAP_COMMAND to alter the password, but this also does not work and does not give any warnings or errors.

I need help understanding the expected behavior of EDGEDB_SERVER_PASSWORD and EDGEDB_SERVER_BOOTSTRAP_COMMAND within the context of my containerized EdgeDB setup. I'm particularly interested in understanding how I can rotate the EdgeDB server password periodically.

Files to reproduce the issue:

Docker file:

services:
  postgres:
    image: postgres:15
    container_name: postgres
    environment:
      POSTGRES_DB: ${POSTGRES_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    ports:
      - "5432:5432"
    volumes:
      - pgdata:/var/lib/postgresql/data
    networks:
      custom_network:
        ipv4_address: 172.1.1.10

  edgedb:
    image: edgedb/edgedb:latest
    depends_on:
      - postgres
    environment:
      EDGEDB_SERVER_BACKEND_DSN: ${EDGEDB_SERVER_BACKEND_DSN}
      EDGEDB_SERVER_USER: ${EDGEDB_SERVER_USER}
      EDGEDB_SERVER_PASSWORD: ${EDGEDB_SERVER_PASSWORD}
      EDGEDB_SERVER_DEFAULT_BRANCH: ${EDGEDB_SERVER_DEFAULT_BRANCH}
      EDGEDB_SERVER_TLS_CERT: ${EDGEDB_SERVER_TLS_CERT}
      EDGEDB_SERVER_TLS_KEY: ${EDGEDB_SERVER_TLS_KEY}
      EDGEDB_SERVER_TLS_CERT_MODE: "require_file"
      EDGEDB_LOCAL_DSN: ${EDGEDB_LOCAL_DSN}
      EDGEDB_SERVER_BOOTSTRAP_COMMAND: ${EDGEDB_SERVER_BOOTSTRAP_COMMAND}
      # EDGEDB_SERVER_BOOTSTRAP_COMMAND: "ALTER ROLE projectid SET password := 'SPIY_xH2RSfL9lBdd'"
      EDGEDB_SERVER_LOG_LEVEL: "debug"
    ports:
      - "5656:5656"
    volumes:
      - edgedb_data:/var/lib/edgedb/data
    networks:
      custom_network:
        ipv4_address: 172.1.1.20

volumes:
  pgdata:
  edgedb_data:

networks:
  custom_network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.1.1.0/24

ENV File

POSTGRES_PASSWORD="9fjzoJsIIPoerQFr"
EDGEDB_SERVER_PASSWORD="48abXQXQAMZ8D9RK"
EDGEDB_SERVER_TLS_CERT="<PEM certificate omitted>"
EDGEDB_SERVER_TLS_KEY="<PEM RSA private key omitted>"
POSTGRES_USER="projectid"
POSTGRES_DB="projectid"
EDGEDB_SERVER_USER="projectid"
EDGEDB_SERVER_DEFAULT_BRANCH="projectid"
EDGEDB_SERVER_BACKEND_DSN="postgres://projectid:9fjzoJsIIPoerQFr@postgres:5432/projectid"
EDGEDB_SERVER_BOOTSTRAP_COMMAND="CREATE SUPERUSER ROLE projectid {SET password := '48abXQXQAMZ8D9RD'};"
EDGEDB_LOCAL_DSN="edgedb://projectid:[email protected]/projectid"

Upvotes: 0

Views: 12
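
Added example (not part of the original question and not EdgeDB project code): on the assumption, per EdgeDB's Docker documentation, that EDGEDB_SERVER_PASSWORD and EDGEDB_SERVER_BOOTSTRAP_COMMAND only take effect the first time an instance is bootstrapped, a rotation on an existing instance is issued as an ALTER ROLE statement over an already authenticated connection. The function names, and the edgedb CLI reading its connection settings from the environment, are assumptions.

```shell
#!/bin/sh
# Added example: rotate an EdgeDB role password on a running instance.
# Assumptions: the `edgedb` CLI is installed and can authenticate with the
# current credentials from its environment; function names are hypothetical.

# Generate a password from [A-Za-z0-9] only, so it never needs EdgeQL escaping.
# tr -dc discards the other bytes, so the remaining characters stay uniform.
gen_password() {
    len="${1:-24}"
    pw=""
    while [ "${#pw}" -lt "$len" ]; do
        pw="$pw$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s' "$pw" | cut -c "1-$len"
}

# Build the ALTER ROLE statement, refusing any input that could break out of
# the role identifier or the single-quoted string literal.
build_alter_role() {
    role="$1"; new_pw="$2"
    case "$role" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "invalid role name" >&2; return 1 ;;
    esac
    case "$new_pw" in
        ''|*[!A-Za-z0-9]*)
            echo "invalid password characters" >&2; return 1 ;;
    esac
    printf "ALTER ROLE %s { SET password := '%s' };" "$role" "$new_pw"
}

# Apply the rotation against the running instance and emit the new secret.
rotate_password() {
    role="$1"
    new_pw="$(gen_password 24)" || return 1
    stmt="$(build_alter_role "$role" "$new_pw")" || return 1
    # The statement is passed on argv and is visible in the local process
    # list while the CLI runs, so run this inside a trusted container or host.
    edgedb query "$stmt" >/dev/null || return 1
    # Hand the value to the secret store that feeds client DSNs.
    printf '%s\n' "$new_pw"
}

# Only rotate when explicitly asked: sh rotate.sh --rotate projectid
if [ "${1:-}" = "--rotate" ]; then
    rotate_password "${2:-}"
fi
```

After a successful rotation, client-side values that embed the old password (such as the DSN variables in the .env file) have to be updated from the same secret store.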

Answers (0)