Database credentials should never be stored in config files. Use environment variables or a secrets directory instead.
Set the following environment variables:
export DJ_HOST=db.example.com
export DJ_USER=alice
export DJ_PASS=secretThese take priority over all other configuration sources.
Create a .secrets/ directory next to your datajoint.json:
myproject/
├── datajoint.json
└── .secrets/
├── database.user # Contains: alice
└── database.password # Contains: secret
Each file contains a single secret value (no JSON, just the raw value).
Add .secrets/ to your .gitignore:
# .gitignore
.secrets/
Mount secrets at /run/secrets/datajoint/:
# docker-compose.yml
services:
app:
volumes:
- ./secrets:/run/secrets/datajoint:roIf credentials are not provided via environment variables or secrets, DataJoint will prompt for them when connecting:
>>> import datajoint as dj
>>> dj.conn()
Please enter DataJoint username: alice
Please enter DataJoint password:You can also set credentials in Python (useful for testing):
import datajoint as dj
dj.config.database.user = "alice"
dj.config.database.password = "secret"Note that password uses SecretStr internally, so it will be masked in logs and repr output.
To change your database password, use your database's native tools:
ALTER USER 'alice'@'%' IDENTIFIED BY 'new_password';Then update your environment variables or secrets file accordingly.