neondatabase · tristan957 · Nov 26, 2025 · tristan957 · Dec 2, 2025
diff --git a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
@@ -150,7 +150,6 @@ libpqrcv_connect(const char *conninfo, bool replication, bool logical,
 /* BEGIN_NEON */
 	const char *keys[7];
 	const char *vals[7];
-	char * neon_auth_token = NULL;
 /* END_NEON */
 	int			i = 0;
 
@@ -212,16 +211,14 @@ libpqrcv_connect(const char *conninfo, bool replication, bool logical,
 /* BEGIN_NEON */
 	if (pg_strcasecmp(appname, "walreceiver") == 0)
 	{
-		neon_auth_token = getenv("NEON_AUTH_TOKEN");
-		if (neon_auth_token != NULL)
+		if (neon_storage_auth_token[0] != '\0')
 		{
-			elog(LOG, "Use NEON_AUTH_TOKEN to connect");
 			keys[++i] = "password";
-			vals[i] = neon_auth_token;
+			vals[i] = neon_storage_auth_token;
 		}
 		else
 		{
-			elog(LOG, "NEON_AUTH_TOKEN is undefined in the environment");
+			elog(LOG, "no storage authentication token set");
 		}
 	}
 /* END_NEON */

diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c
@@ -88,6 +88,7 @@
 int			wal_receiver_status_interval;
 int			wal_receiver_timeout;
 bool		hot_standby_feedback;
+char	   *neon_storage_auth_token;
 
 /* libpqwalreceiver connection */
 static WalReceiverConn *wrconn = NULL;
@@ -1392,6 +1393,22 @@ WalRcvGetStateString(WalRcvState state)
 	return "UNKNOWN";
 }
 
+/*
+ * We currently grant the privileged role pg_monitor, which implies
+ * pg_read_all_settings. Until we fix that, let's just redact the content unless
+ * the user requesting the value is a superuser.
+ *
+ * See: https://databricks.atlassian.net/browse/LKB-7128
+ */
+const char *
+show_neon_storage_auth_token(void)
+{
+	if (superuser())
+		return neon_storage_auth_token;
+
+	return "**********";
+}
+
 /*
  * Returns activity of WAL receiver, including pid, state and xlog locations
  * received from the WAL sender of another server.

diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
@@ -77,6 +77,7 @@
 #include "replication/slot.h"
 #include "replication/slotsync.h"
 #include "replication/syncrep.h"
+#include "replication/walreceiver.h"
 #include "storage/aio.h"
 #include "storage/bufmgr.h"
 #include "storage/bufpage.h"
@@ -5050,6 +5051,17 @@ struct config_string ConfigureNamesString[] =
 		check_log_connections, assign_log_connections, NULL
 	},
 
+	{
+		{"neon_storage_auth_token", PGC_SUSET, REPLICATION_STANDBY,
+			"Authentication token for Neon storage",
+			NULL,
+			GUC_NO_SHOW_ALL | GUC_NO_RESET | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_SUPERUSER_ONLY
+		},
+		&neon_storage_auth_token,
+		"",
+		NULL, NULL, show_neon_storage_auth_token,
+	},
+
 
 	/* End-of-list marker */
 	{

diff --git a/src/include/replication/walreceiver.h b/src/include/replication/walreceiver.h
@@ -28,6 +28,7 @@
 extern PGDLLIMPORT int wal_receiver_status_interval;
 extern PGDLLIMPORT int wal_receiver_timeout;
 extern PGDLLIMPORT bool hot_standby_feedback;
+extern PGDLLIMPORT char *neon_storage_auth_token;
 
 /*
  * MAXCONNINFO: maximum size of a connection string.
@@ -489,6 +490,8 @@ walrcv_clear_result(WalRcvExecResult *walres)
 pg_noreturn extern void WalReceiverMain(const void *startup_data, size_t startup_data_len);
 extern void WalRcvForceReply(void);
 
+extern const char *show_neon_storage_auth_token(void);
+
 /* prototypes for functions in walreceiverfuncs.c */
 extern Size WalRcvShmemSize(void);
 extern void WalRcvShmemInit(void);