Azure PostgreSQL

Learn how to add Azure PostgreSQL as a datasource in StrongDM.

Overview

This guide explains how to add an Azure Database for PostgreSQL to StrongDM using standard username and password authentication. When configured, StrongDM proxies client connections through a gateway, relay, or proxy cluster, allowing centralized credential management, access control, and audit logging.

When you add an Azure PostgreSQL resource, StrongDM proxies client connections through a node (gateway, relay, or proxy cluster). This provides centralized access control, credential management, and auditing.

Use this guide to configure the connection properties, add the resource in StrongDM, and test client connectivity.

For general information about how to add a database as a resource in StrongDM, see our main guide, Add a Datasource.

Supported Versions and Clients

StrongDM supports Azure Database for PostgreSQL Flexible Server and Single Server instances configured for Azure AD authentication.

Any standard PostgreSQL client or driver can connect through StrongDM, including:

psql CLI
GUI clients (DBeaver, DataGrip)
Applications and frameworks using PostgreSQL drivers

Managed Identity authentication must be enabled on the Azure PostgreSQL server. The managed identity must be mapped to a corresponding PostgreSQL role with appropriate privileges.

Prerequisites

To add your resource in StrongDM, you need to meet several technical and configuration prerequisites. Please ensure that the following requirements are met.

In StrongDM, you must have the following:

Administrator permission level
At least one operational StrongDM node (gateway, relay, or proxy cluster) must have network access to the target Azure PostgreSQL endpoint
If using secrets management tools for storing your credentials, a Secret Store configured in StrongDM

To verify that the resource is accessible by the node, log in to the gateway or relay and use Netcat: nc -zv <HOSTNAME> <PORT> (in this example, nc -zv testdb-01.fancy.org 3306). If your gateway server can connect to this hostname, proceed.

Netcat is a tool for checking various hostnames and ports by either sending data (a ping) or checking for listeners on the ports. The command in the aforementioned example use "-z" to check for listeners without sending data and "-v" to show verbose output. If you don't have Netcat, you can install the Netcat package with whatever package manager you are using, such as "apt-get install netcat".

On the Azure side, you must have the following:

Azure Database for PostgreSQL server provisioned (Flexible Server or Single Server)
PostgreSQL user account created with the appropriate privileges (for example, read-only for analytics or full CRUD for admin use)
Server firewall rules or VNet/Private Link access configured so that the StrongDM nodes can connect to the PostgreSQL server
SSL/TLS enabled, as Azure requires encrypted connections by default. Ensure you have downloaded the Azure CA certificate if certificate validation is required in your environment.
Correct username format, depending on your server type:
- Flexible Server: usually just username
- Single Server: username@servername format (for example, dbuser@mypgserver)

Resource Management in StrongDM

After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

Set up and Manage With the Admin UI

If using the Admin UI to add Azure Database for PostgreSQL as a StrongDM resource, use the following steps.

Log in to the StrongDM Admin UI.
Go to Resources > Datasources.
Click Add datasource.
Select Azure Database for PostgreSQL as the Datasource Type and set other configuration properties for your new database resource.
Complete all required fields.
Click Create to save the resource.
Click the resource name to view status, diagnostic information, and setting details.

Set up and Manage With the CLI

This section provides an example of how to add the resource using the StrongDM CLI. For more information and examples, please see the CLI Reference documentation.

# Add Azure Database for PostgreSQL datasource
sdm admin datasources add azurepostgres azure-pg-prod
  --hostname="mypgserver.postgres.database.azure.com"
  --port=5432
  --database="production"
  --username="dbuser@mypgserver"
  --password="secret"
  --tls-required
  --bind-interface="127.0.0.1"
  --egress-filter="tag:env=prod"
  --port-override="-1"
  --proxy-cluster-id="n-1a2b345c67890123"
  --secret-store-id="se-e1b2"
  --subdomain="azure-pg-prod"
  --tags="env=production,team=data"

# For Single Server deployments, the username must include the @servername suffix
# For Flexible Server, use just username

Set up and Manage With Terraform

This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the Terraform provider documentation.

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Azure Database for PostgreSQL resource
resource "sdm_azurepostgres" "azure_pg_prod" {
  name       = "azure-pg-prod"
  hostname   = "mypgserver.postgres.database.azure.com"
  port       = 5432
  database   = "production"
  username   = "dbuser@mypgserver"
  password   = "secret"

  # Networking / routing
  tls_required     = true
  bind_interface   = "127.0.0.1"
  egress_filter    = "tag:env=prod"
  port_override    = 12345
  proxy_cluster_id = "n-1a2b345c67890123"

  # Secrets / metadata
  secret_store_id = "se-e1b2"
  subdomain       = "azure-pg-prod"
  tags = {
    env  = "production"
    team = "data"
  }
}

Configuration Properties

The following configuration properties are required to define an Azure Database for PostgreSQL datasource in StrongDM. These settings control how StrongDM connects to the resource, authenticates the connection, and optionally uses encryption or secret management. Each property must be correctly configured to ensure connectivity and access enforcement through StrongDM.

Property

Requirement

Description

Display Name

Required

Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)

Datasource Type

Required

Azure Database for PostgreSQL

Proxy Cluster

Required

Defaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource

Hostname

Required

Hostname for your Azure database resource; must be accessible to a gateway or relay

Port

Required

Port to use when connecting to your Azure PostgreSQL database; default port value is 5432

Connectivity Mode

Required

Select either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode enabled for your organization

IP Address

Optional

If Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization

Port Override

Optional

If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings

DNS

Optional

If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)

Database

Required

Database name you would like to connect to using this datasource

Secret Store

Optional

Credential store location; defaults to Strong Vault; learn more about Secret Store options

Username

Required

Username to utilize when connecting to this datasource; displays when Secret Store integration is not configured for your organization or when StrongDM serves as the Secret Store type

Password

Required

Password for the user connecting to this datasource; displays when Secret Store integration is not configured for your organization or when StrongDM serves as the Secret Store type

Username (path)

Required

Path to the secret in your Secret Store location (for example, path/to/credential?key=optionalKeyName where key argument is optional); required when using a non-StrongDM Secret Store type

Password (path)

Required

Path to the secret in your Secret Store location (for example, path/to/credential?key=optionalKeyName where key argument is optional); required when using a non-StrongDM Secret Store type

Restrict Database

Optional

When selected, limits all connections to the configured database

Resource Tags

Optional

Datasource Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Secret Store options

By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings > Secrets Management. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Resource status

After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.

Test the Connection

After you have added your resource in StrongDM, follow these steps to verify that it’s working correctly.

Assign yourself access by ensuring that your user or role has access to the resource. In the StrongDM Admin UI, go to Access > Roles, and verify that the resource is attached to a role you’re in.
In the CLI, run sdm status to list the available datasources. Ensure that the resource appears in your list of accessible datasources.
Start a session to the resource, as in the following example:
```
sdm connect azure-pg-prod
```
This sets environment variables (such as MYSQL_HOST, MYSQL_PORT, and so forth). See the CLI Reference documentation for details on sdm connect.
Use psql to connect:
```
psql "$PGDATABASE"
```
Or connect manually:
```
psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDATABASE
```
Run a test query. If successful, you should see the PostgreSQL engine version.
```
SELECT version();
```
In the StrongDM Admin UI, check Logs > Connections and Logs > Queries to confirm the session and queries are logged.

When these steps succeed, you’re ready to connect to your resource through StrongDM.

Help

If you encounter issues, please consult the StrongDM Help Center.

Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health:

Resource name or ID
CLI error output or logs
Node name and region
Timestamps of failed attempts

Last updated 1 month ago

Was this helpful?

Overview

Supported Versions and Clients

Prerequisites

Resource Management in StrongDM

Set up and Manage With the Admin UI

Set up and Manage With the CLI

Set up and Manage With Terraform

Set up and manage with SDKs

Configuration Properties

Secret Store options

Resource status

Test the Connection

Help