Azure PostgreSQL (Managed Identity)

Overview

This guide explains how to set up managed identities in the Microsoft Azure portal and set up StrongDM to use them to connect to Azure Database for PostgreSQL. The Azure PostgreSQL (Managed Identity) datasource type supports both user-assigned and system-assigned managed identities to authenticate to Azure Database for PostgreSQL.

When you add an Azure PostgreSQL (Managed Identity) resource, StrongDM proxies client connections through a node (gateway, relay, or proxy cluster). This provides centralized access control, credential management, and auditing, while eliminating the need to manage long-lived PostgreSQL passwords. StrongDM requests temporary access tokens from Azure Active Directory (Azure AD) using either a system-assigned or user-assigned managed identity.

Use this guide to configure the connection properties, add the resource in StrongDM, and test client connectivity.

For general information about how to add a database as a resource in StrongDM, see our main guide, Add a Datasource.

Supported Versions and Clients

StrongDM supports Azure Database for PostgreSQL Flexible Server and Single Server instances configured for Azure AD authentication.

Any standard PostgreSQL client or driver can connect through StrongDM, including:

• psql CLI

• GUI clients (DBeaver, DataGrip)

• Applications and frameworks using PostgreSQL drivers

Prerequisites

To add your resource in StrongDM, you need to meet several technical and configuration prerequisites. Please ensure that the following requirements are met.

In StrongDM, you must have the following:

• Administrator permission level

• At least one operational StrongDM node (gateway, relay, or proxy cluster) running in Azure with access to the managed identity

• If using secrets management tools for storing your credentials, a Secret Store configured in StrongDM

On the Azure side, you must have the following:

• Access to an Azure subscription with appropriate permissions to create user-assigned managed identities

• Azure Virtual Machine (VM) with a StrongDM node (gateway, relay, or proxy worker) installed on it

• Azure account with the Virtual Machine Contributor and Managed Identity Operator role assignments in order to assign managed identities to your VM. Note that no other Microsoft Entra (formerly Azure AD) directory role assignments are required.

• At least one user-assigned managed identity already created, so you can assign it to the VM

Azure Setup

The following steps provide general instructions on what to do within Azure. For more detailed information, please consult Microsoft Azure documentation:

• Managed Identity Setup for Azure Database for PostgreSQL Single Server

• Managed Identity Setup for Azure Database for PostgreSQL Flexible Server

User-assigned managed identity

If using a user-assigned managed identity, follow these steps.

1. Sign in to the Azure portal. You must use an account associated with the Azure subscription that contains the Azure VM that hosts your gateway or relay.

2. Assign a user-assigned managed identity to your VM.

3. Copy the client ID of that user-assigned managed identity for use in later steps.

4. Create a PostgreSQL user for the user-assigned managed identity. This can be done for Azure Database for PostgreSQL Single Server or Flexible Server.

5. Set up roles and permissions (for example, read or readwrite) on your database for the managed identity. This must be done so that the StrongDM gateway or relay can connect to it using the managed identity assigned to the gateway or relay's VM.

System-assigned managed identity

If using a system-assigned managed identity, follow these steps.

1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the Azure VM that hosts your gateway or relay.

2. If the VM was provisioned without a system-assigned managed identity, enable the system-assigned managed identity by changing its status to On.

3. Find the client ID of the system-assigned managed identity and copy it for use in later steps. The client ID may be obtained by using the Azure CLI, not the Azure portal, with az ad sp list --display-name <VM_NAME> --query [*].appId --out tsv.

4. Create a PostgreSQL user for the managed identity. This can be done for Azure Database for PostgreSQL Single Server or Azure Database for PostgreSQL Flexible Server. Note that the "managed identity name" for the system-assigned identity is the name of the VM.

5. Set up roles and permissions (for example, read or readwrite) on your database for the managed identity. This must be done so that the StrongDM gateway or relay can connect to it using the managed identity assigned to the gateway or relay's VM.

Resource Management in StrongDM

After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

# Add Azure PostgreSQL (Managed Identity) datasource
sdm admin datasources add azurepostgresmi azure-pg-mi-prod
  --hostname="mypg.postgres.database.azure.com"
  --port=5432
  --database="production"
  --username="mi_user@mypg"
  --managed-identity-client-id="11111111-2222-3333-4444-555555555555"
  --tls-required
  --bind-interface="127.0.0.1"
  --egress-filter="tag:env=prod"
  --port-override="-1"
  --proxy-cluster-id="n-1a2b345c67890123"
  --secret-store-id="se-e1b2"
  --subdomain="azure-pg-mi-prod"
  --tags="env=production,team=data"

Omit --managed-identity-client-id if you are using a system-assigned managed identity

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Azure PostgreSQL (Managed Identity) resource
resource "sdm_azurepostgresmi" "azure_pg_mi_prod" {
  name       = "azure-pg-mi-prod"
  hostname   = "mypg.postgres.database.azure.com"
  port       = 5432
  database   = "production"
  username   = "mi_user@mypg"

  # For user-assigned identity; omit for system-assigned
  managed_identity_client_id = "11111111-2222-3333-4444-555555555555"

  # Networking / routing
  tls_required     = true
  bind_interface   = "127.0.0.1"
  egress_filter    = "tag:env=prod"
  port_override    = 12345
  proxy_cluster_id = "n-1a2b345c67890123"

  # Secrets / metadata
  secret_store_id = "se-e1b2"
  subdomain       = "azure-pg-mi-prod"
  tags = {
    env  = "production"
    team = "data"
  }
}

Configuration Properties

The following configuration properties are required to define an Azure PostgreSQL (Managed Identity) datasource in StrongDM. These settings control how StrongDM connects to the resource, authenticates the connection, and optionally uses encryption or secret management. Each property must be correctly configured to ensure connectivity and access enforcement through StrongDM.

Secret Store options

By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings > Secrets Management. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Resource status

After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.

Test the Connection

After you have added your resource in StrongDM, follow these steps to verify that it’s working correctly.

1. Assign yourself access by ensuring that your user or role has access to the resource. In the StrongDM Admin UI, go to Access > Roles, and verify that the resource is attached to a role you’re in.

2. In the CLI, run sdm status to list the available datasources. Ensure that the resource appears in your list of accessible datasources.

3. Start a session to the resource, as in the following example:

   Copy

   sdm connect azure-pg-mi-prod

   This sets environment variables (such as MYSQL_HOST, MYSQL_PORT, and so forth). See the CLI Reference documentation for details on sdm connect.

4. Use psql:

   Copy

   psql "$PGDATABASE"

   The password is replaced by a temporary token retrieved from Azure AD. Run a simple query to confirm:

   Copy

   SELECT version();

5. In the StrongDM Admin UI, check Logs > Queries (and Logs > Connections) to confirm the session and queries are logged.

When these steps succeed, you’re ready to connect to your resource through StrongDM.

Help

If you encounter issues, please consult the StrongDM Help Center.

Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health:

• Resource name or ID

• CLI error output or logs

• Node name and region

• Timestamps of failed attempts