# Azure PostgreSQL (Managed Identity) ### Overview This guide explains how to set up managed identities in the Microsoft Azure portal and set up StrongDM to use them to connect to Azure Database for PostgreSQL. The Azure PostgreSQL (Managed Identity) datasource type supports both user-assigned and system-assigned managed identities to authenticate to Azure Database for PostgreSQL. When you add an Azure PostgreSQL (Managed Identity) resource, StrongDM proxies client connections through a [node](https://docs.strongdm.com/admin/networking/gateways-and-relays) (gateway, relay, or proxy cluster). This provides centralized access control, credential management, and auditing, while eliminating the need to manage long-lived PostgreSQL passwords. StrongDM requests temporary access tokens from Azure Active Directory (Azure AD) using either a system-assigned or user-assigned managed identity. Use this guide to configure the connection properties, add the resource in StrongDM, and test client connectivity. For general information about how to add a database as a resource in StrongDM, see our main guide, [Add a Datasource](https://docs.strongdm.com/admin/resources/datasources). ## Supported Versions and Clients StrongDM supports **Azure Database for PostgreSQL Flexible Server** and **Single Server** instances configured for Azure AD authentication. Any standard PostgreSQL client or driver can connect through StrongDM, including: * `psql` CLI * GUI clients (DBeaver, DataGrip) * Applications and frameworks using PostgreSQL drivers {% hint style="info" %} Managed Identity authentication must be enabled on the Azure PostgreSQL server. The managed identity must be mapped to a corresponding PostgreSQL role with appropriate privileges. {% endhint %} ## Prerequisites To add your resource in StrongDM, you need to meet several technical and configuration prerequisites. Please ensure that the following requirements are met. In StrongDM, you must have the following: * Administrator permission level * At least one operational StrongDM node (gateway, relay, or proxy cluster) running in Azure with access to the managed identity * If using secrets management tools for storing your credentials, a Secret Store configured in StrongDM {% hint style="info" %} To verify that the resource is accessible by the node, log in to the gateway or relay and use Netcat: `nc -zv ` (in this example, `nc -zv testdb-01.fancy.org 3306`). If your gateway server can connect to this hostname, proceed. Netcat is a tool for checking various hostnames and ports by either sending data (a ping) or checking for listeners on the ports. The command in the aforementioned example use "-z" to check for listeners without sending data and "-v" to show verbose output. If you don't have Netcat, you can install the Netcat package with whatever package manager you are using, such as "apt-get install netcat". {% endhint %} On the Azure side, you must have the following: * Access to an Azure subscription with appropriate permissions to create user-assigned managed identities * Azure Virtual Machine (VM) with a StrongDM node (gateway, relay, or proxy worker) installed on it * Azure account with the Virtual Machine Contributor and Managed Identity Operator role assignments in order to assign managed identities to your VM. Note that no other Microsoft Entra (formerly Azure AD) directory role assignments are required. * At least one user-assigned managed identity already created, so you can assign it to the VM ## Azure Setup The following steps provide general instructions on what to do within Azure. For more detailed information, please consult Microsoft Azure documentation: * [Managed Identity Setup for Azure Database for PostgreSQL Single Server](https://learn.microsoft.com/azure/postgresql/single-server/how-to-connect-with-managed-identity) * [Managed Identity Setup for Azure Database for PostgreSQL Flexible Server](https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-connect-with-managed-identity) ### User-assigned managed identity If using a user-assigned managed identity, follow these steps. 1. Sign in to the Azure portal. You must use an account associated with the Azure subscription that contains the Azure VM that hosts your gateway or relay. 2. Assign a user-assigned managed identity to your VM. 3. Copy the client ID of that user-assigned managed identity for use in later steps. 4. Create a PostgreSQL user for the user-assigned managed identity. This can be done for Azure Database for PostgreSQL Single Server or Flexible Server. 5. Set up roles and permissions (for example, read or readwrite) on your database for the managed identity. This must be done so that the StrongDM gateway or relay can connect to it using the managed identity assigned to the gateway or relay's VM. {% hint style="info" %} Repeat these steps if you have more than one managed identity that needs access to the database. {% endhint %} ### System-assigned managed identity If using a system-assigned managed identity, follow these steps. 1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the Azure VM that hosts your gateway or relay. 2. If the VM was provisioned without a system-assigned managed identity, enable the system-assigned managed identity by changing its status to **On**. 3. Find the client ID of the system-assigned managed identity and copy it for use in later steps. The client ID may be obtained by using the Azure CLI, not the Azure portal, with `az ad sp list --display-name --query [*].appId --out tsv`. 4. Create a PostgreSQL user for the managed identity. This can be done for Azure Database for PostgreSQL Single Server or Azure Database for PostgreSQL Flexible Server. Note that the "managed identity name" for the system-assigned identity is the name of the VM. 5. Set up roles and permissions (for example, read or readwrite) on your database for the managed identity. This must be done so that the StrongDM gateway or relay can connect to it using the managed identity assigned to the gateway or relay's VM. ## Resource Management in StrongDM After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs. {% tabs %} {% tab title="Admin UI" %} **Set up and Manage With the Admin UI** If using the Admin UI to add Azure PostgreSQL (Managed Identity) as a StrongDM resource, use the following steps. 1. Log in to the StrongDM Admin UI. 2. Go to **Resources** > **Managed Resources**. 3. Click **Add Resource**. 4. Select **Azure PostgreSQL (Managed Identity)** as the **Resource Type** and set other [configuration properties](#configuration-properties) for your new database resource. 5. Complete all required fields. 6. Click **Create** to save the resource. 7. Click the resource name to [view status](#resource-status), diagnostic information, and setting details. {% endtab %} {% tab title="CLI" %} **Set up and Manage With the CLI** This section provides an example of how to add the resource using the StrongDM CLI. For more information and examples, please see the [CLI Reference](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli) documentation. ``` # Add Azure PostgreSQL (Managed Identity) datasource sdm admin datasources add azurepostgresmi azure-pg-mi-prod --hostname="mypg.postgres.database.azure.com" --port=5432 --database="production" --username="mi_user@mypg" --managed-identity-client-id="11111111-2222-3333-4444-555555555555" --tls-required --bind-interface="127.0.0.1" --egress-filter="tag:env=prod" --port-override="-1" --proxy-cluster-id="n-1a2b345c67890123" --secret-store-id="se-e1b2" --subdomain="azure-pg-mi-prod" --tags="env=production,team=data" Omit --managed-identity-client-id if you are using a system-assigned managed identity ``` {% endtab %} {% tab title="Terraform" %} **Set up and Manage With Terraform** This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the [Terraform provider](https://github.com/strongdm/terraform-provider-sdm) documentation. ``` # Install StrongDM provider terraform { required_providers { sdm = { source = "strongdm/sdm" version = "16.5.0" } } } # Configure StrongDM provider provider "sdm" { # Add API access key and secret key from Admin UI api_access_key = "njjSn...5hM" api_secret_key = "ziG...=" } # Create Azure PostgreSQL (Managed Identity) resource resource "sdm_azurepostgresmi" "azure_pg_mi_prod" { name = "azure-pg-mi-prod" hostname = "mypg.postgres.database.azure.com" port = 5432 database = "production" username = "mi_user@mypg" # For user-assigned identity; omit for system-assigned managed_identity_client_id = "11111111-2222-3333-4444-555555555555" # Networking / routing tls_required = true bind_interface = "127.0.0.1" egress_filter = "tag:env=prod" port_override = 12345 proxy_cluster_id = "n-1a2b345c67890123" # Secrets / metadata secret_store_id = "se-e1b2" subdomain = "azure-pg-mi-prod" tags = { env = "production" team = "data" } } ``` {% endtab %} {% tab title="SDKs" %} **Set up and manage with SDKs** In addition to the Admin UI, CLI, and Terraform, you may configure and manage your resource with any of the following SDK options: Go, Java, Python, and Ruby. Please see the following references for more information and examples. | Language | Reference | GitHub | Examples | | ------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------- | ------------------------------------------------------------------------------- | | Go | [pkg.go.dev](https://pkg.go.dev/github.com/strongdm/strongdm-sdk-go/v16) | [strongdm-sdk-go](https://github.com/strongdm/strongdm-sdk-go) | [Go SDK Examples](https://github.com/strongdm/strongdm-sdk-go-examples) | | Java | [javadoc](https://strongdm.github.io/strongdm-sdk-java-docs/) | [strongdm-sdk-java](https://github.com/strongdm/strongdm-sdk-java) | [Java SDK Examples](https://github.com/strongdm/strongdm-sdk-java-examples) | | Python | [pdocs](https://strongdm.github.io/strongdm-sdk-python-docs/) | [strongdm-sdk-python](https://github.com/strongdm/strongdm-sdk-python) | [Python SDK Examples](https://github.com/strongdm/strongdm-sdk-python-examples) | | Ruby | [RubyDoc](https://www.rubydoc.info/gems/strongdm) | [strongdm-sdk-ruby](https://github.com/strongdm/strongdm-sdk-ruby) | [Ruby SDK Examples](https://github.com/strongdm/strongdm-sdk-ruby-examples) | | {% endtab %} | | | | | {% endtabs %} | | | | ## **Configuration Properties** The following configuration properties are required to define an Azure PostgreSQL (Managed Identity) datasource in StrongDM. These settings control how StrongDM connects to the resource, authenticates the connection, and optionally uses encryption or secret management. Each property must be correctly configured to ensure connectivity and access enforcement through StrongDM. | Property | Requirement | Description | | ------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Display Name** | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) | | **Resource Type** | Required | **Azure PostgreSQL (Managed Identity)** | | **Proxy Cluster** | Required | Defaults to "None (use gateways)"; if using [proxy clusters](https://docs.strongdm.com/admin/networking/proxy-clusters), select the appropriate cluster to proxy traffic to this resource | | **Hostname** | Required | Hostname for your Azure PostgreSQL database resource; [must be accessible](#prerequisites) to a gateway or relay | | **Port** | Optional | Port to use when connecting to your Azure PostgreSQL database; default port value is **5432** | | **Connectivity Mode** | Required | Select either **Virtual Networking Mode**, which lets users connect to the resource with a software-defined, IP-based network; or **Loopback Mode**, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if [Virtual Networking Mode](https://docs.strongdm.com/admin/clients/client-networking/virtual-networking-mode) enabled for your organization | | **IP Address** | Optional | If **Virtual Networking Mode** is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if **Loopback Mode** is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, `127.0.0.1`); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if [Virtual Networking Mode](https://docs.strongdm.com/admin/clients/client-networking/virtual-networking-mode) and/or [multi-loopback mode](https://docs.strongdm.com/admin/clients/client-networking/loopback-ip-ranges) is enabled for your organization | | **Port Override** | Optional | If **Virtual Networking Mode** is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if **Loopback Mode** is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the [Port Overrides settings](https://docs.strongdm.com/admin/resources/port-overrides) | | **DNS** | Optional | If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, `k8s.my-organization-name`) instead of the bind address that includes IP address and port (for example, `100.64.100.100:5432`) | | **Database** | Required | Database name you would like to connect to using this datasource | | **Secret Store** | Optional | Credential store location; defaults to none (credentials are stored in StrongDM resource configuration); learn more about [Secret Store](#secret-store-options) options | | **Username** | Required | Username of the PostgreSQL user for your managed identity, which you created during [Azure setup](#azure-setup) | | **Username (path)** | Required | Path to the secret in your Secret Store location (for example, `path/to/credential?key=optionalKeyName` where key argument is optional); required when using a non-StrongDM Secret Store type | | **Client ID** | Required | Client ID of your managed identity in the Azure portal | | **Client ID (path)** | Required | Path to the secret in your Secret Store location (for example, `path/to/credential?key=optionalKeyName` where key argument is optional); required when using a non-StrongDM Secret Store type | | **Restrict Database** | Optional | When selected, limits all connections to the configured database | | **Use Azure Single Server Usernames** | Optional | If selected, the hostname is appended to the username when interacting with a `database.azure.com` address | | **Resource Tags** | Optional | Resource [Tags](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli/tags "mention") consisting of key-value pairs `=` (for example, `env=dev`) | ### Secret Store options By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool. Non-StrongDM options appear in the **Secret Store** dropdown if they are created under **Settings** > **Secrets Management**. When you select another Secret Store type, its unique properties display. For more details, see [Configure Secret Store Integrations](https://docs.strongdm.com/admin/access/secret-stores). ### Resource status After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the **Health** icon indicates a positive, green status. When the resource does not display a positive status, click the resource name to go to the **Diagnostics** tab and check for errors. ## Test the Connection After you have added your resource in StrongDM, follow these steps to verify that it’s working correctly. 1. Assign yourself access by ensuring that your user or role has access to the resource. In the StrongDM Admin UI, go to **Access** > **Roles**, and verify that the resource is attached to a role you’re in. 2. In the CLI, run `sdm status` to list the available datasources. Ensure that the resource appears in your list of accessible datasources. 3. Start a session to the resource, as in the following example: ```bash sdm connect azure-pg-mi-prod ``` \ This sets environment variables (such as `MYSQL_HOST`, `MYSQL_PORT`, and so forth). See the CLI Reference documentation for details on [sdm connect](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli/connect). 4. Use psql: ```bash psql "$PGDATABASE" ``` \ The password is replaced by a temporary token retrieved from Azure AD.\ \ Run a simple query to confirm: ```bash SELECT version(); ``` 5. In the StrongDM Admin UI, check **Logs > Queries** (and **Logs > Connections**) to confirm the session and queries are logged. When these steps succeed, you’re ready to connect to your resource through StrongDM. ### Help If you encounter issues, please consult the [StrongDM Help Center](https://help.strongdm.com/hc/en-us). Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health: * Resource name or ID * CLI error output or logs * Node name and region * Timestamps of failed attempts --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/admin/resources/datasources/azure-postgresql-managed-identity.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.