# PostgreSQL ### Overview This guide outlines the configuration steps for adding a PostgreSQL database as a resource in StrongDM. When a PostgreSQL resource is added, StrongDM proxies client connections through a [node](https://docs.strongdm.com/admin/networking) (gateway, relay, or proxy cluster). This enables centralized access control, credential management, and audit logging. StrongDM supports standard PostgreSQL clients and drivers that use the PostgreSQL wire protocol. To add a PostgreSQL datasource as a resource, you will need the database hostname, port, name, and a valid set of credentials. Optionally, you can store these credentials in a supported secrets manager and reference them from within StrongDM. The PostgreSQL server must be reachable from the selected StrongDM node and configured to accept connections from that node’s IP or network. TLS is supported and can be configured during setup. For cloud-hosted PostgreSQL instances (for example, AWS RDS), ensure that security groups or firewall rules permit access from StrongDM components. Use this guide to complete all necessary preparations to add this resource to your StrongDM environment; input the correct properties in the Admin UI, CLI, SDKs, or Terraform provider; and test for a successful connection. When done, you will be able to use the StrongDM Desktop application or CLI to connect to PostgreSQL. For general information about how to add a database as a resource in StrongDM, see our main guide, [Add a Datasource](https://docs.strongdm.com/admin/resources/datasources). ### Supported Versions and Clients {% hint style="info" %} StrongDM supports Postgres versions 14, 15, 16, 17, and 18. {% endhint %} StrongDM is generally compatible with all PostgreSQL clients. To ensure successful connections to Postgres via StrongDM, we recommend the following best practices: * Use recent, actively maintained versions of your PostgreSQL client. * Avoid enabling GSSAPI, Kerberos, or custom SSL unless StrongDM explicitly supports those mechanisms for your use case. * Test client connections in a non-production environment first, especially if using GUI tools or ORMs with abstracted configuration layers. ### Prerequisites To add a PostgreSQL database as a resource in StrongDM, you need to meet several technical and configuration prerequisites to ensure smooth connectivity, security, and monitoring. Please ensure that the following requirements are met. In StrongDM, you must have the following: * Administrator permission level * At least one operational node (gateway, relay, or proxy cluster) deployed in a location that can reach the resource's host and port over TCP (for PostgreSQL, the default port is 5432) * Valid database credentials (username and password) for the resource * If using secrets management tools for storing your database credentials, a Secret Store configured in StrongDM * Compatible version of PostgreSQL (generally version 9.6 or higher) * Connection tools such as psql or DBeaver to test the connection to the resource independently of StrongDM, if needed {% hint style="info" %} To verify that the resource is accessible by the node, log in to the gateway or relay and use Netcat: `nc -zv ` (in this example, `nc -zv testdb-01.fancy.org 3306`). If your gateway server can connect to this hostname, proceed. Netcat is a tool for checking various hostnames and ports by either sending data (a ping) or checking for listeners on the ports. The command in the aforementioned example use "-z" to check for listeners without sending data and "-v" to show verbose output. If you don't have Netcat, you can install the Netcat package with whatever package manager you are using, such as "apt-get install netcat". {% endhint %} On the PostgreSQL side, you must have the following: * Database user with appropriate privileges (SELECT for read-only, CRUD for admin use) * Authentication information, including the host, port, database name, username, and password * TLS/SSL set up to enable encryption, if required by your organization * For RDS IAM-authenticated instances, IAM roles and rds-db:connect policies correctly applied to the StrongDM node * Cloud-specific adjustments, if necessary, such as disabling incompatible settings (for example, request signing protocols) on managed PostgreSQL services * Ability to test reachability from the StrongDM node using tools such as telnet or psql, and confirm DNS resolution ### Resource Management in StrongDM After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs. {% tabs %} {% tab title="Admin UI" %} **Set up and Manage With the Admin UI** If using the Admin UI to add Citus as a resource to StrongDM, use the following steps. 1. Log in to the StrongDM Admin UI. 2. Go to **Resources** > **Managed Resources**. 3. Click **Add Resource**. 4. For **Resource Type**, select **PostgreSQL** or **PostgreSQL (mTLS)**. 5. Complete all required [configuration properties](#configuration-properties) for your selected datasource type. 6. Click **Create** to save the resource. 7. Click the resource name to view status, diagnostic information, and setting details. {% endtab %} {% tab title="CLI" %} **Set up and Manage With the CLI** This section provides an example of how to add the resource using the StrongDM CLI. For more information and examples, please see the [CLI Reference](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli) documentation. ``` # Add a PostgreSQL datasource sdm admin datasources add postgres --name "pg-prod" --hostname "db.example.com" --port 5432 --database "production" --username "sdm_user" --password "secret" --scheme "postgres" --port-override 15432 --secret-store-id "ss-abcdef123456" --tags "env:prod,team:data" --tls-required true --ca-cert "$(cat ca.crt)" --client-cert "$(cat client.crt)" --client-key "$(cat client.key)" ``` {% endtab %} {% tab title="Terraform" %} **Set up and Manage With Terraform** This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the [Terraform provider](https://github.com/strongdm/terraform-provider-sdm) documentation. ``` # Install StrongDM provider terraform { required_providers { sdm = { source = "strongdm/sdm" version = "16.5.0" } } } # Configure StrongDM provider provider "sdm" { # Add API access key and secret key from Admin UI api_access_key = "njjSn...5hM" api_secret_key = "ziG...=" } # Create resource resource "sdm_postgres" "pg_prod" { name = "pg-prod" hostname = "db.example.com" port = 5432 database = "production" username = "sdm_user" password = "secret" scheme = "postgres" port_override = 15432 secret_store_id = "ss-abcdef123456" tags = { env = "prod" team = "data" } tls_required = true ca_cert = file("ca.crt") client_cert = file("client.crt") client_key = file("client.key") } ``` {% endtab %} {% tab title="SDKs" %} **Set up and manage with SDKs** In addition to the Admin UI, CLI, and Terraform, you may configure and manage your resource with any of the following SDK options: Go, Java, Python, and Ruby. Please see the following references for more information and examples. | Language | Reference | GitHub | Examples | | ------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------- | ------------------------------------------------------------------------------- | | Go | [pkg.go.dev](https://pkg.go.dev/github.com/strongdm/strongdm-sdk-go/v16) | [strongdm-sdk-go](https://github.com/strongdm/strongdm-sdk-go) | [Go SDK Examples](https://github.com/strongdm/strongdm-sdk-go-examples) | | Java | [javadoc](https://strongdm.github.io/strongdm-sdk-java-docs/) | [strongdm-sdk-java](https://github.com/strongdm/strongdm-sdk-java) | [Java SDK Examples](https://github.com/strongdm/strongdm-sdk-java-examples) | | Python | [pdocs](https://strongdm.github.io/strongdm-sdk-python-docs/) | [strongdm-sdk-python](https://github.com/strongdm/strongdm-sdk-python) | [Python SDK Examples](https://github.com/strongdm/strongdm-sdk-python-examples) | | Ruby | [RubyDoc](https://www.rubydoc.info/gems/strongdm) | [strongdm-sdk-ruby](https://github.com/strongdm/strongdm-sdk-ruby) | [Ruby SDK Examples](https://github.com/strongdm/strongdm-sdk-ruby-examples) | | {% endtab %} | | | | | {% endtabs %} | | | | ## **Configuration Properties** The following configuration properties are required to define a PostgreSQL datasource in StrongDM. Please note that we provide two different versions of the PostgreSQL datasource type: PostgreSQL and PostgreSQL (mTLS). The mutual TLS (mTLS) version of this datasource type is available if you need certificates to reach the PostgreSQL port, rather than username and password. This is of particular importance with GCP-hosted Postgres, for which it is the default expected behavior. {% tabs %} {% tab title="PostgreSQL" %} | Property | Requirement | Description | | --------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Display Name** | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) | | **Resource Type** | Required | **PostgreSQL** | | **Proxy Cluster** | Required | Defaults to "None (use gateways)"; if using [proxy clusters](https://docs.strongdm.com/admin/networking/proxy-clusters), select the appropriate cluster to proxy traffic to this resource | | **Hostname** | Required | Hostname for the resource; must be accessible to a gateway or relay | | **Port** | Required | Port to use when connecting to the resource; default port value is **5432** | | **Connectivity Mode** | Required | Select either **Virtual Networking Mode**, which lets users connect to the resource with a software-defined, IP-based network; or **Loopback Mode**, which allows users to connect to the resource using the local loopback adapter in their operating system | | **IP Address** | Optional | If **Virtual Networking Mode** is the selected connectivity mode, an IP address value in the range `100.64.0.1` to `100.127.255.252` (default `100.64.100.100`); optionally change the default value for Virtual Networking Mode to your preferred IP address value, as long as it's a valid IP address defined by your organization settings; edit either on this form or later on the Admin UI's Port Overrides page after the resource is created; if **Loopback Mode** is the selected connectivity mode, the IP address value must be within the range of `127.0.0.1` to `127.0.0.34` | | **Port Override** | Optional | If **Virtual Networking Mode** is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource; if **Loopback Mode** is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource; when left empty, the system assigns the default port to this resource; preferred port also can be modified later from the [Port Overrides settings](https://docs.strongdm.com/admin/resources/port-overrides) | | **DNS** | Optional | If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, `k8s.my-organization-name`) instead of the bind address that includes IP address and port (for example, `100.64.100.100:5432`) | | **Secret Store** | Optional | Credential store location; defaults to none (credentials are stored in StrongDM resource configuration) | | **Username** | Required | Username to utilize when connecting to this datasource; displays when Secret Store integration is not configured for your organization and chosen as the value of **Secret Store** | | **Password** | Required | Password for the user connecting to this datasource; displays when Secret Store integration is not configured for your organization and chosen as the value of **Secret Store** | | **Username (path)** | Required | Path to the secret in your Secret Store location (for example, `path/to/credential?key=optionalKeyName` where key argument is optional); required when using a non-StrongDM Secret Store type | | **Password (path)** | Required | Path to the secret in your Secret Store location (for example, `path/to/credential?key=optionalKeyName` where key argument is optional); required when using a non-StrongDM Secret Store | | **Override Database** | Optional | By default, StrongDM will limit all connections to the configured PostgreSQL database; uncheck the box to disable this option | | **Resource Tags** | Optional | Datasource [Tags](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli/tags "mention") consisting of key-value pairs `=` (for example, `env=dev`) | | {% endtab %} | | | {% tab title="PostgreSQL (mTLS)" %} | Property | Requirement | Description | | ----------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Display Name** | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) | | **Resource Type** | Required | **PostgreSQL (mTLS)** | | **Hostname** | Required | Hostname for the resource; must be accessible to a gateway or relay | | **Port** | Required | Port to use when connecting to the resource; default port value is **5432** | | **Connectivity Mode** | Required | Select either **Virtual Networking Mode**, which lets users connect to the resource with a software-defined, IP-based network; or **Loopback Mode**, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if [Virtual Networking Mode](https://docs.strongdm.com/admin/clients/client-networking/virtual-networking-mode) enabled for your organization | | **IP Address** | Optional | If **Virtual Networking Mode** is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if **Loopback Mode** is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, `127.0.0.1`); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if [Virtual Networking Mode](https://docs.strongdm.com/admin/clients/client-networking/virtual-networking-mode) and/or [multi-loopback mode](https://docs.strongdm.com/admin/clients/client-networking/loopback-ip-ranges) is enabled for your organization | | **Port Override** | Optional | If **Virtual Networking Mode** is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if **Loopback Mode** is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the [Port Overrides settings](https://docs.strongdm.com/admin/resources/port-overrides) | | **DNS** | Optional | If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, `k8s.my-organization-name`) instead of the bind address that includes IP address and port (for example, `100.64.100.100:5432`) | | **Database** | Required | Database name you would like to connect to using this datasource | | **Secret Store** | Optional | Credential store location; defaults to none (credentials are stored in StrongDM resource configuration) | | **Username** | Required | Username to utilize when connecting to this datasource; displays when Secret Store integration is not configured for your organization or when StrongDM serves as the secret store | | **Password** | Required | Password for the user connecting to this datasource; displays when Secret Store integration is not configured for your organization or when StrongDM serves as the secret store | | **Username (path)** | Required | Path to the secret in your Secret Store location (for example, `path/to/credential?key=optionalKeyName` where key argument is optional); required when using a non-StrongDM Secret Store type | | **Password (path)** | Required | Path to the secret in your Secret Store location (for example, `path/to/credential?key=optionalKeyName` where key argument is optional); required when using a non-StrongDM Secret Store type | | **Server CA** | Required | This field is shown when Secret Store integration is not configured for your organization, or when it is and StrongDM is the selected Secret Store type; paste the server certificate (plaintext or Base64-encoded), or import a PEM file | | **Server CA (path)** | Required | If Secret Store integration is configured for your organization *and* you selected a Secret Store type that is *not* StrongDM, enter the path to the secret in your Secret Store (for example, `path/to/credential?key=optionalKeyName`); the key argument is optional | | **Client Certificate** | Required | This field is shown when Secret Store integration is not configured for your organization, or when it is and StrongDM is the selected Secret Store type; paste the client certificate (plaintext or Base64-encoded), or import a PEM file | | **Client Certificate (path)** | Required | If Secret Store integration is configured for your organization *and* you selected a Secret Store type that is *not* StrongDM, enter the path to the secret in your Secret Store (for example, `path/to/credential?key=optionalKeyName`); the key argument is optional | | **Client Key** | Required | This field is shown when Secret Store integration is not configured for your organization, or when it is and StrongDM is the selected Secret Store type; paste the client key (plaintext or Base64-encoded), or import a PEM file | | **Client Key (path)** | Required | If Secret Store integration is configured for your organization *and* you selected a Secret Store type that is *not* StrongDM, enter the path to the secret in your Secret Store (for example, `path/to/credential?key=optionalKeyName`); the key argument is optional | | **Override Database** | Optional | By default, StrongDM will limit all connections to the configured PostgreSQL database; uncheck the box to disable this option | | **Resource Tags** | Optional | Datasource [Tags](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli/tags "mention") consisting of key-value pairs `=` (for example, `env=dev`) | | {% endtab %} | | | | {% endtabs %} | | | ### Secret Store options By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool. Non-StrongDM options appear in the **Secret Store** dropdown if they are created under **Network** > **Secret Stores**. When you select another Secret Store type, its unique properties display. For more details, see [Configure Secret Store Integrations](https://docs.strongdm.com/admin/access/secret-stores). ### Resource status After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the **Health** icon indicates a positive, green status. When the resource does not display a positive status, click the resource name to go to the **Diagnostics** tab and check for errors. ## Test the Connection After you have added your resource to StrongDM, follow these steps to test the connection to it and verify that a newly added PostgreSQL resource in StrongDM is functioning correctly. 1. Assign yourself access by ensuring that your user or role has access to the PostgreSQL resource. In the StrongDM Admin UI, go to **Access** > **Roles**, and verify that the PostgreSQL resource is attached to a role you’re in. 2. In the CLI, run `sdm status` to list the available datasources. Confirm that the PostgreSQL resource is available. 3. Launch a PostgreSQL client tool (for example, psql, DBeaver, or DataGrip) and connect to the resource. For example, if using the CLI and psql: ```bash sdm connect pg-prod ``` This will open a shell with environment variables such as `PGHOST`, `PGPORT`, and `PGUSER` set to use StrongDM. 4. Then test it: ```bash psql "$PGDATABASE" ``` 5. Once connected, run a simple SQL command to confirm the connection is functional: ```bash SELECT version(); ``` 6. You can also try querying a known table if one exists: ```bash SELECT * FROM information_schema.tables LIMIT 5; ``` 7. In the StrongDM Admin UI, go to **Logs** > **Queries** to check the audit logs and confirm your session and SQL statements are captured. 8. If you set TLS to be required, inspect the connection to ensure TLS is used (`sslmode=verify-full` or the equivalent should be set). {% hint style="info" %} Users (not admins) can check the connection in a similar but simplified manner. If they are assigned to a role that grants access to the resource, they can run `sdm connect ` in the CLI or connect via a GUI (like DBeaver) using StrongDM locally. Users can only validate the connection by using the resource; that is, by logging in and running SQL commands (for example, `SELECT version();`). {% endhint %} ## Troubleshooting If you are unable to connect to the resource, try the following: 1. Ensure that all the prerequisites are met. 2. Check the resource configuration details and ensure that all properties are set correctly. 3. Run `sdm status` in the CLI and confirm the resource appears in your list of accessible datasources. 4. Ensure your user is assigned to a role that has access to the PostgreSQL resource. 5. Check the node status to ensure that the gateway, relay, or proxy node can reach the PostgreSQL host and port. SSH into the node (if allowed) and run `nc -zv db.example.com 5432`. 6. Confirm that your PostgreSQL instance allows inbound traffic from your StrongDM node's IP or subnet. 7. For AWS-hosted databases, check VPC security groups and NACLs. 8. Check that the username and password (or secret store reference) are correct. Try connecting manually with psql using those credentials, bypassing StrongDM to isolate the issue. 9. If you're using a secrets manager, ensure the secret paths are correct. Check that StrongDM has appropriate permissions or IAM roles to retrieve them. In the Admin UI, verify that the secrets are resolving (not marked as invalid). 10. If `tls_required` is enabled, verify that thePostgreSQL server supports TLS and is properly configured (`ssl=on` in `postgresql.conf`). Also check that StrongDM was given the correct ca\_cert, client\_cert, and client\_key. 11. Ensure that certificates are not expired, match the server’s expected common name (CN)m and are PEM-encoded and valid. 12. Check the logs in the StrongDM Admin UI. Go to **Logs** > **Connections** or **Logs** > **Queries** and look for auth failures, timeouts, TLS handshake errors, and secret resolution errors. 13. In the CLI, run `sdm connect --verbose` to get more debug info during the connection process. 14. You can also test outside of StrongDM to understand if the issue is with PostgreSQL itself. For example, use `psql -h db.example.com -U sdm_user -d production`. If you still encounter issues, please consult the [StrongDM Help Center](https://help.strongdm.com/hc/en-us). Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health: * Resource name or ID * CLI error output or logs * Node name and region * Timestamps of failed attempts --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/admin/resources/datasources/postgresql.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.