PostgreSQL Secret Engine

Note: This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.

StrongDM Vault has a secret engine for PostgreSQL. This secret engine can be used to manage and rotate credentials within PostgreSQL itself as well as in a backing secret store. The copies kept on the secret store can then be used to facilitate user connection through StrongDM to resources using those credentials, which are rotated in tandem with the ones on PostgreSQL, ensuring the two copies are kept in sync.

The PostgreSQL connection is set up with either the StrongDM Admin UI or the StrongDM CLI. The process generally involves providing PostgreSQL configuration information so that StrongDM nodes can connect to the PostgreSQL database and perform secret updates within PostgreSQL. Once the connection is established, the secrets are rotated on PostgreSQL at the same time as they are rotated and stored in the backing secret store.

If you do not already have a secret store (StrongDM Vault or a supported cloud secret store provider) configured with StrongDM, do that first by following one of the guides in the Secret Stores section.

Prerequisites

For StrongDM, the following requirements must be met:

  • You must be a StrongDM account administrator.

  • At least one StrongDM node (gateway or proxy cluster) must be authorized for the necessary operations, both for API operations and for network traffic to the secret engine and/or vault. The node(s) must be at version 51.73.0 or higher.

  • At least one secret store (either StrongDM Vault or one of the supported cloud providers) must be configured.

For PostgreSQL, the following requirements must be met:

  • The user must have the privilege to change passwords for users.

  • Authorization details must be provided during configuration.

  • Relevant PostgreSQL traffic ports should be open.

  • The user that is used to set up the secret engine must have the CREATEROLE permission.

Create a secret engine

To add a new secret engine in the Admin UI, follow these steps.

  1. In the Admin UI, go to Settings > Secrets Management.

  2. Select the Secret Engines tab and click Add secret engine.

  3. On the dialog that displays, select PostgreSQL. Then set the following properties and click Save.

Note: Configuring password rotation or complexity settings here provides a default for secrets created and managed by this secret engine. If you create an individual secret with this engine but change these settings on that individual secret, the settings on the secret are followed. For example, if you do not provide any default rotation settings for the engine, secrets created with it will, by default, not have any of these settings configured. If you configure a rotation time of one hour for one particular secret, it will be rotated hourly, disregarding the secret engine configuration.

Secret engine properties

These properties are required, other than Tags.

| Property | Requirement | Description |
|---|---|---|
| Name | Required | Descriptive name that clearly indicates what the engine is for |
| Secret Store | Required | Secret store where the secrets you wish to manage are located |
| Secret Store Root Path | Required | Path to the secret store where the secrets are located, for example, /secret/data/ad |
| Select node(s) | Required | Node(s) (gateways, relays, proxy clusters) to be used to contact your secret store; does not have to be filled out to create the engine, but is required to function |
| Select or add tags | Optional | Tags for organizing and interacting with secret engines |

PostgreSQL properties

Hostname, Port, and Username are required; the remaining properties are optional.

| Property | Requirement | Description |
|---|---|---|
| Hostname | Required | Hostname of the PostgreSQL server |
| Port | Required | PostgreSQL port |
| Username | Required | Username for a PostgreSQL account that has permission to manage PostgreSQL user credentials |
| Password | Optional | Password for the PostgreSQL account |
| Credential rotation interval | Optional | Interval for automatic secret rotation, in days, hours, and minutes |
| Timeout after credential read | Optional | Timeout after credential read, in days, hours, and minutes |

Password generation properties

These properties are optional criteria and constraints on password generation for the rotation of passwords.

| Property | Requirement | Description |
|---|---|---|
| Length | Optional | Length of passwords that are generated; defaults to 32 |
| Number of Digits | Optional | Number of digits contained in passwords that are generated; defaults to 6 |
| Number of symbols | Optional | Number of symbols contained in passwords that are generated; defaults to 0 |
| Excluded characters | Optional | Characters that are excluded from passwords that are generated; defaults to \ |
| Exclude uppercase | Optional | Exclude uppercase letters from passwords that are generated |
| Allow repeated passwords | Optional | Allow repeated passwords when generating new passwords |
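The following is an added example, not StrongDM's code: it implements the generation rules from the table above with the stated defaults (length 32, 6 digits, 0 symbols, backslash excluded), and adds a check a defender can run over a stored secret to confirm it still matches the engine's constraints. The symbol alphabet is an assumption, since the page does not define which characters count as symbols.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    """Mirrors the password generation properties above, with the page's defaults."""
    length: int = 32               # Length, defaults to 32
    digits: int = 6                # Number of Digits, defaults to 6
    symbols: int = 0               # Number of symbols, defaults to 0
    excluded: str = "\\"           # Excluded characters, defaults to backslash
    exclude_uppercase: bool = False
    allow_repeated: bool = False   # False: never hand back a password already in history

# Assumed symbol alphabet; the page does not define which characters are "symbols".
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"

def _pool(policy: PasswordPolicy, alphabet: str) -> list:
    pool = [c for c in alphabet if c not in policy.excluded]
    if not pool:
        raise ValueError("exclusion list empties a required character class")
    return pool

def generate(policy: PasswordPolicy, history=frozenset()) -> str:
    """Produce one password satisfying the policy, using the OS CSPRNG."""
    if policy.digits + policy.symbols > policy.length:
        raise ValueError("digits + symbols exceed the configured length")
    letters = string.ascii_lowercase if policy.exclude_uppercase else string.ascii_letters
    letter_pool, digit_pool = _pool(policy, letters), _pool(policy, string.digits)
    symbol_pool = _pool(policy, SYMBOLS) if policy.symbols else []
    for _ in range(100):  # retry only when the history rule rejects the candidate
        chars = ([secrets.choice(digit_pool) for _ in range(policy.digits)]
                 + [secrets.choice(symbol_pool) for _ in range(policy.symbols)]
                 + [secrets.choice(letter_pool)
                    for _ in range(policy.length - policy.digits - policy.symbols)])
        secrets.SystemRandom().shuffle(chars)  # so digits are not clustered at the front
        candidate = "".join(chars)
        if policy.allow_repeated or candidate not in history:
            return candidate
    raise RuntimeError("could not produce a password that is not already in history")

def complies(password: str, policy: PasswordPolicy) -> bool:
    """Audit check: does a stored password match the engine's constraints?"""
    return (len(password) == policy.length
            and sum(c.isdigit() for c in password) == policy.digits
            and sum(c in SYMBOLS for c in password) == policy.symbols
            and not any(c in policy.excluded for c in password)
            and not (policy.exclude_uppercase and any(c.isupper() for c in password)))
```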

Advanced settings

These properties are advanced settings regarding the encryption of the connection to PostgreSQL and other advanced details.

| Property | Requirement |
|---|---|
| TLS | Optional |

The Secret Engines tab now displays the secret engine that you just added.

Manage Secrets

Create a managed secret

Next, create a secret using the secret engine. This will allow the secret engine to begin rotating the password for the selected username, and also begin storing it in your secret store, so that we can use it for proxying connections to the resource.

  1. Go to the Admin UI under Settings > Secrets Management. Then select the Secrets tab and select Add Secret.

  2. Fill in a Name and Description for the secret.

It may be reasonable to correlate this name with the username or with the resource name that you intend to use this credential to access, if it is going to be used for leased credential access to the database. If it is being used for a specific identity using Identity Aliases, it could be named after the specific identity it is mapped to.

  3. For Select secret engine, select the engine you just created.

  4. Fill in the rest of the form, including resource-specific fields and rotation or password complexity information for this secret if you want it to differ from the defaults for this secret engine, and select Save.

Configure a Resource to use this Secret

Lastly, configure a resource to use this secret for authentication.

Fill in the resource configuration as you normally would, but for Secret Store, select the secret store, and fill in the user credential fields with /<SECRET_ENGINE_PATH>/<SECRET_PATH>?key=<SECRET_KEY>, taking <SECRET_ENGINE_PATH> from your secret engine configuration, <SECRET_PATH> from your managed secret configuration, and <SECRET_KEY> from the name of the relevant key within this managed secret.

Now you should be able to grant a user access to this resource through a role, if you have not done so already, or through Just-in-Time access with workflows, and then attempt to access it.
