Azure PostgreSQL

Create an integration to manage access to Azure-managed PostgreSQL databases

Overview

PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance. Microsoft enables developers to create cloud-hosted PostgreSQL databases.

Through this integration, Apono helps you securely manage access to your Azure PostgreSQL instances.

To enable Apono to manage Azure PostgreSQL user access, you must create a user and then configure the integration within the Apono UI.



Prerequisites

Before starting this integration, create the items listed in the following table.

Item Description
Apono Connector On-prem connection serving as a bridge between your Azure PostgreSQL databases and Apono

Minimum Required Version: 1.3.0

Use the following steps to update an existing connector:
  1. On the Connector page, click โ‹ฎ > Edit. The Edit the Connector page appears.
  2. Click Update Connector.
PostgreSQL Info Information for the database instance to be integrated:
  • Hostname
  • Port Number
  • Database Name


Create a PostgreSQL user

You must create a user in your PostgreSQL instance for the Apono connector and grant that user permissions to your databases.

๐Ÿšง

You must use the admin account and password to connect to your database.


Use the following steps to create a user and grant it permissions:

  1. In your preferred client tool, create a new user. Use apono_connector for the username. Be sure to set a strong password for the user.

    You must also grant the azure_pg_admin role to the user in the database instance.

    CREATE USER apono_connector WITH ENCRYPTED PASSWORD 'password';  
    ALTER USER apono_connector WITH CREATEROLE;  
    GRANT azure_pg_admin TO apono_connector;
    
  2. Grant privileges to the azure_pg_admin role on all databases except template0 and azure_sys.

    This allows Apono to perform tasks that are not restricted to a single schema or object within the database, such as creating, altering, and dropping database objects.

    DO $$  
    DECLARE  
      database_name text;  
    BEGIN  
      FOR database_name IN (SELECT datname FROM pg_database WHERE datname != 'template0' AND datname != 'azure_sys' AND datname != 'azure_maintenance') LOOP  
        EXECUTE 'GRANT ALL PRIVILEGES ON DATABASE ' || quote_ident(database_name) || ' TO azure_pg_admin WITH GRANT OPTION';  
      END LOOP;  
    END; $$
    
  3. For each database to be managed through Apono, connect to the database and grant azure_pg_admin privileges on all objects in the schemas.

    This allows Apono to perform tasks that are restricted to schemas within the database, such as modifying table structures, creating new sequences, or altering functions.

    DO $$  
    DECLARE  
      schema text;  
    BEGIN  
      FOR schema IN (SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE 'pg_%' AND schema_name != 'information_schema' AND schema_name != 'cron') LOOP  
        EXECUTE 'GRANT ALL PRIVILEGES ON SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';  
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';  
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';  
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';  
      END LOOP;  
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO azure_pg_admin WITH GRANT OPTION';  
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SEQUENCES TO azure_pg_admin WITH GRANT OPTION';  
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON FUNCTIONS TO azure_pg_admin WITH GRANT OPTION';  
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO azure_pg_admin WITH GRANT OPTION';  
    END; $$
    
  4. Connect to the template1 database and grant azure_pg_admin privileges on all objects in the schemas.

    For any new databases created in the future, this allows Apono to perform tasks that are restricted to schemas within the database, such as modifying table structures, creating new sequences, or altering functions.

    DO $$  
    DECLARE  
      schema text;  
    BEGIN  
      FOR schema IN (SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE 'pg_%' AND schema_name != 'information_schema' AND schema_name != 'cron') LOOP  
        EXECUTE 'GRANT ALL PRIVILEGES ON SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';  
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';  
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';  
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';  
      END LOOP;  
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO azure_pg_admin WITH GRANT OPTION';  
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SEQUENCES TO azure_pg_admin WITH GRANT OPTION';  
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON FUNCTIONS TO azure_pg_admin WITH GRANT OPTION';  
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO azure_pg_admin WITH GRANT OPTION';  
    END; $$
    
  5. Using the credentials from step 1, create a secret for the database instance and associate it to the Azure connector.



Set up the integration in Apono

Amazon RDS tile

PostgreSQL tile

Use the following steps to complete the integration:

  1. On the Catalog tab, click Azure PostgreSQL. The Connect Azure PostgreSQL page appears.
  2. From the dropdown menu, select the connector that has been granted read access to the secret for the PostgreSQL instance.

    ๐Ÿ’ก

    If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Azure connector and associate the secret with the connector.


  1. Click Next. The Complete setup page appears.
  2. Enter a unique, alphanumeric, user-friendly Integration Name. This name is used to identify this integration when constructing an Access Flow.
  3. Enter the Hostname of the PostgreSQL instance to connect.
  4. (Optional) Enter the Port value for the database. By default, Apono sets this value to 5432.
  5. Enter the Database Name.
  6. From the SSL Mode dropdown menu, select the mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server.
    Option Description
    require An SSL-encrypted connection must be used.
    allow An SSL-encrypted or unencrypted connection is used. If an SSL encrypted connection is unavailable, the unencrypted connection is used.
    disable An unencrypted connection is used.
    prefer An SSL encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
    verify-ca An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
    verify-full An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.

    Additionally, the server hostname is checked against the certificate's names.

  7. Under Secret Store, associate the Azure Key Vault secret.
  8. Click Connect.

Now that you have completed this integration, you can create access flows that grant permission to your Azure PostgreSQL instances.