Azure PostgreSQL
Create an integration to manage access to Azure-managed PostgreSQL databases
Overview
PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance. Microsoft enables developers to create cloud-hosted PostgreSQL databases.
Through this integration, Apono helps you securely manage access to your Azure PostgreSQL instances.
To enable Apono to manage Azure PostgreSQL user access, you must create a user and then configure the integration within the Apono UI.
Prerequisites
Before starting this integration, create the items listed in the following table.
Item | Description |
---|---|
Apono Connector | On-prem connection serving as a bridge between your Azure PostgreSQL databases and Apono
Minimum Required Version: 1.3.0 Use the following steps to update an existing connector:
|
PostgreSQL Info | Information for the database instance to be integrated:
|
Create a PostgreSQL user
You must create a user in your PostgreSQL instance for the Apono connector and grant that user permissions to your databases.
You must use the admin account and password to connect to your database.
Use the following steps to create a user and grant it permissions:
-
In your preferred client tool, create a new user. Use apono_connector for the username. Be sure to set a strong password for the user.
You must also grant the
azure_pg_admin
role to the user in the database instance.CREATE USER apono_connector WITH ENCRYPTED PASSWORD 'password'; ALTER USER apono_connector WITH CREATEROLE; GRANT azure_pg_admin TO apono_connector;
-
Grant privileges to the
azure_pg_admin
role on all databases excepttemplate0
andazure_sys
.This allows Apono to perform tasks that are not restricted to a single schema or object within the database, such as creating, altering, and dropping database objects.
DO $$ DECLARE database_name text; BEGIN FOR database_name IN (SELECT datname FROM pg_database WHERE datname != 'template0' AND datname != 'azure_sys' AND datname != 'azure_maintenance') LOOP EXECUTE 'GRANT ALL PRIVILEGES ON DATABASE ' || quote_ident(database_name) || ' TO azure_pg_admin WITH GRANT OPTION'; END LOOP; END; $$
-
For each database to be managed through Apono, connect to the database and grant
azure_pg_admin
privileges on all objects in the schemas.This allows Apono to perform tasks that are restricted to schemas within the database, such as modifying table structures, creating new sequences, or altering functions.
DO $$ DECLARE schema text; BEGIN FOR schema IN (SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE 'pg_%' AND schema_name != 'information_schema' AND schema_name != 'cron') LOOP EXECUTE 'GRANT ALL PRIVILEGES ON SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION'; END LOOP; EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SEQUENCES TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON FUNCTIONS TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO azure_pg_admin WITH GRANT OPTION'; END; $$
-
Connect to the
template1
database and grantazure_pg_admin
privileges on all objects in the schemas.For any new databases created in the future, this allows Apono to perform tasks that are restricted to schemas within the database, such as modifying table structures, creating new sequences, or altering functions.
DO $$ DECLARE schema text; BEGIN FOR schema IN (SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE 'pg_%' AND schema_name != 'information_schema' AND schema_name != 'cron') LOOP EXECUTE 'GRANT ALL PRIVILEGES ON SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION'; END LOOP; EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SEQUENCES TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON FUNCTIONS TO azure_pg_admin WITH GRANT OPTION'; EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO azure_pg_admin WITH GRANT OPTION'; END; $$
-
Using the credentials from step 1, create a secret for the database instance and associate it to the Azure connector.
Set up the integration in Apono

PostgreSQL tile
Use the following steps to complete the integration:
- On the Catalog tab, click Azure PostgreSQL. The Connect Azure PostgreSQL page appears.
- From the dropdown menu, select the connector that has been granted read access to the secret for the PostgreSQL instance.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Azure connector and associate the secret with the connector.
- Click Next. The Complete setup page appears.
- Enter a unique, alphanumeric, user-friendly Integration Name. This name is used to identify this integration when constructing an Access Flow.
- Enter the Hostname of the PostgreSQL instance to connect.
- (Optional) Enter the Port value for the database. By default, Apono sets this value to 5432.
- Enter the Database Name.
- From the SSL Mode dropdown menu, select the mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server.
Option Description require An SSL-encrypted connection must be used. allow An SSL-encrypted or unencrypted connection is used. If an SSL encrypted connection is unavailable, the unencrypted connection is used. disable An unencrypted connection is used. prefer An SSL encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used. verify-ca An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass. verify-full An SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
Additionally, the server hostname is checked against the certificate's names.
- Under Secret Store, associate the Azure Key Vault secret.
- Click Connect.
Now that you have completed this integration, you can create access flows that grant permission to your Azure PostgreSQL instances.
Updated 4 days ago