Azure PostgreSQL

Create an integration to manage access to Azure-managed PostgreSQL databases

PostgreSQL databases are open-source relational database management systems emphasizing extensibility and SQL compliance. Microsoft enables developers to create cloud-hosted PostgreSQL databases.

Through this integration, Apono helps you securely manage access to your Azure PostgreSQL instances.

To enable Apono to manage Azure PostgreSQL user access, you must create a user and then configure the integration within the Apono UI.



Prerequisites

Item Description
Apono Connector On-prem connection serving as a bridge between an Azure MySQL database instance and Apono

Minimum Required Version: 1.3.0
PostgreSQL Info Information for the database instance to be integrated:
  • Hostname
  • Port Number
  • Database Name


Create a PostgreSQL user

You must create a user in your PostgreSQL instance for the Apono connector and grant that user permissions to your databases.

⚠️

You must use the admin account and password to connect to your database.

Use the following steps to create a user and grant it permissions:

  1. In your preferred client tool, create a new user. Use apono_connector for the username. Be sure to set a strong password for the user.

    You must also grant the azure_pg_admin role to the user in the database instance.

    CREATE USER apono_connector WITH ENCRYPTED PASSWORD 'password';
    ALTER USER apono_connector WITH CREATEROLE;
    GRANT azure_pg_admin TO apono_connector;
    

  2. Grant privileges to the azure_pg_admin role on all databases except template0 and azure_sys.

    This allows Apono to perform tasks that are not restricted to a single schema or object within the database, such as creating, altering, and dropping database objects.

    DO $$
    DECLARE
      database_name text;
    BEGIN
      FOR database_name IN (SELECT datname FROM pg_database WHERE datname != 'template0' AND datname != 'azure_sys' AND datname != 'azure_maintenance') LOOP
        EXECUTE 'GRANT ALL PRIVILEGES ON DATABASE ' || quote_ident(database_name) || ' TO azure_pg_admin WITH GRANT OPTION';
      END LOOP;
    END; $$
    

  1. For each database to be managed through Apono, connect to the database and grant azure_pg_admin privileges on all objects in the schemas.

    This allows Apono to perform tasks that are restricted to schemas within the database, such as modifying table structures, creating new sequences, or altering functions.

    DO $$
    DECLARE
      schema text;
    BEGIN
      FOR schema IN (SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE 'pg_%' AND schema_name != 'information_schema' AND schema_name != 'cron') LOOP
        EXECUTE 'GRANT ALL PRIVILEGES ON SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';
      END LOOP;
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO azure_pg_admin WITH GRANT OPTION';
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SEQUENCES TO azure_pg_admin WITH GRANT OPTION';
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON FUNCTIONS TO azure_pg_admin WITH GRANT OPTION';
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO azure_pg_admin WITH GRANT OPTION';
    END; $$
    

  1. Connect to the template1 database and grant azure_pg_admin privileges on all objects in the schemas.

    For any new databases created in the future, this allows Apono to perform tasks that are restricted to schemas within the database, such as modifying table structures, creating new sequences, or altering functions.

    DO $$
    DECLARE
      schema text;
    BEGIN
      FOR schema IN (SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE 'pg_%' AND schema_name != 'information_schema' AND schema_name != 'cron') LOOP
        EXECUTE 'GRANT ALL PRIVILEGES ON SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';
        EXECUTE 'GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA ' || quote_ident(schema) || ' TO azure_pg_admin WITH GRANT OPTION';
      END LOOP;
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO azure_pg_admin WITH GRANT OPTION';
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SEQUENCES TO azure_pg_admin WITH GRANT OPTION';
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON FUNCTIONS TO azure_pg_admin WITH GRANT OPTION';
      EXECUTE 'ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO azure_pg_admin WITH GRANT OPTION';
    END; $$
    

  1. Using the credentials from step 1, create a secret for the database instance and associate it to the Azure connector.


Set up the integration in Apono

Use the following steps to complete the integration:

  1. On the Catalog tab, click Azure PostgreSQL. The Connect Azure PostgreSQL page appears.

  2. From the dropdown menu, select the connector that has been granted read access to the secret for the PostgreSQL instance.

    💡

    If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Azure connector and associate the secret with the connector.

  3. Click Next. The Complete setup page appears.

  4. Enter a unique, alphanumeric, user-friendly Integration Name. This name is used to identify this integration when constructing an access flow.

  5. Enter the Hostname of the PostgreSQL instance to connect.

  6. (Optional) Enter the Port value for the database. By default, Apono sets this value to 5432.

  7. Enter the Database Name.

  8. From the SSL Mode dropdown menu, select the mode of Secure Sockets Layer (SSL) encryption used to secure the connection with the SQL database server.

    OptionDescription
    requireAn SSL-encrypted connection must be used.
    allowAn SSL-encrypted or unencrypted connection is used. If an SSL encrypted connection is unavailable, the unencrypted connection is used.
    disableAn unencrypted connection is used.
    preferAn SSL encrypted connection is attempted. If the encrypted connection is unavailable, the unencrypted connection is used.
    verify-caAn SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass.
    verify-fullAn SSL-encrypted connection must be used and a server certification verification against the provided CA certificates must pass. Additionally, the server hostname is checked against the certificate's names.

  9. Under Secret Store, associate the Azure Key Vault secret.

  10. Click Connect.

Now that you have completed this integration, you can create access flows that grant permission to your Azure PostgreSQL instances.