PostgreSQL

Integrate with Apono to view existing permissions and create Access Flows to PostgreSQL databases.

Overview

  • Reduce Over-Privileges - Discover existing privileges to PostgreSQL databases and convert them to on-demand Access Flows to reduce over-privileges.
  • Self-Service Access - Let your developers request and obtain database access themselves using Slack.
  • Automated Approval Workflows - Create approval workflows for specific sensitive databases.
  • Restricted Third-Party Access - Grant third parties (customers or vendors) time-based access to specific databases with MFA verification.
  • Review Access - View a detailed access audit of who was granted access to which databases, with what permission level, and why.

How to integrate with PostgreSQL

📘

Is your PostgreSQL running on a cloud service?

If you are trying to connect to an RDS PostgreSQL or a CloudSQL PostgreSQL, use the specific cloud service integration instead.

  1. Click on Integrations Catalog.
  2. Under Data Sources, look for PostgreSQL and click Connect.
  3. Specify the integration details:
  • Integration name – type the name of the integration
    When building an Access Flow you will reference this name
  • Select the Connector – specify the Connector name with access to this PostgreSQL
  • Hostname – specify the hostname of the PostgreSQL instance you are connecting

AWS - Identify the secret
If you chose a Connector installed on an AWS account, you will need to enter a Secret ID from your AWS Secrets Manager.

  • Region – Choose the region where the secret resides
  • Secret ID – Choose the secret ID that is used to access this PostgreSQL with admin privileges. If you don't have one, you can create one.
  • Click Connect

GCP - Identify the secret
If you chose a Connector installed on a GCP account, you will need to enter a Secret ID from your GCP Secret Manager.

  • Project - the project ID
  • Secret ID - Choose the Secret ID that is used to access this PostgreSQL with admin privileges. If you don't have one, you can create one using this GCP guide.
    Look for the Secret ID in your Secret Manager (via Google console)
  • Click Connect

Creating a user for Apono

The Connector needs its own user in the database so that it can provision access. Create that user in the database and grant it permission to create users (the CREATEROLE attribute).

  1. Create a user for the Connector in the instance, set a secure password, and grant it the rds_superuser role:
CREATE USER apono_connector WITH ENCRYPTED PASSWORD 'password';

ALTER USER apono_connector WITH CREATEROLE;

GRANT rds_superuser TO apono_connector;
  2. Using aws-cli, store the credentials in AWS Secrets Manager, replacing #SECRET_NAME, #REGION and #PASSWORD with your own values:
aws secretsmanager create-secret --name "#SECRET_NAME" --tags '[{"Key":"apono-connector-read","Value":"true"}]' --region #REGION --secret-string '{
    "username":"'"apono_connector"'",
    "password":"'"#PASSWORD"'"
}'
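
The command above splices the password into JSON by hand and places it on the command line, where it lands in shell history and the process list. The following is an added example, not Apono's own tooling: it generates the password, escapes it for JSON, and hands the payload to aws-cli through a temporary file using the CLI's file:// parameter syntax. The function names are hypothetical; the username and tag are the ones used on this page.

```shell
#!/bin/sh
# Added example (not Apono's own tooling); function names are hypothetical.

# 32 random characters from [A-Za-z0-9]: needs no escaping in SQL or JSON.
gen_password() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# Escape backslash and double quote for use inside a JSON string.
# Control characters (newline, tab, ...) are rejected rather than encoded.
json_escape() {
    stripped=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
    [ "$stripped" = "$1" ] || return 1
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the {"username": ..., "password": ...} payload that the secret holds.
build_secret_json() {
    u=$(json_escape "$1") || return 1
    p=$(json_escape "$2") || return 1
    printf '{"username":"%s","password":"%s"}\n' "$u" "$p"
}

# Store the payload from a private temp file so the password is never an
# aws-cli argument. Arguments: secret name, region, password.
store_secret() {
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    if build_secret_json "apono_connector" "$3" > "$tmp"; then
        aws secretsmanager create-secret --name "$1" --region "$2" \
            --tags '[{"Key":"apono-connector-read","Value":"true"}]' \
            --secret-string "file://$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Use the same generated value as the password in the CREATE USER statement, then call store_secret with the secret name, region and that password.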

📘

Have multiple PostgreSQLs? Use the API

You can check out the Apono API reference to easily set up multiple integrations.