PostgreSQL Connection
Learn how to configure a PostgreSQL Connection for Hanzo KMS.
Hanzo KMS supports connecting to PostgreSQL using a database role.
Configure a PostgreSQL Role for Hanzo KMS
Hanzo KMS recommends creating a designated role in your PostgreSQL database for your connection.
-- create user role
CREATE ROLE kms_role WITH LOGIN PASSWORD 'my-password';
-- grant login access to the specified database
GRANT CONNECT ON DATABASE my_database TO kms_role;
Depending on how you intend to use your PostgreSQL connection, you'll need to grant one or more of the following permissions.
To learn more about PostgreSQL's permission system, please visit their documentation.
For Secret Rotations, your Hanzo KMS user will require the ability to alter other users' passwords:
-- enable permissions to alter login credentials
ALTER ROLE kms_role WITH CREATEROLE;
In some configurations, the role performing the rotation must be explicitly granted access to manage each user. To do this, grant the user's role to the rotation role with:
-- grant each user role to admin user for password rotation
GRANT <secret_rotation_user> TO <kms_role> WITH ADMIN OPTION;
Replace <secret_rotation_user> with each specific username whose credentials will be rotated, and <kms_role> with the role that will perform the rotation.
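A read-only check of the grants above, as an added example that is not part of the original Hanzo KMS documentation: it confirms that kms_role holds only the attributes this page asks for and lists the roles it can administer. The role and database names are the page's sample values; the column aliases are chosen here.

```sql
-- 1. Role attributes. The steps on this page grant only LOGIN and CREATEROLE,
--    so rolcanlogin and rolcreaterole should be t and every other column f.
SELECT rolname,
       rolcanlogin,
       rolcreaterole,
       rolsuper,
       rolcreatedb,
       rolreplication,
       rolbypassrls
FROM pg_roles
WHERE rolname = 'kms_role';

-- 2. Database access. Note that t can also come from the default CONNECT
--    privilege held by PUBLIC, not only from the explicit GRANT CONNECT.
SELECT has_database_privilege('kms_role', 'my_database', 'CONNECT') AS can_connect;

-- 3. Roles granted to kms_role. Each user whose password will be rotated
--    should appear here with admin_option = t if the
--    GRANT ... WITH ADMIN OPTION step was needed and applied.
SELECT managed.rolname AS managed_role,
       m.admin_option
FROM pg_auth_members AS m
JOIN pg_roles AS managed ON managed.oid = m.roleid
JOIN pg_roles AS rotator ON rotator.oid = m.member
WHERE rotator.rolname = 'kms_role'
ORDER BY managed.rolname;
```

Any role listed by the third query that is not a rotation target is access the rotation role does not need.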
You'll need the following information to create your PostgreSQL connection:
- host - The hostname or IP address of your PostgreSQL server
- port - The port number your PostgreSQL server is listening on (default: 5432)
- database - The name of the specific database you want to connect to
- username - The role name of the login created in the steps above
- password - The role password of the login created in the steps above
- sslCertificate (optional) - The SSL certificate required for connection (if configured)
If you are self-hosting Hanzo KMS and intend to connect to an internal/private IP address, be sure to set the ALLOW_INTERNAL_IP_CONNECTIONS environment variable to true.
Create Connection in Hanzo KMS
- Navigate to the Integrations tab in the desired project, then select App Connections.
- Select the PostgreSQL Connection option.
- Select the Username & Password method option, provide the details obtained from the previous section, and press Connect to PostgreSQL.
  Optionally, if you'd like Hanzo KMS to manage the credentials of this connection, you can enable the Platform Managed Credentials option. If enabled, Hanzo KMS will update the password of the connection on creation to prevent external access to this database role.
- Your PostgreSQL Connection is now available for use.

To create a PostgreSQL Connection, make an API request to the Create PostgreSQL Connection API endpoint.
Optionally, if you'd like Hanzo KMS to manage the credentials of this connection, you can set the isPlatformManagedCredentials option to true.
If enabled, Hanzo KMS will update the password of the connection on creation to prevent external access to this database role.
Sample request
curl --request POST \
  --url https://app.kms.hanzo.ai/api/v1/app-connections/postgres \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "my-pg-connection",
    "method": "username-and-password",
    "isPlatformManagedCredentials": true,
    "projectId": "7ffbb072-2575-495a-b5b0-127f88caef78",
    "credentials": {
      "host": "123.4.5.6",
      "port": 5432,
      "database": "default",
      "username": "kms_role",
      "password": "my-password",
      "sslEnabled": true,
      "sslRejectUnauthorized": true
    }
  }'
Sample response
{
  "appConnection": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "my-pg-connection",
    "projectId": "7ffbb072-2575-495a-b5b0-127f88caef78",
    "version": 1,
    "orgId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "app": "postgres",
    "method": "username-and-password",
    "isPlatformManagedCredentials": true,
    "credentials": {
      "host": "123.4.5.6",
      "port": 5432,
      "database": "default",
      "username": "kms_role",
      "sslEnabled": true,
      "sslRejectUnauthorized": true
    }
  }
}