# PostgreSQL Plugin

{% hint style="warning" %}
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The documentation is linked below:

* [Password Rotation with KeeperPAM](https://docs.keeper.io/en/keeperpam/secrets-manager/password-rotation)
* Commander [KeeperPAM commands](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/keeperpam-commands)

{% endhint %}

This plugin allows rotating a user's password in PostgreSQL Server.

## Prerequisites

#### Install psycopg2-binary

```
pip3 install psycopg2-binary
```

## Prepare Record For Rotation

### Create a Record for Rotation

Rotation supports legacy and typed records. If using a typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

{% hint style="info" %}
See the [Troubleshooting](https://docs.keeper.io/en/keeperpam/troubleshooting-commander-cli#typed-vs-untyped-records-v3-vs-v2) section for more information on legacy vs typed records.
{% endhint %}

### Set the PostgreSQL Login Name and Password

**Populate the 'Login' field of the Keeper record with the PostgreSQL login name**

![Commander will use the login and password to login to the PostgreSQL account](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F4TNMCZKhejp3vlE8tBCN%2Fimage.png?alt=media\&token=4cfaa6bd-a624-4e25-aea3-38d59984e901)

### Set the Hostname and Port

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fqo9RDE4VL2UddhfXobQn%2Fimage.png?alt=media\&token=cd25a90a-e050-4263-bb09-391ea39e4035)

If using an untyped record, the host and port can be set to custom fields. See below.

{% hint style="info" %}
TIP: If no rotation plugin is specified, Commander will use the port number or host prefix to guess which rotation to use. Port 5432, or a hostname that begins with "postgresql://", will use PostgreSQL rotation.
{% endhint %}

### Enter the Database Name

Add a custom field to the record labeled "cmdr:db" and fill the field with the name of the database to use.

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FwoGgeVwEBlsI9B4g7ffZ%2Fimage.png?alt=media\&token=f4950821-af11-48d5-bf7b-b92322d22e69)

### Optional Record Fields

These fields can be added to affect the rotation:

| Label       | Value                                                                       | Comment                                                                                                                             |
| ----------- | --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| cmdr:plugin | postgresql                                                                  | (Optional) Tells Commander to use PostgreSQL rotation. This should be either set on the record or supplied to the rotation command  |
| cmdr:host   |                                                                             | Hostname of your PostgreSQL server. Legacy records require this custom field, typed records can use the hostname and port fields.   |
| cmdr:rules  | <p># uppercase, # lowercase, # numeric, # special</p><p>(e.g. 4,6,3,8)</p>  | (Optional) Password generation rules                                                                                                |
| cmdr:port   |                                                                             | (Optional) PostgreSQL port. 5432 assumed if omitted                                                                                 |
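
The `cmdr:rules` format from the table, worked through as an added example (not Commander's own generator). It assumes each number is an exact count for its class and uses a hypothetical symbol set; `parse_rules`, `generate_password` and `CLASSES` are illustrative names.

```python
import secrets
import string

# Assumed character classes, in the order the cmdr:rules field lists them.
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.<>?",  # assumed symbol set; align it with server policy
)


def parse_rules(rules):
    """Parse 'upper,lower,numeric,special' into four non-negative counts."""
    parts = [p.strip() for p in rules.split(",")]
    if len(parts) != 4:
        raise ValueError("cmdr:rules needs exactly four comma-separated counts")
    if not all(p.isdigit() for p in parts):
        raise ValueError("cmdr:rules counts must be non-negative integers")
    counts = [int(p) for p in parts]
    if sum(counts) == 0:
        raise ValueError("cmdr:rules must request at least one character")
    return counts


def generate_password(rules):
    """Draw each class's quota with a CSPRNG, then shuffle the positions."""
    chars = []
    for count, alphabet in zip(parse_rules(rules), CLASSES):
        chars.extend(secrets.choice(alphabet) for _ in range(count))
    # Shuffle with the OS random source so class order is not predictable.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # "4,6,3,8" from the table yields a 21-character password.
    print(len(generate_password("4,6,3,8")))
```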

## Integration with the Keeper Commander's `connect` command

| Custom Field Name          | Custom Field Value                                                                                 |
| -------------------------- | -------------------------------------------------------------------------------------------------- |
| connect:xxx:env:PGPASSWORD | ${password}                                                                                        |
| connect:xxx                | psql --host=${cmdr:host} --port=${cmdr:port} --username=${login} --dbname=${cmdr:db} --no-password |

Here's a screenshot of the Keeper Vault record for this use case:

![A Keeper Record setup for connection](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJXOXEifAmpyvNVL1to%2F-Mf3OKL0C-A5D2nQFew1%2F-Mf4CgBqohGZ1_sEVoQH%2Fimage.png?alt=media\&token=86e1e38c-0c84-4aa6-bcc4-bdefd9c4113c)

{% hint style="info" %}
For more information on the `connect` command, see the [documentation](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/connection-commands/connection-to-hosts)
{% endhint %}
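
How the two `connect` custom fields above combine, as an added sketch (not Commander's implementation): the password reaches `psql` through the `PGPASSWORD` environment variable rather than the command line, and `--no-password` keeps `psql` from prompting. The record values, `expand` and `build_connection` are constructed for illustration, and expanding placeholders after splitting the template is an assumption made here so a field value cannot add arguments.

```python
import re
import shlex

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample record: standard fields plus the custom fields from the tables.
RECORD = {
    "login": "app_user",
    "password": "S3cr3t example",  # constructed value, contains a space
    "cmdr:host": "db.example.internal",
    "cmdr:port": "5432",
    "cmdr:db": "inventory",
    "connect:xxx:env:PGPASSWORD": "${password}",
    "connect:xxx": "psql --host=${cmdr:host} --port=${cmdr:port} "
                   "--username=${login} --dbname=${cmdr:db} --no-password",
}


def expand(template, record):
    """Replace each ${field} with the record value; fail on unknown fields."""
    def lookup(match):
        name = match.group(1)
        if name not in record:
            raise KeyError(f"record has no field {name!r}")
        return record[name]
    return PLACEHOLDER.sub(lookup, template)


def build_connection(record, name="xxx"):
    """Return (argv, env) for the connect:<name> entry of a record."""
    # Split the template first, then expand each token, so a field value
    # containing spaces or quotes stays inside its own argument.
    argv = [expand(tok, record) for tok in shlex.split(record[f"connect:{name}"])]
    prefix = f"connect:{name}:env:"
    env = {key[len(prefix):]: expand(value, record)
           for key, value in record.items() if key.startswith(prefix)}
    return argv, env


if __name__ == "__main__":
    argv, env = build_connection(RECORD)
    print(argv)          # the password is absent from the argument list
    print(sorted(env))   # only variable names are printed, not the secret
    # To launch: subprocess.run(argv, env={**os.environ, **env})
```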
