search

PostgreSQL Plugin

Rotate PostgreSQL database passwords with Commander

circle-exclamation

Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:

This plugin allows rotating a user's password in PostgreSQL Server

hashtag
Prerequisites

hashtag
Install psycopg2-binary

pip3 install psycopg2-binary

hashtag
Prepare Record For Rotation

hashtag
Create a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

circle-info

See the Troubleshooting section for more information on legacy vs typed records

hashtag
Set the PostgreSQL Login Name and Password

Populate the 'Login' field of the Keeper record with the PostgreSQL login name

Commander will use the login and password to login to the PostgreSQL account

hashtag
Set the Hostname and Port

If using an untyped record, the host and port can be set to custom fields. See below.

circle-info

TIP: If no rotation plugin is specified, Commander will use the port number or host prefix to guess which rotation to use. Port 5432, or a hostname that begins with "postgresql://" will use PostgreSQL rotation

hashtag
Enter the Database Name

Add a custom field to the record labeled "cmdr:db" and fill the field with the name of the database to use.

hashtag
Optional Record Fields

These fields can be added to affect the rotation

Label
Value
Comment

cmdr:plugin

postgresql

(Optional) Tells Commander to use PostgreSQL rotation. This should be either set to the record, or supplied to the rotation command

cmdr:host

Hostname of your PostgreSQL server. Legacy records require this custom field, typed records can use the hostname and port fields.

cmdr:rules

# uppercase, # lowercase, # numeric, # special'

(e.g. 4,6,3,8)

(Optional) Password generation rules

cmdr:port

(Optional) PostgreSQL port. 5432 assumed if omitted

hashtag
Integration with the Keeper Commander's connect command

Custom Field Name

Custom Field Value

connect:xxx:env:PGPASSWORD

${password}

connect:xxx

psql --host=${cmdr:host} --port=${cmdr:port} --username=${login} --dbname=${cmdr:db} --no-password

Here's a screenshot of the Keeper Vault record for this use case:

A Keeper Record setup for connection
circle-info

For more information on the connect command, see the documentation

PreviousOracle PluginNextPSPasswd Plugin

Last updated

Was this helpful?