PostgreSQL Connections
Keeper Connections - PostgreSQL Protocol
Overview
KeeperPAM enables zero-trust privileged session management for PostgreSQL databases through an interactive CLI. This guide shows how to configure PostgreSQL connections on your PAM Database Records in the Keeper Vault. Sessions are securely initiated from the Vault, routed via the Keeper Gateway, and connected to target databases.
Prerequisites
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.
The following PAM records are needed in order to successfully setup this protocol:
PAM Configuration
The PAM Configuration contains information of your target infrastructure
PAM Database Record
The PAM Database record contains information of the endpoint you want to establish an PostgreSQL protocol connection to.
PAM User Record
The PAM User record contains the PostgreSQL user credentials that will be used to connect to the endpoint
This guide will use a PostgreSQL Database. For more details on how this is setup, visit the following page:
PAM Settings - PostgreSQL Protocol
Accessing Connection Settings
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Configuring Connection Settings
Prior to configuring the PostgreSQL protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
PAM Configuration
This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.
Administrative Credential Record
This is the linked PAM User that will be used to authenticate to the target and perform administrative operations on it.
The following table lists all the configurable connection settings for the SQL Server protocol on the PAM Settings:
Protocol
Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the PostgreSQL protocol should be selected
Enable Connection
Required
To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Text Session Recording (Typescript)
When enabled, text session recordings (typescript) will be enabled for this record
Include Key Events
When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.
Connection Port
The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Database. The port specified here will override the default port. For PostgreSQL, the port is 5432
Launch Credential
When configured, these credentials will be used to authenticate the connection. More details here
Allow users to select credentials from their vault
When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details here
Rotate launch credentials upon session termination
When enabled, the configured launch credentials will be automatically rotated when the session is closed
Default Database
The database schema selected when connecting to the specified database server.
Can export CSV
Disables CSV export of data when using the PSQL statement \COPY
FROM "input.csv" With CSV
Can import CSV
Disables CSV import of data when using the PSQL statement \COPY () TO ".csv" With CSV HEADER
Can copy to clipboard
If enabled, text copied within the connected protocol session will be accessible by the user
Can paste from clipboard
If enabled, user can paste text from local clipboard into the connected protocol session
Connection Authentication Methods
Keeper Connections can be authenticated using one of the following methods:
Launch Credential The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.
Personal/Private Credential When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.
Ephemeral Accounts When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.
Session Recordings - PostgreSQL Protocol

For this protocol, both graphical and the full, raw text text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this page.
Learn more about Session Recording and Playback
Connection Templates
The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:
Connection TemplatesLast updated
Was this helpful?