PostgreSQL Connections

Keeper Connections - PostgreSQL Protocol

Overview

KeeperPAM enables zero-trust privileged session management for PostgreSQL databases through an interactive CLI. This guide shows how to configure PostgreSQL connections on your PAM Database Records in the Keeper Vault. Sessions are securely initiated from the Vault, routed via the Keeper Gateway, and connected to target databases.

Prerequisites

Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.

The following PAM records are needed in order to successfully setup this protocol:

PAM Record
Definition

PAM Configuration

The PAM Configuration contains information of your target infrastructure

PAM Database Record

The PAM Database record contains information of the endpoint you want to establish an PostgreSQL protocol connection to.

PAM User Record

The PAM User record contains the PostgreSQL user credentials that will be used to connect to the endpoint

This guide will use a PostgreSQL Database. For more details on how this is setup, visit the following page:

PAM Settings - PostgreSQL Protocol

Accessing Connection Settings

After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

  1. Editing the PAM Record

  2. Clicking on "Set Up" in the PAM Settings section

  3. Navigate to the "Connection" section in the prompted window

Configuring Connection Settings

Prior to configuring the PostgreSQL protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

Field
Definition

PAM Configuration

This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.

Administrative Credential Record

This is the linked PAM User that will be used to authenticate to the target and perform administrative operations on it.

The following table lists all the configurable connection settings for the SQL Server protocol on the PAM Settings:

Field
Definition

Protocol

Required

The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the PostgreSQL protocol should be selected

Enable Connection

Required

To enable connection for this record, this toggle needs to be enabled

Graphical Session Recording

When enabled, graphical session recordings will be enabled for this record

Text Session Recording (Typescript)

When enabled, text session recordings (typescript) will be enabled for this record

Include Key Events

When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

Connection Port

The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Database. The port specified here will override the default port. For PostgreSQL, the port is 5432

Launch Credential

When configured, these credentials will be used to authenticate the connection. More details here

Allow users to select credentials from their vault

When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details here

Rotate launch credentials upon session termination

When enabled, the configured launch credentials will be automatically rotated when the session is closed

Default Database

The database schema selected when connecting to the specified database server.

Can export CSV

Disables CSV export of data when using the PSQL statement \COPY

FROM "input.csv" With CSV

Can import CSV

Disables CSV import of data when using the PSQL statement \COPY () TO ".csv" With CSV HEADER

Can copy to clipboard

If enabled, text copied within the connected protocol session will be accessible by the user

Can paste from clipboard

If enabled, user can paste text from local clipboard into the connected protocol session

Connection Authentication Methods

Keeper Connections can be authenticated using one of the following methods:

  • Launch Credential The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

  • Personal/Private Credential When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

  • Ephemeral Accounts When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

Session Recordings - PostgreSQL Protocol

PostgreSQL Session Recordings

For this protocol, both graphical and the full, raw text text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this page.

Connection Templates

The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

Connection Templates

Last updated

Was this helpful?