# PAM Database

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FG43gSJCEtSl4zWbGowLm%2FKeeperPAM%20Database.jpg?alt=media&#x26;token=977d6327-73b4-4fa5-98cd-2783e905db39" alt=""><figcaption></figcaption></figure>

## Overview

In your Keeper Vault, the following assets can be configured on the PAM Database record type:

<table><thead><tr><th width="215">PAM Record Type</th><th>Supported Assets </th></tr></thead><tbody><tr><td>PAM Database </td><td>MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle </td></tr></tbody></table>

This guide will cover the **PAM Database** Record type in more details.&#x20;

## Features Available

The PAM Database resource supports the following features:

* Password rotation
* Zero-trust Connections
* TCP Tunnels
* Graphical session recording
* Text session recording (Typescript)
* Sharing access without sharing credentials

{% hint style="info" %}
Connecting to the PAM database requires only that the Keeper Gateway has access to the database either through native protocols or AWS/Azure APIs. The Keeper Vault operates independently and does not require direct connectivity to the database, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the [network architecture diagram](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/architecture/system-architecture) for more details.
{% endhint %}

## Creating a PAM Database

Prior to creating a PAM Database, make sure you have already created a PAM Configuration. The PAM Configuration contains information of your target infrastructure while the PAM Database contains information about the target database, such as the hostname, type (MySQL, PostgreSQL, etc) and port number.

To create a PAM Database:

* Click on **Create New**&#x20;
* Depending on your use case, click on "Rotation", "Tunnel", or "Connection"&#x20;
* On the prompted window:
  * Select "**New Record**"&#x20;
  * Select the Shared Folder you want the record to be created in&#x20;
  * Specify the Title
  * Select "**Database**" for the Target&#x20;
* Click "**Next**" and complete all of the required information.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FafSL2rOYf5xNGoajV91A%2FScreenshot%202024-12-28%20at%206.45.24%E2%80%AFPM.png?alt=media&#x26;token=c517c017-ae7c-4b7e-8a1e-5b43aedac786" alt=""><figcaption><p>Create a PAM Database</p></figcaption></figure>

## PAM Database Record Type Fields

The following table lists all the configurable fields on the PAM Database Record Type:

<table><thead><tr><th width="167">Field</th><th width="253">Description</th><th>Notes</th></tr></thead><tbody><tr><td>Hostname or IP Address</td><td>Address of the Database Resource</td><td><strong>Required</strong></td></tr><tr><td>Port</td><td>Port to connect to the Database Resource</td><td><strong>Required</strong><br><br>Standard ports are:<br>PostgreSQL: 5432<br>MySQL: 3306<br>Maria DB: 3306<br>Microsoft SQL: 1433<br>Oracle: 1521<br>Mongo DB: 27017</td></tr><tr><td>Use SSL</td><td>Use SSL when connecting</td><td></td></tr><tr><td>Connect Database</td><td>Database name to connect to</td><td><strong>Required</strong> for connecting to PostgreSQL, MongoDB, and MS SQL Server</td></tr><tr><td>Database Id</td><td>Azure or AWS Resource ID</td><td><strong>Required</strong> if a managed AWS or Azure Database</td></tr><tr><td>Database Type</td><td>Appropriate database type from supported databases.</td><td>If a non-standard port is provided, the Database Type will be used to determine connection method.<br></td></tr><tr><td>Provider Group</td><td>Azure or AWS Provider Group</td><td><strong>Required</strong> if a managed AWS or Azure Database</td></tr><tr><td>Provider Region</td><td>Azure or AWS Provider Region</td><td><strong>Required</strong> if a managed AWS or Azure Database</td></tr></tbody></table>

## PAM Settings and Administrative Credentials&#x20;

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FHeovfKrm4CXGKwiIqq11%2FScreenshot%202025-01-01%20at%209.27.18%E2%80%AFAM.png?alt=media&#x26;token=b4e0a075-94bf-43da-aa25-bf684ab3a00d" alt=""><figcaption><p>PAM Settings and Administrative Credentials</p></figcaption></figure>

### PAM Settings

<table><thead><tr><th>Field</th><th width="235">Description</th><th>Required</th></tr></thead><tbody><tr><td>PAM Configuration</td><td>Associated PAM Configuration record which defines the environment</td><td><strong>Required</strong></td></tr><tr><td>Administrative Credential Record</td><td>Linked PAM User credential used for connection and administrative operations</td><td><strong>Required</strong><br>Visit this <a href="#pam-settings-and-administrative-credentials">section</a> for more details </td></tr><tr><td>Protocol</td><td>Native database protocol used for connecting from the Gateway to the target</td><td><strong>Required</strong></td></tr><tr><td>Session Recording</td><td>Options for recording sessions and typescripts</td><td>See <a href="../../session-recording-and-playback">session recording</a></td></tr><tr><td>Connection Parameters<br>(multiple)</td><td>Connection-specific protocol settings which can vary based on the protocol type</td><td>Depends on protocol</td></tr></tbody></table>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FQDnmwlO5pIBfiNFcSqJM%2FScreenshot%202025-01-01%20at%209.48.44%E2%80%AFAM.png?alt=media&#x26;token=f3cd398b-968e-4933-8a6d-7b1219374da4" alt=""><figcaption><p>PAM Settings on Database resource</p></figcaption></figure>

Below is an example of a PAM Database record with Connections and Tunnels activated.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FVSwnnpOvh75YONo6GSFD%2FScreenshot%202025-01-01%20at%209.53.35%E2%80%AFAM.png?alt=media&#x26;token=0bbbe72f-3230-4d03-98b7-71f52edd1469" alt=""><figcaption><p>PAM Database with Connections and Tunnels activated</p></figcaption></figure>

## Examples

Visit the following pages to set up:

* [MySQL Database](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-database/example-mysql-database)
* [PostgreSQL Database](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-database/example-postgresql-database)
* [Microsoft SQL Server Database](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-database/example-microsoft-sql-server-database)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-database.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.