Cloud SQL for PostgreSQL
Rotating Admin and Regular Cloud SQL for PostgreSQL Database Users on GCP with Keeper

Overview
In this guide, you'll learn how to rotate passwords for Cloud SQL for PostgreSQL database user and admin accounts in your Google Cloud environment using Keeper Rotation. Cloud SQL for PostgreSQL is a GCP-managed resource: the PostgreSQL admin credentials are stored in a PAM Database record, and each PostgreSQL user that Keeper rotates is described by a PAM User record.
To rotate the password of a regular database user, Keeper connects to the Cloud SQL instance with the admin credentials from the PAM Database record and executes the SQL statements needed to change that user's password (in PostgreSQL, an ALTER ROLE ... PASSWORD statement).
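The following is an added example, not Keeper's gateway code, showing what the rotation step above amounts to on the PostgreSQL side and the check a practitioner would want around it. It generates a new random password, hashes it into a SCRAM-SHA-256 verifier in the format PostgreSQL stores in pg_authid, and sends only that verifier in the ALTER ROLE statement, so the cleartext password never crosses the connection or lands in server logs when log_statement is set to 'all'. It then confirms the stored verifier matches the password before the password would be written back to the vault. The `execute` callable is an assumption standing in for an admin connection (for example a psycopg2 cursor's execute method); the role name, password length and the constructed salt in the usage section are illustrative.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Callable, Optional, Tuple

# Defaults match what PostgreSQL itself uses when it hashes a password
# (scram_iterations defaults to 4096, with a 16-byte random salt).
SCRAM_ITERATIONS = 4096
SCRAM_SALT_LEN = 16

# Query the admin connection should pass before attempting any rotation:
# ALTER ROLE ... PASSWORD on another role needs CREATEROLE or superuser.
ADMIN_PRIVILEGE_CHECK_SQL = (
    "SELECT rolsuper OR rolcreaterole FROM pg_roles WHERE rolname = current_user"
)


def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = SCRAM_ITERATIONS) -> str:
    """Build a PostgreSQL SCRAM-SHA-256 verifier for `password`.

    Format: SCRAM-SHA-256$<iterations>:<b64 salt>$<b64 StoredKey>:<b64 ServerKey>
    PostgreSQL stores a string in this form verbatim, so the cleartext
    password does not have to appear in the ALTER ROLE statement.
    """
    if salt is None:
        salt = os.urandom(SCRAM_SALT_LEN)
    # RFC 5802: SaltedPassword = Hi(password, salt, i) = PBKDF2-HMAC-SHA-256
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(raw: bytes) -> str:
        return base64.b64encode(raw).decode("ascii")

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def scram_verifier_matches(password: str, verifier: str) -> bool:
    """Client-side check: does `password` reproduce every key in `verifier`?

    This is the same derivation a SCRAM client performs during login, so the
    rotation job can confirm the new password is correct before storing it,
    without opening a second connection as the rotated user.
    """
    try:
        mech, params, _keys = verifier.split("$")
        iterations_s, salt_b64 = params.split(":")
    except ValueError:
        return False  # not a SCRAM verifier (e.g. md5... or cleartext)
    if mech != "SCRAM-SHA-256":
        return False
    salt = base64.b64decode(salt_b64)
    recomputed = scram_sha256_verifier(password, salt, int(iterations_s))
    return hmac.compare_digest(recomputed, verifier)


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier: double quotes, embedded quote doubled.
    Quoting keeps the role name case sensitive, matching the PAM User Login."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Quote a PostgreSQL string literal: single quotes, embedded quote doubled."""
    return "'" + value.replace("'", "''") + "'"


def alter_role_password_sql(role: str, verifier: str) -> str:
    """The statement Keeper's rotation step reduces to, with the hash, not the secret."""
    return f"ALTER ROLE {quote_ident(role)} WITH PASSWORD {quote_literal(verifier)}"


def rotate_role_password(execute: Callable[[str], None], role: str,
                         length: int = 32) -> Tuple[str, str]:
    """Rotate `role` through `execute`, an assumed callable that runs one SQL
    statement on the admin connection. Returns (new_password, statement_sent)."""
    new_password = secrets.token_urlsafe(length)
    verifier = scram_sha256_verifier(new_password)
    stmt = alter_role_password_sql(role, verifier)
    execute(stmt)
    if not scram_verifier_matches(new_password, verifier):
        raise RuntimeError("verifier does not match generated password; aborting")
    return new_password, stmt


if __name__ == "__main__":
    # Constructed stand-in for a real cursor: record what would be sent.
    sent = []
    pw, stmt = rotate_role_password(sent.append, "app_user")
    print(stmt)              # contains the SCRAM verifier only
    print(pw in stmt)        # False: cleartext never leaves the gateway
```

The same hash-before-send behaviour is what psql's \password command and libpq's PQencryptPasswordConn do; if a rotation job instead sends ALTER ROLE with the cleartext password, make sure log_statement on the instance is not 'all' or 'ddl', or the new secret ends up in the server log.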
Prerequisites
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and able to reach your Cloud SQL for PostgreSQL instance over the network
Your GCP environment is configured per our documentation
1. Set up a PAM Database Record
The PAM Database record contains the admin credentials and the configuration needed to connect to the PostgreSQL Cloud SQL instance on GCP. Keeper Rotation uses these settings to rotate the passwords of regular database user accounts on that instance. The admin role supplied here must also hold sufficient database privileges to change other roles' passwords: CREATEROLE (or superuser), and on PostgreSQL 16 and later also ADMIN OPTION on each role it rotates.
The following table lists all the required fields on the PAM Database Record:
Title: Keeper record title, e.g. GCP PostgreSQL Admin
Hostname or IP Address: The Cloud SQL instance's IP address (public or private) that the Gateway can reach
Port: The PostgreSQL port, e.g. 5432; for default ports see port mapping
Use SSL: Check to require TLS and verify the server certificate before connecting, if your instance has SSL configured
Login: Admin account username that will perform the rotation
Password: Admin account password
Connect Database: Optional database to connect to on the server. PostgreSQL requires a database for every connection, so this defaults to template1
Database ID: The Cloud SQL instance ID
Database Type: postgresql
Provider Region: The region your Cloud SQL instance runs in, e.g. us-central1
This PAM Database record holding the admin credential must be in a shared folder that is shared with the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
2. Set up PAM Configuration
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title: Configuration name, e.g. GCP Workspace Configuration
Environment: Select Google Cloud
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing it in a shared folder with the PAM User records
GCP ID: A unique ID for this instance of Google Cloud. This is only for your reference and can be anything, but it is recommended to keep it short, e.g. GCP-DepartmentName
Service Account Key: Copy the JSON text of the Gateway's service account key
Google Workspace Administrator Email: The email address of a Workspace administrator account that can be used to manage passwords for GCP principals
For more details on all the configurable fields in the PAM Configuration record, visit this page.
3. Set up PAM User Records
Keeper Rotation uses the admin credentials in the PAM Database record to rotate the database accounts described by your PAM User records. Each PAM User record must be in a shared folder that is shared with the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title: Keeper record title, e.g. GCP DB User 1
Login: Case-sensitive PostgreSQL role name of the account being rotated, exactly as it appears in pg_roles. PostgreSQL roles have no host component, so enter the bare role name
Password: Account password; optional, rotation will set one if left blank
Connect Database: Optional database to connect to on the server. PostgreSQL requires a database for every connection, so this defaults to template1
4. Configure Rotation on the PAM User records
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up in Step 2.
The "Resource Credential" field should select the PAM Database record set up in Step 1.
Upon saving, the rotation button is enabled and the record can be rotated on demand or on the selected schedule.
Any user with edit rights to a PAM User record is able to set up rotation for that record.

