PostgreSQL Plugin
Rotate PostgreSQL database passwords with Commander
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The documentation is linked below:
Commander KeeperPAM commands
This plugin rotates a user's password in PostgreSQL Server.
Prerequisites
Install psycopg2-binary
Prepare Record For Rotation
Create a Record for Rotation
Rotation supports legacy and typed records. If using a typed record, a 'Login' type field is required. Additional fields may also be added depending on the rotation type. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records.
Set the PostgreSQL Login Name and Password
Populate the 'Login' field of the Keeper record with the PostgreSQL login name.
Set the Hostname and Port
If using an untyped record, the host and port can be set to custom fields. See below.
TIP: If no rotation plugin is specified, Commander will use the port number or host prefix to guess which rotation to use. Port 5432, or a hostname that begins with "postgresql://", will use PostgreSQL rotation.
Enter the Database Name
Add a custom field to the record labeled "cmdr:db" and fill the field with the name of the database to use.
Optional Record Fields
These fields can be added to affect the rotation:
cmdr:plugin: postgresql. (Optional) Tells Commander to use PostgreSQL rotation. This should either be set on the record or supplied to the rotation command.
cmdr:host: Hostname of your PostgreSQL server. Legacy records require this custom field; typed records can use the hostname and port fields.
cmdr:rules: "# uppercase, # lowercase, # numeric, # special" (e.g. 4,6,3,8). (Optional) Password generation rules.
cmdr:port: (Optional) PostgreSQL port. 5432 is assumed if omitted.
Integration with the Keeper Commander's connect command
Custom Field Name | Custom Field Value
connect:xxx:env:PGPASSWORD | ${password}
connect:xxx | psql --host=${cmdr:host} --port=${cmdr:port} --username=${login} --dbname=${cmdr:db} --no-password
Here's a screenshot of the Keeper Vault record for this use case:
For more information on the connect command, see the documentation.