# PostgreSQL Plugin

{% hint style="warning" %}
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:

* [Password Rotation with KeeperPAM](/keeperpam/secrets-manager/password-rotation.md)
* Commander [KeeperPAM commands](/keeperpam/commander-cli/command-reference/keeperpam-commands.md)
  {% endhint %}

This plugin allows rotating a user's password in PostgreSQL Server

## Prerequisites

#### Install psycopg2-binary

```
pip3 install psycopg2-binary
```

## Prepare Record For Rotation

### Create a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

{% hint style="info" %}
See the [Troubleshooting ](/keeperpam/commander-cli/troubleshooting-commander-cli.md#typed-vs-untyped-records-v3-vs-v2)section for more information on legacy vs typed records
{% endhint %}

### Set the PostgreSQL Login Name and Password

**Populate the 'Login' field of the Keeper record with the PostgreSQL login name**

![Commander will use the login and password to login to the PostgreSQL account](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F4TNMCZKhejp3vlE8tBCN%2Fimage.png?alt=media\&token=4cfaa6bd-a624-4e25-aea3-38d59984e901)

### Set the Hostname and Port

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fqo9RDE4VL2UddhfXobQn%2Fimage.png?alt=media\&token=cd25a90a-e050-4263-bb09-391ea39e4035)

If using an untyped record, the host and port can be set to custom fields. See below.

{% hint style="info" %}
TIP: If no rotation plugin is specified, Commander will use the port number or host prefix to guess which rotation to use. Port 5432, or a hostname that begins with "postgresql://" will use PostgreSQL rotation
{% endhint %}

### Enter the Database Name

Add a custom field to the record labeled "cmdr:db" and fill the field with the name of the database to use.

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FwoGgeVwEBlsI9B4g7ffZ%2Fimage.png?alt=media\&token=f4950821-af11-48d5-bf7b-b92322d22e69)

### Optional Record Fields

These fields can be added to affect the rotation

| Label       | Value                                                                       | Comment                                                                                                                             |
| ----------- | --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| cmdr:plugin | postgresql                                                                  | (Optional) Tells Commander to use PostgreSQL rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:host   |                                                                             | Hostname of your PostgreSQL server. Legacy records require this custom field, typed records can use the hostname and port fields.   |
| cmdr:rules  | <p># uppercase, # lowercase, # numeric, # special'</p><p>(e.g. 4,6,3,8)</p> | (Optional) Password generation rules                                                                                                |
| cmdr:port   |                                                                             | (Optional) PostgreSQL port. 5432 assumed if omitted                                                                                 |

## Integration with the Keeper Commander's `connect` command

| Custom Field Name          | Custom Field Value                                                                                 |
| -------------------------- | -------------------------------------------------------------------------------------------------- |
| connect:xxx:env:PGPASSWORD | ${password}                                                                                        |
| connect:xxx                | psql --host=${cmdr:host} --port=${cmdr:port} --username=${login} --dbname=${cmdr:db} --no-password |

Here's a screenshot of the Keeper Vault record for this use case:

![A Keeper Record setup for connection](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJXOXEifAmpyvNVL1to%2F-Mf3OKL0C-A5D2nQFew1%2F-Mf4CgBqohGZ1_sEVoQH%2Fimage.png?alt=media\&token=86e1e38c-0c84-4aa6-bcc4-bdefd9c4113c)

{% hint style="info" %}
For more information on the `connect` command, see the [documentation](/keeperpam/commander-cli/command-reference/connection-commands/connection-to-hosts.md)
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/commander-cli/command-reference/plugins/postgresql-plugin.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.