PostgreSQL Connections
Keeper Connections - PostgreSQL Protocol
Overview
KeeperPAM enables zero-trust privileged session management for PostgreSQL databases through an interactive CLI or the visual KeeperDB interface. This guide shows how to configure PostgreSQL connections on PAM Database records in the Keeper Vault. Sessions start from the Vault, route through the Keeper Gateway, and connect to the target database.
Prerequisites
Before you begin, review the connection prerequisites on Getting Started.
You need these records to configure a PostgreSQL connection:
Stores the infrastructure details needed to reach the target.
Stores the PostgreSQL host and connection details.
Stores the PostgreSQL credentials used for the session.
This guide uses a PostgreSQL Database record as the target.
PAM Settings - PostgreSQL Protocol
Accessing connection settings
After you create the target PAM record, open the connection settings:
Edit the PAM record.
Click Set Up in PAM Settings.
Open the Connection section.
Configuring connection settings
Before you configure the PostgreSQL protocol, set these required fields:
PAM Configuration
The PAM Configuration provides access to the target defined on the record.
Administrative Credential Record
The linked PAM User used for authentication and administrative actions.
The following table lists the PostgreSQL-specific connection settings:
Protocol
Required. Select PostgreSQL. Keeper populates the available settings for this protocol.
Enable Connection
Required. Enable this toggle to allow launches from the record.
Graphical Session Recording
Enables graphical session recording for this connection.
Text Session Recording (Typescript)
Enables raw text session recording with timing data.
Include Key Events
Includes keystrokes in playback. This can capture typed secrets.
Connection Port
Uses the port on the PAM Database by default. Override it here if needed. The default PostgreSQL port is 5432.
Launch Credentials
Uses the selected credentials to authenticate the session. See Connection Authentication Methods.
Allow users to select credentials from their vault
Lets users choose their own private vault credentials. See Connection Authentication Methods.
Rotate launch credentials upon session termination
Rotates the selected launch credential when the session ends.
Default Database
Selects the default database when the session starts.
Can download
Allows CSV export with PostgreSQL \COPY ... TO.
Can upload
Allows CSV import with PostgreSQL \COPY ... FROM.
Can copy to clipboard
Lets users copy text from the session.
Can paste from clipboard
Lets users paste local clipboard content into the session.
Font name
Sets the terminal font. Use a monospaced font installed on the server running guacd.
Font size
Sets the terminal font size in points. The default is 12.
Maximum scrollback size
Sets the maximum terminal scrollback buffer. The default is 1000 rows.
Read-only
Prevents all input. Users can view the session but cannot interact.
Connection Authentication Methods
PostgreSQL connections support these authentication methods:
Launch Credential Keeper uses the credential linked on the PAM record. Users do not need direct access to that credential.
Personal/Private Credential When Allow users to select credentials from their vault is enabled, users can authenticate with their own private vault credential.
Ephemeral Accounts Keeper creates a temporary privileged account for the session and deletes it after the session ends. This supports Just-In-Time access.
Session Recordings - PostgreSQL Protocol
For this protocol, Keeper records both the graphical session and the full raw text stream, including timing data. Learn how to access and review recordings on Session Recording & Playback.
Learn more about Session Recording & Playback
Connection Templates
You can also configure the PAM record as a connection template. Connection templates let users launch sessions without predefining a specific hostname or credential.
Learn more about Connection Templates
Last updated