mirror of
https://github.com/Infisical/infisical.git
synced 2026-05-02 03:02:03 -04:00
147 lines
6.2 KiB
Plaintext
147 lines
6.2 KiB
Plaintext
---
|
|
title: "PostgreSQL"
|
|
description: "Learn how to dynamically generate PostgreSQL database users."
|
|
---
|
|
|
|
The Infisical PostgreSQL dynamic secret allows you to generate PostgreSQL database credentials on demand based on configured role.
|
|
|
|
## Prerequisite
|
|
|
|
Create a user with the required permission in your SQL instance. This user will be used to create new accounts on-demand.
|
|
|
|
|
|
## Set up Dynamic Secrets with PostgreSQL
|
|
|
|
<Steps>
|
|
<Step title="Open Secret Overview Dashboard">
|
|
Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
|
|
</Step>
|
|
<Step title="Click on the 'Add Dynamic Secret' button">
|
|
|
|
</Step>
|
|
<Step title="Select `SQL Database`">
|
|
|
|
</Step>
|
|
<Step title="Provide the inputs for dynamic secret parameters">
|
|
<ParamField path="Secret Name" type="string" required>
|
|
Name by which you want the secret to be referenced
|
|
</ParamField>
|
|
|
|
<ParamField path="Default TTL" type="string" required>
|
|
Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
|
|
</ParamField>
|
|
|
|
<ParamField path="Max TTL" type="string" required>
|
|
Maximum time-to-live for a generated secret
|
|
</ParamField>
|
|
|
|
<ParamField path="Metadata" type="list" required>
|
|
List of key/value metadata pairs
|
|
</ParamField>
|
|
|
|
<ParamField path="Service" type="string" required>
|
|
Choose the service you want to generate dynamic secrets for. This must be selected as **PostgreSQL**.
|
|
</ParamField>
|
|
|
|
<ParamField path="Host" type="string" required>
|
|
Database host
|
|
</ParamField>
|
|
|
|
<ParamField path="Port" type="number" required>
|
|
Database port
|
|
</ParamField>
|
|
|
|
<ParamField path="User" type="string" required>
|
|
Username that will be used to create dynamic secrets
|
|
</ParamField>
|
|
|
|
<ParamField path="Password" type="string" required>
|
|
Password that will be used to create dynamic secrets
|
|
</ParamField>
|
|
|
|
<ParamField path="Database Name" type="string" required>
|
|
Name of the database for which you want to create dynamic secrets
|
|
</ParamField>
|
|
|
|
<ParamField path="CA(SSL)" type="string">
|
|
A CA may be required if your DB requires it for incoming connections. AWS RDS instances with default settings will requires a CA which can be downloaded [here](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions).
|
|
</ParamField>
|
|
|
|
|
|
|
|
</Step>
|
|
<Step title="(Optional) Modify SQL Statements">
|
|
|
|
<ParamField path="Username Template" type="string" default="{{randomUsername}}">
|
|
Specifies a template for generating usernames. This field allows customization of how usernames are automatically created.
|
|
|
|
Allowed template variables are
|
|
- `{{randomUsername}}`: Random username string
|
|
- `{{unixTimestamp}}`: Current Unix timestamp
|
|
- `{{identity.name}}`: Name of the identity that is generating the secret
|
|
- `{{random N}}`: Random string of N characters
|
|
|
|
Allowed template functions are
|
|
- `truncate`: Truncates a string to a specified length
|
|
- `replace`: Replaces a substring with another value
|
|
|
|
Examples:
|
|
```
|
|
{{randomUsername}} // 3POnzeFyK9gW2nioK0q2gMjr6CZqsRiX
|
|
{{unixTimestamp}} // 17490641580
|
|
{{identity.name}} // testuser
|
|
{{random-5}} // x9k2m
|
|
{{truncate identity.name 4}} // test
|
|
{{replace identity.name 'user' 'replace'}} // testreplace
|
|
```
|
|
</ParamField>
|
|
<ParamField path="Customize SQL Statement" type="string">
|
|
If you want to provide specific privileges for the generated dynamic credentials, you can modify the SQL statement to your needs. This is useful if you want to only give access to a specific table(s).
|
|
</ParamField>
|
|
</Step>
|
|
<Step title="Click 'Submit'">
|
|
After submitting the form, you will see a dynamic secret created in the dashboard.
|
|
|
|
<Note>
|
|
If this step fails, you may have to add the CA certificate.
|
|
</Note>
|
|
|
|
|
|
</Step>
|
|
<Step title="Generate dynamic secrets">
|
|
Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
|
|
To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
|
|
Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
|
|
|
|
|
|
|
|
|
|
When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
|
|
|
|
|
|
|
|
<Tip>
|
|
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret.
|
|
</Tip>
|
|
|
|
|
|
Once you click the `Submit` button, a new secret lease will be generated and the credentials for it will be shown to you.
|
|
|
|
|
|
</Step>
|
|
</Steps>
|
|
|
|
## Audit or Revoke Leases
|
|
Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.
|
|
This will allow you to see the expiration time of the lease or delete the lease before it's set time to live.
|
|
|
|
|
|
|
|
## Renew Leases
|
|
To extend the life of the generated dynamic secret leases past its initial time to live, simply click on the **Renew** button as illustrated below.
|
|
|
|
|
|
<Warning>
|
|
Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret
|
|
</Warning>
|