open-vault/website/source/docs/secrets/databases/postgresql.html.md

---
layout: "docs"
page_title: "PostgreSQL Database Plugin - Database Secret Backend"
sidebar_current: "docs-secrets-databases-postgresql"
description: |-
  The PostgreSQL plugin for Vault's Database backend generates database credentials to access PostgreSQL.
---

# PostgreSQL Database Plugin

Name: `postgresql-database-plugin`

The PostgreSQL Database Plugin is one of the supported plugins for the Database
backend. This plugin generates database credentials dynamically based on
configured roles for the PostgreSQL database.

See the [Database Backend](/docs/secrets/databases/index.html) docs for more
information about setting up the Database Backend.

## Quick Start

After the Database Backend is mounted you can configure a PostgreSQL connection
by specifying this plugin as the `"plugin_name"` argument. Here is an example
configuration:

```
$ vault write database/config/postgresql \
    plugin_name=postgresql-database-plugin \
    allowed_roles="readonly" \
    connection_url="postgresql://root:root@localhost:5432/"

The following warnings were returned from the Vault server:
* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
```

Once the PostgreSQL connection is configured we can add a role. The PostgreSQL
plugin replaces `{{expiration}}` in statements with a formated timestamp:

```
$ vault write database/roles/readonly \
    db_name=postgresql \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
        GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" \
    max_ttl="24h"

Success! Data written to: database/roles/readonly
```

This role can be used to retrieve a new set of credentials by querying the
"database/creds/readonly" endpoint.

## API

The full list of configurable options can be seen in the [PostgreSQL database
plugin API](/api/secret/databases/postgresql.html) page.

For more information on the Database secret backend's HTTP API please see the [Database secret
backend API](/api/secret/databases/index.html) page.
Add website skeleton 2017-05-02 20:26:32 +00:00			`---`
			`layout: "docs"`
Rename database plugins for SEO (#3156) When we "nest" like this, it's important to use a common suffix, "Database Secret Backend" in this case, so that the SEO minions can properly group search results for end users. 2017-08-14 14:46:39 +00:00			`page_title: "PostgreSQL Database Plugin - Database Secret Backend"`
Add website skeleton 2017-05-02 20:26:32 +00:00			`sidebar_current: "docs-secrets-databases-postgresql"`
			`description: \|-`
			`The PostgreSQL plugin for Vault's Database backend generates database credentials to access PostgreSQL.`
			`---`

			`# PostgreSQL Database Plugin`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
			Name: `postgresql-database-plugin`

			`The PostgreSQL Database Plugin is one of the supported plugins for the Database`
			`backend. This plugin generates database credentials dynamically based on`
			`configured roles for the PostgreSQL database.`

Upate links in docs 2017-05-03 17:25:12 +00:00			`See the [Database Backend](/docs/secrets/databases/index.html) docs for more`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00			`information about setting up the Database Backend.`

			`## Quick Start`

			`After the Database Backend is mounted you can configure a PostgreSQL connection`
			by specifying this plugin as the `"plugin_name"` argument. Here is an example
Rename database plugins for SEO (#3156) When we "nest" like this, it's important to use a common suffix, "Database Secret Backend" in this case, so that the SEO minions can properly group search results for end users. 2017-08-14 14:46:39 +00:00			`configuration:`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
			```
			`$ vault write database/config/postgresql \`
			`plugin_name=postgresql-database-plugin \`
			`allowed_roles="readonly" \`
Few docs updates 2017-05-04 21:07:12 +00:00			`connection_url="postgresql://root:root@localhost:5432/"`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
			`The following warnings were returned from the Vault server:`
			`* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.`
			```

			`Once the PostgreSQL connection is configured we can add a role. The PostgreSQL`
			plugin replaces `{{expiration}}` in statements with a formated timestamp:

			```
			`$ vault write database/roles/readonly \`
			`db_name=postgresql \`
			`creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \`
			`GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \`
			`default_ttl="1h" \`
			`max_ttl="24h"`

			`Success! Data written to: database/roles/readonly`
			```

			`This role can be used to retrieve a new set of credentials by querying the`
			`"database/creds/readonly" endpoint.`

			`## API`

			`The full list of configurable options can be seen in the [PostgreSQL database`
Upate links in docs 2017-05-03 17:25:12 +00:00			`plugin API](/api/secret/databases/postgresql.html) page.`
Update docs for the database backend and it's plugins 2017-05-03 05:24:31 +00:00
add new mysql plugin names and fix grammar 2017-05-04 01:41:39 +00:00			`For more information on the Database secret backend's HTTP API please see the [Database secret`
Upate links in docs 2017-05-03 17:25:12 +00:00			`backend API](/api/secret/databases/index.html) page.`