You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/features/authentication.md
+67-24Lines changed: 67 additions & 24 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -51,51 +51,94 @@ Available options currently are:
51
51
52
52
Server authentication method is controlled by PostgreSQL. PgDog will use whatever method Postgres requests during connection creation, which is configurable in [`pg_hba.conf`](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html).
53
53
54
-
PgDog currently supports two authentication methods for server connections:
54
+
PgDog currently supports three authentication methods for server connections:
55
55
56
56
1. Password authentication, using any of the [client authentication](#client-authentication) methods
57
57
2. AWS RDS IAM authentication
58
+
3. Azure Workload Identity authentication
58
59
59
60
60
61
#### RDS IAM authentication
61
62
62
-
!!! note "Experimental feature"
63
-
This feature is new and experimental. Please report any issues you may encounter.
64
-
65
63
PgDog supports authenticating to RDS PostgreSQL (and Aurora) databases using [IAM](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html). This is configurable on a user-per-user basis, for example:
66
64
67
-
```toml
68
-
[[users]]
69
-
name = "pgdog"
70
-
database = "prod"
71
-
server_auth = "rds_iam"
72
-
```
65
+
=== "users.toml"
66
+
```toml
67
+
[[users]]
68
+
name = "pgdog"
69
+
database = "prod"
70
+
server_auth = "rds_iam"
71
+
```
72
+
=== "Helm chart"
73
+
```yaml
74
+
users:
75
+
- name: pgdog
76
+
database: prod
77
+
serverAuth: rds_iam
78
+
```
79
+
80
+
#### Azure Workload Identity authentication
81
+
82
+
Similar to RDS IAM, PgDog can authenticate to PostgreSQL running in Azure using the built-in Workload Identity provider. This is configurable on a user-per-user basis, for example:
83
+
84
+
=== "users.toml"
85
+
```toml
86
+
[[users]]
87
+
name = "pgdog"
88
+
database = "prod"
89
+
server_auth = "azure_workload_identity"
90
+
```
91
+
=== "Helm chart"
92
+
```yaml
93
+
users:
94
+
- name: pgdog
95
+
database: prod
96
+
serverAuth: azure_workload_identity
97
+
```
73
98
74
99
## Add users
75
100
76
101
[`users.toml`](../configuration/users.toml/users.md) follows a simple TOML list structure. To add users, simply add another `[[users]]` section, e.g.:
77
102
78
-
```toml
79
-
[[users]]
80
-
name = "pgdog"
81
-
database = "pgdog"
82
-
password = "hunter2"
83
-
```
103
+
=== "users.toml"
104
+
```toml
105
+
[[users]]
106
+
name = "pgdog"
107
+
database = "pgdog"
108
+
password = "hunter2"
109
+
```
110
+
=== "Helm chart"
111
+
```yaml
112
+
users:
113
+
- name: pgdog
114
+
database: pgdog
115
+
password: hunter2
116
+
```
84
117
85
118
PgDog will expect clients connecting as `pgdog` to provide the password `hunter2` (hashed with `scram-sha-256` by default), and will use the same username and password to connect to PostgreSQL.
86
119
87
120
### Override server credentials
88
121
89
122
You can override the user and/or password PgDog uses to connect to Postgres by specifying `server_user` and `server_password` in the same configuration:
90
123
91
-
```toml
92
-
[[users]]
93
-
name = "pgdog"
94
-
password = "hunter2"
95
-
database = "pgdog"
96
-
server_user = "bob"
97
-
server_password = "opensesame"
98
-
```
124
+
=== "users.toml"
125
+
```toml
126
+
[[users]]
127
+
name = "pgdog"
128
+
password = "hunter2"
129
+
database = "pgdog"
130
+
server_user = "bob"
131
+
server_password = "opensesame"
132
+
```
133
+
=== "Helm chart"
134
+
```yaml
135
+
users:
136
+
- name: pgdog
137
+
password: hunter2
138
+
database: pgdog
139
+
serverUser: bob
140
+
serverPassword: opensesame
141
+
```
99
142
100
143
This allows you to separate client and server credentials. In case your clients accidentally leak theirs, you only need to rotate them in the PgDog configuration, without having to take downtime to change passwords in PostgreSQL.
0 commit comments