This guide will show you how to:
- Deploy the Authenticator.
- Store database credentials in Vault to be retrieved by the Authenticator.
- Connect to a Postgres database through the Approzium Python SDK.
Deploying the Authenticator
- Head to our latest release.
- Choose the appropriate binary for your operating system, and run it with a set of commands like:
For availability, we recommend running the Authenticator in a long-running environment (such as an EC2 instance) rather than in a short-lived environment (like in AWS Lambda).
Storing Credentials in Vault
The Authenticator expects credentials for a single database user as a secret stored against the database user as the key. The secret contains the database password and a set of IAM roles allowed to access the credentials in the following structure.
For database access to be granted to a caller, the caller's exact iam_arn must be listed, unless the caller has assumed a role. For assumed roles, either the role ARN or the assumed role ARN may be used to grant access.
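The matching rule above can be sketched as follows. This is an added example, not the Authenticator's own code; it assumes the caller is identified by the ARN that AWS STS GetCallerIdentity returns, and the function names and sample ARNs are constructed for illustration.

```python
import re

# Shape of an STS assumed-role ARN: arn:aws:sts::<account>:assumed-role/<role>/<session>
_ASSUMED_ROLE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):sts::(?P<account>\d{12}):"
    r"assumed-role/(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)$",
    re.ASCII,
)


def candidate_arns(caller_arn):
    """Return every ARN that, if listed in the secret, grants this caller access."""
    m = _ASSUMED_ROLE.match(caller_arn)
    if m is None:
        # IAM user or any other non-assumed identity: only the exact ARN counts.
        return {caller_arn}
    # Assumed role: either the assumed-role ARN itself or the underlying role ARN.
    # STS omits any IAM path from assumed-role ARNs, so the derived role ARN
    # is always path-less.
    role_arn = "arn:{partition}:iam::{account}:role/{role}".format(**m.groupdict())
    return {caller_arn, role_arn}


def is_allowed(caller_arn, allowed_arns):
    """Exact string comparison only: no wildcards, no prefix matching."""
    return not candidate_arns(caller_arn).isdisjoint(allowed_arns)


# Constructed sample data: the ARNs an operator might list for one database user.
ALLOWED = [
    "arn:aws:iam::123456789012:role/app-db-reader",
    "arn:aws:iam::123456789012:user/alice",
]

if __name__ == "__main__":
    callers = [
        "arn:aws:sts::123456789012:assumed-role/app-db-reader/i-0abc",  # role is listed
        "arn:aws:iam::123456789012:user/alice",                         # exact match
        "arn:aws:iam::123456789012:user/alice2",                        # near miss
        "arn:aws:sts::999999999999:assumed-role/app-db-reader/i-0abc",  # other account
    ]
    for arn in callers:
        print("ALLOW" if is_allowed(arn, ALLOWED) else "DENY ", arn)
```

Listing the role ARN admits every session of that role, while listing a full assumed role ARN admits only that one session name.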
Enable Vault KV Version 1 (see Vault documentation for more information).
Put the secret at path approzium/<DATABASE_HOST:DATABASE_PORT> with your database user as the key.
Install the SDK in your client.
Connect to your database as follows. (Note: TLS should not be disabled in production environments; see our Python guide for how to configure it.)