Passwordless Access to Neon DB

You can provide seamless zero trust, secret-less access to NeonDB or any SaaS PostgreSQL-based database (read more about MySQL Services here) without having to share and manage passwords (read more about secret-less access here).

First we need to create a Secret for the database's password as follows:

octeliumctl create secret neondb-password

Now we create a Service for our database as follows:

kind: Service
metadata:
  name: neondb
spec:
  mode: POSTGRES
  config:
    upstream:
      url: postgres://ep-shiny-math-<123456>.eu-central-1.aws.neon.tech
    postgres:
      user: <USER>
      database: neondb
      auth:
        password:
          fromSecret: neondb-password
      sslMode: REQUIRE

You can now apply the creation of the Service as follows (read more here):

octeliumctl apply /PATH/TO/SERVICE.YAML

Now, after connecting to the Cluster via the octelium connect command (read more about connecting to Clusters here), you can access the database at the hostname neondb.default, or simply neondb (read more here), as follows:

psql -h neondb

You can also provide dynamic secret-less access where you can set different users, databases and passwords for different Users under different contexts. Read more about dynamic configuration here. Here is an example where Users belonging to the production or admins Groups access a production database while the rest access a development database:

apiVersion: core/v1
kind: Service
metadata:
  name: neondb
spec:
  mode: POSTGRES
  port: 5432
  dynamicConfig:
    configs:
      - name: production
        upstream:
          url: postgres://production-db.eu-central-1.aws.neon.tech
        postgres:
          user: prod-user
          database: prod-db
          auth:
            password:
              fromSecret: prod-password
          sslMode: REQUIRE
      - name: development
        upstream:
          url: postgres://development-db.eu-central-1.aws.neon.tech
        postgres:
          user: dev-user
          database: dev-db
          auth:
            password:
              fromSecret: dev-password
          sslMode: REQUIRE
    rules:
      - condition:
          match: ctx.user.spec.groups.hasAny("production", "admins")
        configName: production
      - condition:
          matchAny: true
        configName: development
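
A pre-apply check for manifests like the ones above, as an added example that is not part of the Octelium documentation or tooling. It takes the manifest as a Python dict and flags configs that do not require TLS, do not take the password from a Secret, or embed a password in the upstream URL, plus rules that name a missing config or sit behind a catch-all. The function and variable names are hypothetical, and it assumes rules are evaluated top-down with the first match winning.

```python
from urllib.parse import urlsplit

def audit_service(svc):
    """Return findings for an Octelium POSTGRES Service manifest given as a dict."""
    findings = []
    spec = svc.get("spec", {})
    dyn = spec.get("dynamicConfig", {})
    # A static Service has one config under spec.config; a dynamic one has a named list.
    configs = dyn.get("configs") or [dict(spec.get("config", {}), name="(static)")]
    for cfg in configs:
        name, pg = cfg.get("name", "?"), cfg.get("postgres", {})
        if pg.get("sslMode") != "REQUIRE":
            findings.append(f"{name}: sslMode is not REQUIRE")
        if not pg.get("auth", {}).get("password", {}).get("fromSecret"):
            findings.append(f"{name}: password is not taken from a Secret")
        if urlsplit(cfg.get("upstream", {}).get("url", "")).password:
            findings.append(f"{name}: upstream url embeds a password")
    names = {cfg.get("name") for cfg in configs}
    rules = dyn.get("rules", [])
    for i, rule in enumerate(rules):
        if rule.get("configName") not in names:
            findings.append(f"rule {i}: unknown configName {rule.get('configName')!r}")
        # Assumption: rules are evaluated top-down and the first match wins.
        if rule.get("condition", {}).get("matchAny") and i < len(rules) - 1:
            findings.append(f"rule {i}: catch-all shadows {len(rules) - 1 - i} later rule(s)")
    return findings

def _cfg(name, url, user, db, secret, ssl="REQUIRE"):
    return {"name": name, "upstream": {"url": url},
            "postgres": {"user": user, "database": db, "sslMode": ssl,
                         "auth": {"password": {"fromSecret": secret}}}}

def _service(configs, rules):
    return {"kind": "Service", "metadata": {"name": "neondb"},
            "spec": {"mode": "POSTGRES", "port": 5432,
                     "dynamicConfig": {"configs": configs, "rules": rules}}}

HOST = "eu-central-1.aws.neon.tech"
PROD = _cfg("production", f"postgres://production-db.{HOST}", "prod-user", "prod-db", "prod-password")
DEV = _cfg("development", f"postgres://development-db.{HOST}", "dev-user", "dev-db", "dev-password")
GROUPS = {"condition": {"match": 'ctx.user.spec.groups.hasAny("production", "admins")'},
          "configName": "production"}
REST = {"condition": {"matchAny": True}, "configName": "development"}
PAGE_SERVICE = _service([PROD, DEV], [GROUPS, REST])  # the page's dynamic manifest as a dict
# Constructed bad variant: sslMode omitted, password in the URL, catch-all rule listed first.
BAD_DEV = _cfg("development", f"postgres://dev-user:example@development-db.{HOST}",
               "dev-user", "dev-db", "dev-password", ssl=None)
BAD_SERVICE = _service([PROD, BAD_DEV], [REST, GROUPS])

if __name__ == "__main__":
    for label, svc in (("page", PAGE_SERVICE), ("bad", BAD_SERVICE)):
        print(label, audit_service(svc) or "ok")
```
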
NOTE

You might also want to read about Octelium's PostgreSQL L7-aware access control here.

Octelium also provides OpenTelemetry-ready, application-layer L7-aware visibility and access logging in real time (see an example for PostgreSQL here). You can read more about visibility here.
