The PostgreSQL service connector processes connection requests to a PostgreSQL database.

To secure connections, we support all of the PostgreSQL SSL options that you are familar with. For details, see sslmode.


Unlike other clients, the default sslmode for Secretless is require since most use cases require TLS. If your environment does not use TLS, turn it off if you can do so safely.

Configure the service connector

Configure the Secretless Broker to specify where to find your database connection details in the credentials section of the yaml file. This includes where to find your database's host, port, username, and password, as well as the sslmode details, such as the location of any relevant certificates and revocation lists, if applicable.

The options are as follows:





Host name of the PostgreSQL server.



Port of the PostgreSQL server.


(Default setting is 5432)


Username of the PostgreSQL account.



Password of the PostgreSQL account.



Determines if the connection between the Secretless Broker and your database is protected by SSL. Defaults to require.

For details on the supported values of this parameter, see SSL Modes.



The content of this parameter specifies the client SSL certificate, replacing the default ~/.postgresql/postgresql.crt. This parameter is ignored if an SSL connection is not made.



The content of this parameter specifies the SSL certificate authority (CA) certificate(s), replacing the default ~/.postgresql/root.crt. If present, the server's certificate is verified to be signed by one of these authorities.



The content of this parameter specifies the secret key used for the client certificate, replacing the default ~/.postgresql/postgresql.key. This parameter is ignored if an SSL connection is not made.


The PostgreSQL documentation website provides detail on the levels of protection provided by different values for the sslmode parameter.

Secretless supports the following SSL modes:




Try only a non-SSL connection.



Try only an SSL connection. If a root CA file is present, verify the certificate in the same way as if verify-ca was specified.


Try only an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA).


Try only an SSL connection, and verify the server certificate against the configured CA certificates (provided in the Secretless configuration via sslrootcert). In addition, the verify-full SSL mode option helps prevent man-in-the-middle attacks by performing a host name identity verification. Secretless checks the host name the client uses for connecting to the server against the identity provided in the certificate the server sends to the client. The connection fails if the host name does not match the certificate Common Name.

Secretless uses the value of the host parameter in the Secretless configuration to perform the host name identity verification. If desired, you can override this value for the purpose of the certificate check by providing a value for the sslhost configuration parameter.



Secretless does not currently support the allow, prefer, or verify-full SSL modes, and does not yet support providing an SSL certificate revocation list (eg ssl-crl). See GitHub Issues for information on future support for these modes.

When sslmode is set to require or verify-ca, the optional SSL configuration parameters sslcert, sslkey, and sslrootcert may be necessary. The particular values needed depend on your use case; more information on these parameters can be found in the PostgreSQL documentation.


See also

Troubleshoot Secretless Service Connectors