{"id":45289,"date":"2023-09-13T07:29:09","date_gmt":"2023-09-13T05:29:09","guid":{"rendered":"https:\/\/www.inovex.de\/?p=45289"},"modified":"2023-09-14T08:51:38","modified_gmt":"2023-09-14T06:51:38","slug":"secure-postgres-connections-pgbouncer-vault-sidecar","status":"publish","type":"post","link":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/","title":{"rendered":"Securely Managing Postgres Connections with pgbouncer-vault-sidecar"},"content":{"rendered":"<p>inovex has released a\u00a0sidecar container image to ease the use of short-lived Postgres database credentials \u2013 <a href=\"https:\/\/github.com\/inovex\/pgbouncer-vault-sidecar\" target=\"_blank\" rel=\"noopener\">pgbouncer-vault-sidecar<\/a>. With the use of Vault, this makes injecting database credentials into pods obsolete.<!--more--><\/p>\n<p>In today&#8217;s age, security is of utmost importance, especially for organizations handling sensitive data. One common way to increase security is to use short-lived credentials, which help limit the time attackers have to exploit a vulnerability. This approach reduces the risk of credentials being stolen or misused, making it a highly effective security measure.<\/p>\n<p>HashiCorp Vault is a popular solution for securely managing short-lived credentials. It provides a centralized management system for secrets, such as database credentials. Access to secrets can be managed via policies and audit logs help to identify intrusions. However, integrating Vault with your application can be complex and time-consuming. Applications have to deal with:<\/p>\n<ul>\n<li>Authenticating against Vault<\/li>\n<li>Obtaining secrets from Vault<\/li>\n<li>Renewing the leased credentials<\/li>\n<li>Coping with rotating credentials<\/li>\n<\/ul>\n<p>HashiCorp has created Vault Agent to deal with most of the problems. However, coping with rotating credentials is challenging. 
Applications should adopt the new credentials while continuing to run to avoid downtime.<\/p>\n<p>Let\u2019s take database credentials as an example. Many applications depend on a database, such as Postgres, and use credentials to authenticate against it over the network. If the credentials change frequently, the application has to detect the change and update its database connections gracefully without interrupting service. This requires code changes in every application that wants to make use of Vault. In the worst case, an application cannot be changed at all.<\/p>\n<p>This is where pgbouncer-vault-sidecar comes in. It is a project developed by inovex that simplifies the integration process, making it easier for developers to use Vault to manage their Postgres credentials.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How-it-works\"><\/span>How it works<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>pgbouncer-vault-sidecar is a sidecar that can be deployed 
with your application. It serves as a connection pooler and takes care of authentication. It exposes the database to the main application via localhost, where the pod serves as the security boundary. The sidecar is easy to configure and works with every application that uses Postgres \u2013 legacy or cloud-native.<\/p>\n<p><a href=\"https:\/\/www.inovex.de\/wp-content\/uploads\/diagram.svg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-45290 size-large\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/diagram.svg\" alt=\"\" width=\"640\" height=\"388\" \/><\/a><\/p>\n<p>The sidecar authenticates against Vault, obtains and renews leases for database credentials, connects to the database, and switches to new credentials once the lease can no longer be renewed.<\/p>\n<p>Beyond authentication, the sidecar is a connection pooler, so it also helps to <a href=\"https:\/\/dataegret.com\/2015\/06\/3-reasons-to-use-pgbouncer\/\" target=\"_blank\" rel=\"noopener\">reduce resource consumption<\/a> on the database server and can provide metrics on database connections.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Lets-see-it-in-action\"><\/span>Let\u2019s see it in action<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To show the benefit of the sidecar, we need Vault, a Postgres database cluster, and a demo application running inside Kubernetes.<\/p>\n<p>We choose Minikube to provision a developer cluster:<\/p>\n<pre class=\"lang:sh decode:true \">$ minikube start\r\n...\r\nDone! kubectl is now configured to use \"minikube\" cluster and \"default\" namespace by default<\/pre>\n<p>Once our cluster is ready, we deploy Vault and a Postgres database. 
kubectl should be configured to use the \u201cdefault\u201c namespace.<\/p>\n<pre class=\"lang:sh decode:true \">$ kubectl apply -f - &lt;&lt;EOF\r\napiVersion: v1\r\nkind: ServiceAccount\r\nmetadata:\r\n  name: vault\r\n---\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nkind: ClusterRoleBinding\r\nmetadata:\r\n  name: role-tokenreview-binding\r\nroleRef:\r\n  apiGroup: rbac.authorization.k8s.io\r\n  kind: ClusterRole\r\n  name: system:auth-delegator\r\nsubjects:\r\n- kind: ServiceAccount\r\n  name: vault\r\n  namespace: default\r\n---\r\napiVersion: v1\r\nkind: Service\r\nmetadata:\r\n  name: vault\r\nspec:\r\n  selector:\r\n    app: vault\r\n  ports:\r\n  - protocol: TCP\r\n    port: 8200\r\n    targetPort: 8200\r\n---\r\napiVersion: v1\r\nkind: Pod\r\nmetadata:\r\n  name: vault\r\n  labels:\r\n    app: vault\r\nspec:\r\n  serviceAccountName: vault\r\n  containers:\r\n  - name: vault\r\n    image: hashicorp\/vault:1.13.2\r\n    command:\r\n    - vault\r\n    - server\r\n    - -dev\r\n    - -dev-root-token-id=root\r\n    - -dev-listen-address=0.0.0.0:8200\r\n    env:\r\n    - name: VAULT_ADDR\r\n      value: http:\/\/0.0.0.0:8200\r\n  restartPolicy: OnFailure\r\n---\r\napiVersion: v1\r\nkind: Service\r\nmetadata:\r\n  name: postgres\r\nspec:\r\n  selector:\r\n    app: postgres\r\n  ports:\r\n    - protocol: TCP\r\n      port: 5432\r\n      targetPort: 5432\r\n---\r\napiVersion: v1\r\nkind: Pod\r\nmetadata:\r\n  name: postgres\r\n  labels:\r\n    app: postgres\r\nspec:\r\n  containers:\r\n  - name: postgres\r\n    image: postgres:14.7\r\n    env:\r\n    - name: POSTGRES_PASSWORD\r\n      value: supersecret\r\n  restartPolicy: OnFailure\r\nEOF\r\n<\/pre>\n<p>Vault allows applications to authenticate via Kubernetes service accounts. 
We have to enable this in Vault.<\/p>\n<pre class=\"lang:sh decode:true \">$ kubectl exec vault -- vault auth enable kubernetes\r\n$ kubectl exec vault -- vault write auth\/kubernetes\/config kubernetes_host=https:\/\/kubernetes.default.svc.cluster.local. kubernetes_ca_cert=@\/var\/run\/secrets\/kubernetes.io\/serviceaccount\/ca.crt token_reviewer_jwt=@\/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token<\/pre>\n<p>Furthermore, we have to add the Postgres cluster to Vault and define a database role. This role is used to create short-lived roles in Postgres (HashiCorp and Postgres use the term role differently). We purposefully set the TTL and max TTL to a low value to demonstrate that leases are automatically renewed and PGBouncer switches to new credentials seamlessly. In production, those values should be higher.<\/p>\n<pre class=\"lang:sh decode:true \">$ kubectl exec vault -- vault secrets enable database\r\n$ kubectl exec vault -- vault write database\/config\/my-database plugin_name=postgresql-database-plugin allowed_roles=\"readonly\" connection_url=\"postgresql:\/\/postgres:supersecret@postgres.default.svc.cluster.local.:5432\/?sslmode=disable\"\r\n$ kubectl exec vault -- vault write database\/roles\/readonly db_name=my-database default_ttl=\"1m\" max_ttl=\"3m\" creation_statements=\"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \\\"{{name}}\\\";\"<\/pre>\n<p>In order to use the role \u201creadonly\u201c we have to bind the application service account to yet another role (in the context of the Kubernetes authentication method) and assign a policy in order to obtain a lease for \u201creadonly\u201c.<\/p>\n<pre class=\"lang:sh decode:true \">$ kubectl exec vault -- vault write auth\/kubernetes\/role\/my-applcation bound_service_account_names=my-application bound_service_account_namespaces=default policies=my-database-readonly ttl=1h\r\n$ kubectl exec vault -i 
-- vault policy write my-database-readonly - &lt;&lt;EOF\r\npath \"database\/creds\/readonly\" {\r\n  capabilities = [\"read\", \"list\"]\r\n}\r\nEOF<\/pre>\n<p>Now we have everything set up to start our application. For demonstration purposes, we continuously query the current user (from the perspective of Postgres).<\/p>\n<pre class=\"lang:sh decode:true \">$ kubectl apply -f - &lt;&lt;EOF\r\napiVersion: v1\r\nkind: ServiceAccount\r\nmetadata:\r\n  name: my-application\r\n---\r\napiVersion: v1\r\nkind: Pod\r\nmetadata:\r\n  name: my-application\r\nspec:\r\n  serviceAccountName: my-application\r\n  restartPolicy: OnFailure\r\n  containers:\r\n  - name: main-application\r\n    image: postgres\r\n    command:\r\n    - bash\r\n    - -c\r\n    - while true; do psql --host=localhost --dbname=postgres --command='SELECT NOW(), current_user;'; sleep 20; done\r\n  - name: pgbouncer-vault-sidecar\r\n    image: ghcr.io\/inovex\/pgbouncer-vault-sidecar:0.3.0\r\n    env:\r\n    - name: VAULT_ADDR\r\n      value: http:\/\/vault.default.svc.cluster.local.:8200\r\n    - name: VAULT_PATH\r\n      value: database\/creds\/readonly\r\n    - name: VAULT_KUBERNETES_ROLE\r\n      value: my-applcation\r\n    - name: DB_NAME\r\n      value: postgres\r\n    - name: DB_HOST\r\n      value: postgres.default.svc.cluster.local.\r\n    - name: TLS_MODE\r\n      value: disable\r\nEOF\r\n$ kubectl logs -c main-application --follow my-application\r\n...\r\n         \tnow         \t|                \tcurrent_user               \t \r\n-----------------------------+----------------------------------------------------\r\n 2023-05-04 13:20:14.9637+00 | v-kubernet-my-role-CC0I3yH3NgU01KHT5rRR-1683206244\r\n(1 row)\r\n\r\n          \tnow          \t|                \tcurrent_user               \t \r\n-------------------------------+----------------------------------------------------\r\n 2023-05-04 13:20:35.033061+00 | v-kubernet-my-role-5Ls2ZFVqnwWJ3bBqF3Kf-1683206409\r\n(1 
row)\r\n...\r\n<\/pre>\n<p>The main application can now connect to Postgres with minimal configuration! Looking at the logs, we can see that the user changes once the maximum lease time has been reached (3 minutes). PGBouncer automatically adopted the new credentials.<\/p>\n<p>PGBouncer is configured for transaction pooling. That is, a connection to Postgres is held by the application until the transaction is committed (or aborted). PGBouncer switches to the new credentials gracefully (see <a href=\"http:\/\/www.pgbouncer.org\/usage.html\">RELOAD<\/a>). That means that long-running transactions keep using the old role, while new transactions use the new role.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>pgbouncer-vault-sidecar is a simple and secure way to introduce short-lived credentials into your application. By leveraging the sidecar pattern, you can easily integrate Vault into any application that uses Postgres without adding unnecessary complexity.<\/p>\n<p>We encourage you to try out pgbouncer-vault-sidecar. It is available on <a href=\"https:\/\/github.com\/inovex\/pgbouncer-vault-sidecar\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>. Contributions are welcome \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>inovex has released a\u00a0sidecar container image to ease the use of short-lived Postgres database credentials \u2013 pgbouncer-vault-sidecar. 
With the use of Vault, this makes injecting database credentials into pods obsolete.<\/p>\n","protected":false},"author":196,"featured_media":47317,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"ep_exclude_from_search":false,"footnotes":""},"tags":[136,71,733,66,114,734],"service":[422,423],"coauthors":[{"id":196,"display_name":"Bj\u00f6rn Fischer","user_nicename":"bfischer"}],"class_list":["post-45289","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-authentication","tag-cloud","tag-cloud-en-2","tag-devops","tag-kubernetes","tag-kubernetes-en-2","service-it-engineering","service-kubernetes"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Secure Postgres Connections with pgbouncer-vault-sidecar - inovex GmbH<\/title>\n<meta name=\"description\" content=\"inovex has released a\u00a0sidecar container image to ease the use of short-lived Postgres database credentials. This article show how it works.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Secure Postgres Connections with pgbouncer-vault-sidecar - inovex GmbH\" \/>\n<meta property=\"og:description\" content=\"inovex has released a\u00a0sidecar container image to ease the use of short-lived Postgres database credentials. 
This article show how it works.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/\" \/>\n<meta property=\"og:site_name\" content=\"inovex GmbH\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/inovexde\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-13T05:29:09+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-09-14T06:51:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inovex.de\/wp-content\/uploads\/secure-connections-with-pgbouncer-vault-sidecar.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Bj\u00f6rn Fischer\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.inovex.de\/wp-content\/uploads\/secure-connections-with-pgbouncer-vault-sidecar-1024x576.png\" \/>\n<meta name=\"twitter:creator\" content=\"@inovexgmbh\" \/>\n<meta name=\"twitter:site\" content=\"@inovexgmbh\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"Bj\u00f6rn Fischer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"6\u00a0Minuten\" \/>\n\t<meta name=\"twitter:label3\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data3\" content=\"Bj\u00f6rn Fischer\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/\"},\"author\":{\"name\":\"Bj\u00f6rn Fischer\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/person\\\/787ee4bac1886f882a67cd821a5bbb88\"},\"headline\":\"Securely Managing Postgres Connections with pgbouncer-vault-sidecar\",\"datePublished\":\"2023-09-13T05:29:09+00:00\",\"dateModified\":\"2023-09-14T06:51:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/\"},\"wordCount\":749,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/secure-connections-with-pgbouncer-vault-sidecar.png\",\"keywords\":[\"Authentication\",\"Cloud\",\"Cloud\",\"DevOps\",\"Kubernetes\",\"Kubernetes\"],\"articleSection\":[\"English Content\",\"General\",\"Infrastructure\"],\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/\",\"name\":\"Secure Postgres Connections with pgbouncer-vault-sidecar - inovex 
GmbH\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/secure-connections-with-pgbouncer-vault-sidecar.png\",\"datePublished\":\"2023-09-13T05:29:09+00:00\",\"dateModified\":\"2023-09-14T06:51:38+00:00\",\"description\":\"inovex has released a\u00a0sidecar container image to ease the use of short-lived Postgres database credentials. This article show how it works.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/#breadcrumb\"},\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/secure-connections-with-pgbouncer-vault-sidecar.png\",\"contentUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/secure-connections-with-pgbouncer-vault-sidecar.png\",\"width\":1920,\"height\":1080,\"caption\":\"the postgres elephant logo on a padlock\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/secure-postgres-connections-pgbouncer-vault-sidecar\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securely Managing Postgres Connections with 
pgbouncer-vault-sidecar\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/\",\"name\":\"inovex GmbH\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"de\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#organization\",\"name\":\"inovex GmbH\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/inovex-logo-16-9-1.png\",\"contentUrl\":\"https:\\\/\\\/www.inovex.de\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/inovex-logo-16-9-1.png\",\"width\":1921,\"height\":1081,\"caption\":\"inovex GmbH\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/inovexde\",\"https:\\\/\\\/x.com\\\/inovexgmbh\",\"https:\\\/\\\/www.instagram.com\\\/inovexlife\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/inovex\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC7r66GT14hROB_RQsQBAQUQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/#\\\/schema\\\/person\\\/787ee4bac1886f882a67cd821a5bbb88\",\"name\":\"Bj\u00f6rn 
Fischer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e7500175ec2e4f01050a2dcd12dc3701344243cb9bb10eea220cc49aed21732f?s=96&d=retro&r=g0bbb20c32382ec889c04d197edd907cf\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e7500175ec2e4f01050a2dcd12dc3701344243cb9bb10eea220cc49aed21732f?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e7500175ec2e4f01050a2dcd12dc3701344243cb9bb10eea220cc49aed21732f?s=96&d=retro&r=g\",\"caption\":\"Bj\u00f6rn Fischer\"},\"sameAs\":[\"http:\\\/\\\/github.com\\\/fischerman\"],\"url\":\"https:\\\/\\\/www.inovex.de\\\/de\\\/blog\\\/author\\\/bfischer\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Secure Postgres Connections with pgbouncer-vault-sidecar - inovex GmbH","description":"inovex has released a\u00a0sidecar container image to ease the use of short-lived Postgres database credentials. This article show how it works.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/","og_locale":"de_DE","og_type":"article","og_title":"Secure Postgres Connections with pgbouncer-vault-sidecar - inovex GmbH","og_description":"inovex has released a\u00a0sidecar container image to ease the use of short-lived Postgres database credentials. 
This article show how it works.","og_url":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/","og_site_name":"inovex GmbH","article_publisher":"https:\/\/www.facebook.com\/inovexde","article_published_time":"2023-09-13T05:29:09+00:00","article_modified_time":"2023-09-14T06:51:38+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/www.inovex.de\/wp-content\/uploads\/secure-connections-with-pgbouncer-vault-sidecar.png","type":"image\/png"}],"author":"Bj\u00f6rn Fischer","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.inovex.de\/wp-content\/uploads\/secure-connections-with-pgbouncer-vault-sidecar-1024x576.png","twitter_creator":"@inovexgmbh","twitter_site":"@inovexgmbh","twitter_misc":{"Verfasst von":"Bj\u00f6rn Fischer","Gesch\u00e4tzte Lesezeit":"6\u00a0Minuten","Written by":"Bj\u00f6rn Fischer"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/#article","isPartOf":{"@id":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/"},"author":{"name":"Bj\u00f6rn Fischer","@id":"https:\/\/www.inovex.de\/de\/#\/schema\/person\/787ee4bac1886f882a67cd821a5bbb88"},"headline":"Securely Managing Postgres Connections with 
pgbouncer-vault-sidecar","datePublished":"2023-09-13T05:29:09+00:00","dateModified":"2023-09-14T06:51:38+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/"},"wordCount":749,"commentCount":1,"publisher":{"@id":"https:\/\/www.inovex.de\/de\/#organization"},"image":{"@id":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/secure-connections-with-pgbouncer-vault-sidecar.png","keywords":["Authentication","Cloud","Cloud","DevOps","Kubernetes","Kubernetes"],"articleSection":["English Content","General","Infrastructure"],"inLanguage":"de","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/","url":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/","name":"Secure Postgres Connections with pgbouncer-vault-sidecar - inovex GmbH","isPartOf":{"@id":"https:\/\/www.inovex.de\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/#primaryimage"},"image":{"@id":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/secure-connections-with-pgbouncer-vault-sidecar.png","datePublished":"2023-09-13T05:29:09+00:00","dateModified":"2023-09-14T06:51:38+00:00","description":"inovex has released a\u00a0sidecar container image to ease the use of short-lived Postgres database credentials. 
This article show how it works.","breadcrumb":{"@id":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/#breadcrumb"},"inLanguage":"de","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/"]}]},{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/#primaryimage","url":"https:\/\/www.inovex.de\/wp-content\/uploads\/secure-connections-with-pgbouncer-vault-sidecar.png","contentUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/secure-connections-with-pgbouncer-vault-sidecar.png","width":1920,"height":1080,"caption":"the postgres elephant logo on a padlock"},{"@type":"BreadcrumbList","@id":"https:\/\/www.inovex.de\/de\/blog\/secure-postgres-connections-pgbouncer-vault-sidecar\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inovex.de\/de\/"},{"@type":"ListItem","position":2,"name":"Securely Managing Postgres Connections with pgbouncer-vault-sidecar"}]},{"@type":"WebSite","@id":"https:\/\/www.inovex.de\/de\/#website","url":"https:\/\/www.inovex.de\/de\/","name":"inovex GmbH","description":"","publisher":{"@id":"https:\/\/www.inovex.de\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inovex.de\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"de"},{"@type":"Organization","@id":"https:\/\/www.inovex.de\/de\/#organization","name":"inovex 
GmbH","url":"https:\/\/www.inovex.de\/de\/","logo":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.inovex.de\/de\/#\/schema\/logo\/image\/","url":"https:\/\/www.inovex.de\/wp-content\/uploads\/2021\/03\/inovex-logo-16-9-1.png","contentUrl":"https:\/\/www.inovex.de\/wp-content\/uploads\/2021\/03\/inovex-logo-16-9-1.png","width":1921,"height":1081,"caption":"inovex GmbH"},"image":{"@id":"https:\/\/www.inovex.de\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/inovexde","https:\/\/x.com\/inovexgmbh","https:\/\/www.instagram.com\/inovexlife\/","https:\/\/www.linkedin.com\/company\/inovex","https:\/\/www.youtube.com\/channel\/UC7r66GT14hROB_RQsQBAQUQ"]},{"@type":"Person","@id":"https:\/\/www.inovex.de\/de\/#\/schema\/person\/787ee4bac1886f882a67cd821a5bbb88","name":"Bj\u00f6rn Fischer","image":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/secure.gravatar.com\/avatar\/e7500175ec2e4f01050a2dcd12dc3701344243cb9bb10eea220cc49aed21732f?s=96&d=retro&r=g0bbb20c32382ec889c04d197edd907cf","url":"https:\/\/secure.gravatar.com\/avatar\/e7500175ec2e4f01050a2dcd12dc3701344243cb9bb10eea220cc49aed21732f?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e7500175ec2e4f01050a2dcd12dc3701344243cb9bb10eea220cc49aed21732f?s=96&d=retro&r=g","caption":"Bj\u00f6rn 
Fischer"},"sameAs":["http:\/\/github.com\/fischerman"],"url":"https:\/\/www.inovex.de\/de\/blog\/author\/bfischer\/"}]}},"_links":{"self":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/45289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/users\/196"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/comments?post=45289"}],"version-history":[{"count":6,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/45289\/revisions"}],"predecessor-version":[{"id":47320,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/45289\/revisions\/47320"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media\/47317"}],"wp:attachment":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media?parent=45289"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/tags?post=45289"},{"taxonomy":"service","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/service?post=45289"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/coauthors?post=45289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}