Configure your database user

Learn how to configure the Piiano Vault PostgreSQL user

info

This guide is relevant for the self-hosted server version of Vault. In the hosted version of Vault, the Vault database user is preconfigured according to the best practices mentioned in this guide.

Overview

Following the principle of least privilege, the Vault database user should not be a superuser of the entire database instance. It is sufficient to grant all privileges only on the logical database used by Vault.

The only exception is creating the pg_stat_statements extension, which is required for query statistics. See Configure your database to collect query statistics for instructions on how to configure it. That configuration is performed only once and must be run as a superuser.

The Vault database user

For simplicity, the instructions in this section assume that the database user name is pvault and the password is pvault. When you create the user, use a strong password. If you use a different user name, you must also update the environment variable PVAULT_DB_USER.

Create the user and grant the necessary permissions:

-- create the user. Replace with your password.
CREATE USER pvault WITH PASSWORD 'pvault';

-- Allow Vault to connect to the database as this user
GRANT CONNECT ON DATABASE pvault TO pvault;

-- Allow Vault to reference objects from the schema
GRANT USAGE ON SCHEMA public TO pvault;

-- Allow Vault to perform operations on objects in the schema
GRANT ALL ON ALL TABLES IN SCHEMA public TO pvault;

Reducing permissions (optional)

You can also remove the two unused default capabilities, TRIGGER and TRUNCATE, from the user by running these commands:

-- remove default permissions from the implicit PUBLIC role
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM PUBLIC;

-- revoke the broad GRANT ALL given to pvault above, so that only the reduced set granted below remains
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM pvault;

-- specifically only grant SELECT/INSERT/UPDATE and DELETE
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO pvault;
-- default privileges apply to tables created later by the role running this statement;
-- use ALTER DEFAULT PRIVILEGES FOR ROLE <owner> ... if a different role creates Vault's tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO pvault;

note

The priority of this step is low from a security risk management perspective.
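The following queries are an added verification step, not part of the Piiano Vault documentation. Run them as a superuser or the database owner while connected to the Vault database; they assume the user name pvault from this guide and confirm that the user is not a superuser, holds no TRIGGER or TRUNCATE privilege on any table in the public schema, and still holds the four privileges Vault needs.

```sql
-- 1. The Vault user must not be a superuser and must not be able to create
--    databases or roles, or bypass row-level security.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolbypassrls
FROM pg_roles
WHERE rolname = 'pvault';
-- expected: one row with rolsuper = f, rolcreatedb = f, rolcreaterole = f, rolbypassrls = f

-- 2. Tables in the public schema on which pvault still holds TRIGGER or TRUNCATE.
--    An empty result means the optional reduction step took effect.
SELECT c.relname,
       has_table_privilege('pvault', c.oid, 'TRIGGER')  AS can_trigger,
       has_table_privilege('pvault', c.oid, 'TRUNCATE') AS can_truncate
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')              -- ordinary and partitioned tables
  AND (has_table_privilege('pvault', c.oid, 'TRIGGER')
       OR has_table_privilege('pvault', c.oid, 'TRUNCATE'));
-- expected: no rows

-- 3. Tables in the public schema on which pvault is missing any privilege it needs.
--    Each privilege is checked separately because a comma-separated list passed to
--    has_table_privilege() returns true if ANY listed privilege is held.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND NOT (has_table_privilege('pvault', c.oid, 'SELECT')
           AND has_table_privilege('pvault', c.oid, 'INSERT')
           AND has_table_privilege('pvault', c.oid, 'UPDATE')
           AND has_table_privilege('pvault', c.oid, 'DELETE'));
-- expected: no rows
```

Query 2 and 3 only inspect tables that already exist; tables created afterwards are governed by the ALTER DEFAULT PRIVILEGES statements, so re-run the queries after Vault's schema migrations.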