Datasources
Last modified on September 17, 2024
A Datasource is a combination of a specific database and the credentials to access it.
When a Role is assigned a Datasource, that entity inherits the permissions associated with the credential in that Datasource.
In cases where multiple credentials are desirable for a given host address, the Datasource can be cloned, with an alternate credential provided. This can allow different StrongDM users to connect to the same resource, but with different sets of credentials that allow them differing levels of access.
Example: Alice wishes to grant read-only access to a Microsoft SQL Server instance previously set up in StrongDM with read-write access. Alice creates a new database user, `sdm-ro`, on the SQL Server instance. She then clones the existing Datasource entry, and replaces the read-write credentials with the `sdm-ro` username and password.
This article provides general information about how to add any type of Datasource in the Admin UI. Please also see the specific resource page for configuration properties and information unique to the resource type you are adding.
Prerequisites
It is a relatively simple process to add a Datasource if you have met all of the relevant prerequisites.
You must have a properly configured account (i.e., have a username and password) on the Datasource you intend to add. If you choose to store credentials for the Datasource with StrongDM, you must have those credentials handy. If not, you must have a Secret Store integration set up and be able to enter the location of the secrets required to access the Datasource.
The hostname or endpoint you enter for your Datasource must be accessible by at least one gateway or relay. To verify this, log in to the Gateway or Relay, and use Netcat: `nc -zv <YOUR_HOSTNAME> <YOUR_PORT>` (in this example, `nc -zv testdb-01.fancy.org 3306`). If your Gateway server can connect to this hostname, proceed.
How to Add a Datasource
- Log in to the Admin UI.
- From the left-hand navigation, select Resources and then Datasources.
- In the upper right-hand section of the screen, click add datasource to open the configuration dialog.
- Use this dialog to configure how your Gateways or Relays will connect to the Datasource. Set the basic properties, along with any other properties specific to your selected Datasource or to your selected Secret Store type.
- Click create.
Basic Datasource properties
Basic Datasource properties are the properties common to most Datasource types. This table provides information on what to enter for each property.
Property | Description | Requirement |
---|---|---|
Database | Enter the name of the database you’ll be connecting to with this Datasource. | Required |
Datasource Type | Select the type of Datasource from the list of available types. | Required |
Display Name | Enter a meaningful name for the Datasource. This name displays throughout StrongDM. Do not include special characters like quotes (") or angle brackets (< or >). | Required |
Hostname | Enter the hostname. | Required |
Override Database | By default, for PostgreSQL and its derivative database management systems (DBMS), such as Greenplum, StrongDM will limit all connections to the configured database. If you would like to change that, uncheck the Override Database option. | Optional |
Port | When you select the Datasource type, the Port field is automatically filled with that Resource’s default port for connectivity. If you know that your Resource is set to connect on a different port, enter that port in this field. | Required |
Bind Interface | Bind Interface is the IP address to which the port override of this resource is bound. The IP address value is automatically generated in the 127.0.0.1 to 127.255.255.254 IP address range after the resource is created. The default is 127.0.0.1. You can modify this value with your preferred bind interface value later under Settings > Port Overrides. | Read only |
Port Override | This field provides an organization-wide standard port for Users to connect to this Datasource via their client. In most organizations, this field automatically populates. You can optionally overwrite it with your own preferred port. | Read only |
Resource Tags | Assign tags to the Datasource by entering key-value pairs in the format `<KEY>=<VALUE>` (e.g., `env=dev`). | Optional |
Secret Store | This field lets you specify where the credentials for this resource are stored. The default Secret Store type is Strong Vault. | Required if Secret Store integration is configured |
Secret Store properties
If Secret Store integration is configured for your organization, the dialog displays StrongDM as the default Secret Store type and displays the properties that are associated with it.
Selecting any other Secret Store type causes properties unique to that Secret Store to appear, such as Username (path), Password (path), and so forth. In general, for such path properties, you should enter the path to the secret that the Relay will use to connect to the database (e.g., `path/to/credential?key=optionalKeyName`). The key argument is optional.
For more detailed information about entering the path to the secrets you’ve stored in a particular secret store, see the Secret Store integration configuration guide for the one you are using.
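The property rules in the table and the secret path format above can be checked before a definition is entered in the dialog. This is an added example, not StrongDM code: the record keys (`display_name`, `username_path`, `bind_interface`, and so on) are hypothetical, and the 1 to 65535 port range and the single-`key`-argument rule are assumptions layered on what this page states.

```python
import ipaddress
from urllib.parse import parse_qs

FORBIDDEN_NAME_CHARS = set('"<>')  # characters the Display Name row warns about
REQUIRED = ("display_name", "database", "hostname")
BIND_LOW, BIND_HIGH = map(ipaddress.IPv4Address, ("127.0.0.1", "127.255.255.254"))

def parse_secret_path(value):
    """Split 'path/to/credential?key=name' into (path, key); key may be None."""
    path, sep, query = value.partition("?")
    if not path or path != path.strip():
        raise ValueError("path is empty or padded with whitespace")
    if not sep:
        return path, None
    params = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    if set(params) != {"key"} or len(params["key"]) != 1 or not params["key"][0]:
        raise ValueError("expected exactly one non-empty key=<name> argument")
    return path, params["key"][0]

def parse_tags(pairs):
    """Turn ['env=dev', ...] into a dict, rejecting malformed or repeated keys."""
    tags = {}
    for pair in pairs:
        key, sep, val = (part.strip() for part in pair.partition("="))
        if not sep or not key or not val or key in tags:
            raise ValueError(f"{pair!r} is not a unique <KEY>=<VALUE> pair")
        tags[key] = val
    return tags

def check_datasource(ds):
    """Return a list of problems in a draft Datasource record (hypothetical keys)."""
    problems = [f"{f}: required" for f in REQUIRED if not ds.get(f)]
    if FORBIDDEN_NAME_CHARS & set(ds.get("display_name", "")):
        problems.append("display_name: contains a quote or angle bracket")
    if ds.get("port") not in range(1, 65536):  # assumed valid TCP port range
        problems.append("port: must be an integer from 1 to 65535")
    checks = [("tags", parse_tags, ds.get("tags", []))]
    checks += [(f, parse_secret_path, ds[f])
               for f in ("username_path", "password_path") if f in ds]
    checks.append(("bind_interface", ipaddress.IPv4Address,
                   ds.get("bind_interface", "127.0.0.1")))
    for field, parser, raw in checks:
        try:
            parsed = parser(raw)
            if field == "bind_interface" and not BIND_LOW <= parsed <= BIND_HIGH:
                raise ValueError("outside 127.0.0.1 to 127.255.255.254")
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
    return problems
```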
View Datasource Status
After the Datasource has been created, the Admin UI updates and shows the new Datasource with a yellow icon while it runs initial healthchecks.
Eventually, you should see the icon turn gray and then green, which means it’s ready.
If it does not turn green, check the Diagnostics tab for errors.
To create multiple Datasources, repeat this process for each Datasource.
You can find resources and information about the following StrongDM topics in this section:
- Amazon DocumentDB
- Amazon Elasticsearch
- Amazon MQ
- Amazon Neptune
- Athena
- Aurora MySQL
- Aurora PostgreSQL
- Aurora PostgreSQL (IAM)
- Azure MySQL
- Azure PostgreSQL
- Azure PostgreSQL (Managed Identity)
- BigQuery
- Cassandra
- Citus
- Clustrix
- CockroachDB
- Couchbase
- Db2 LUW
- Db2i
- Druid
- DynamoDB
- ElastiCache Redis
- Elasticsearch
- Greenplum
- Maria
- Memcached
- MemSQL
- Microsoft SQL Server
- Microsoft SQL Server (Azure AD)
- Microsoft SQL Server (Kerberos)
- MongoDB (Replica Set)
- MongoDB (Sharded Cluster)
- MongoDB (Single Host)
- MySQL
- Oracle
- PostgreSQL
- Presto
- RabbitMQ
- RDS PostgreSQL (IAM)
- Redis
- Redshift
- SingleStore
- Snowflake
- Sybase ASE
- Sybase IQ
- Teradata