Version: v4.18

Database accounts

To give users access to a repository, you will map SSO users and SSO groups to database accounts that you've registered with Cyral.

A database account is a user account on your repository, DBaaS, or DBMS. When an SSO user attempts to connect to your repository through the Cyral sidecar, Cyral relies on that SSO user's mapped database account to authenticate with the underlying repository, such as a PostgreSQL database.

To register a database account in Cyral, follow the steps below. Later you will map each database account to the SSO users who will use it.

Register a database account

Prerequisite

Each database account must have its credentials stored as a secret in your secrets manager. See the tabs below for help storing secrets.

The credentials secret for a database account must contain:

  • the username — the database user account name as stored in the repository system, like a PostgreSQL username, for example. Don't worry about the SSO user or group names now; you'll map those later in the Cyral UI.
  • the password — the database user's password used for direct authentication to the repository system

Procedure

  1. In the Cyral control plane UI, click Data Repos in the left navigation bar, click the name of your repository, and click the Access Rules tab.

  2. Click Register Database Account

  3. In the Database Account Username field, enter the name of the database account (for example, a PostgreSQL username) that will be used to connect. Click Next.

  4. Click the button that corresponds to your secrets storage type and click Next. For instructions, see the tab for your secrets manager below:

AWS Secrets Manager

If you already have the ARN of your database credentials secret, paste it into the ARN field and click Create.

If you need to create a credentials secret, follow the instructions below.

Store the local account credentials as a JSON blob in AWS Secrets Manager. The secret's name must start with the prefix /cyral/dbsecrets/, which will become part of its ARN.

The JSON blob must follow one of the formats shown below. Cyral supports:

  • a single set of credentials (username/password) for one database, or
  • a list of credentials for multiple databases, with each set of credentials identified by the database it applies to

For a single database account, store the local account credentials in the JSON format shown below.

{
  "username": "someuser",
  "password": "somepassword",
  "databaseName": "db1"
}

Note that databaseName is only meant to be used when configuring credentials for MongoDB data repositories, where it names the authentication database (the database against which the user authenticates).

For credentials covering multiple databases, store the local account credentials in the following JSON format:

[
  {
    "username": "someuser",
    "password": "somepassword",
    "databaseName": "db1"
  },
  {
    "username": "someuser",
    "password": "anotherpassword",
    "databaseName": "db2"
  }
]

See the AWS Secrets Manager tutorial for help storing secrets.

Note: sidecars require sufficient AWS IAM permissions to read any AWS Secrets Manager database account secrets. For example, if the sidecar runs on an EC2 instance, the instance profile must grant the permissions needed to read the secret in Secrets Manager. For more information, see the AWS Secrets Manager access control overview.
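The following is an added example, not Cyral's own code, that ties the two AWS-specific requirements above together: it checks a credentials blob against the single-object and list formats shown earlier, builds a secret name under the required /cyral/dbsecrets/ prefix, produces the `aws secretsmanager create-secret` command that would store it, and emits an IAM policy for the sidecar's role that is scoped to that prefix rather than to all secrets. The account label pg-app-reader, the region and account ID, and the function names are hypothetical. Two points are assumptions rather than statements from the page: the validator requires a unique databaseName per entry in the list form (the page only says each set is identified per database), and the policy grants only secretsmanager:GetSecretValue, which is the minimum needed to read a secret value; the page does not list the exact action set the sidecar calls.

```python
# Added example (not Cyral's code): validate a credentials blob and prepare the
# AWS Secrets Manager secret and sidecar IAM policy. Assumptions are marked.
import json
import re
from typing import Any, Dict, List, Optional

SECRET_PREFIX = "/cyral/dbsecrets/"   # required name prefix, from the page
ALLOWED_KEYS = {"username", "password", "databaseName"}

# Constructed sample inputs matching the two formats on the page.
SAMPLE_SINGLE = json.dumps({"username": "someuser", "password": "somepassword"})
SAMPLE_LIST = json.dumps([
    {"username": "someuser", "password": "somepassword", "databaseName": "db1"},
    {"username": "someuser", "password": "anotherpassword", "databaseName": "db2"},
])


class SecretFormatError(ValueError):
    """The blob matches neither the single-object nor the list format."""


def _check_entry(entry: Any, where: str) -> None:
    """One credential object: username/password required, databaseName optional."""
    if not isinstance(entry, dict):
        raise SecretFormatError(f"{where}: expected a JSON object")
    for key in ("username", "password"):
        if not isinstance(entry.get(key), str) or not entry[key]:
            raise SecretFormatError(f"{where}: '{key}' must be a non-empty string")
    if "databaseName" in entry and not isinstance(entry["databaseName"], str):
        raise SecretFormatError(f"{where}: 'databaseName' must be a string")
    extra = set(entry) - ALLOWED_KEYS
    if extra:  # catch key typos such as "userName" before the sidecar sees them
        raise SecretFormatError(f"{where}: unexpected keys {sorted(extra)}")


def validate_secret_string(secret_string: str) -> str:
    """Return "single" or "list" for a valid blob; raise SecretFormatError otherwise."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise SecretFormatError(f"not valid JSON: {exc}") from exc
    if isinstance(data, dict):
        _check_entry(data, "object")
        return "single"
    if not isinstance(data, list) or not data:
        raise SecretFormatError("top level must be an object or a non-empty array")
    names: List[str] = []
    for i, entry in enumerate(data):
        _check_entry(entry, f"entry {i}")
        # Assumption (stricter than the page): in list form each entry is
        # identified by its databaseName, so require it and require uniqueness.
        if not entry.get("databaseName"):
            raise SecretFormatError(f"entry {i}: list form requires 'databaseName'")
        names.append(entry["databaseName"])
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        raise SecretFormatError(f"duplicate databaseName values: {dupes}")
    return "list"


def is_valid_secret_string(secret_string: str) -> bool:
    try:
        validate_secret_string(secret_string)
        return True
    except SecretFormatError:
        return False


def secret_name(label: str) -> str:
    """Secret name under the required prefix; names allow ASCII letters, digits and /_+=.@-"""
    if not re.fullmatch(r"[A-Za-z0-9/_+=.@-]+", label):
        raise ValueError("label contains characters Secrets Manager does not allow")
    return SECRET_PREFIX + label


def create_secret_command(name: str, secret_string: str) -> List[str]:
    """argv for `aws secretsmanager create-secret`, after validating both inputs."""
    if not name.startswith(SECRET_PREFIX):
        raise ValueError(f"secret name must start with {SECRET_PREFIX}")
    validate_secret_string(secret_string)
    return ["aws", "secretsmanager", "create-secret",
            "--name", name, "--secret-string", secret_string]


def sidecar_read_policy(region: str, account_id: str,
                        kms_key_arn: Optional[str] = None) -> Dict[str, Any]:
    """IAM policy for the sidecar's role or instance profile, scoped to the prefix.

    Assumption: GetSecretValue is the minimum needed to read the value. The trailing
    '*' is required because Secrets Manager appends a random suffix to every secret
    ARN. kms:Decrypt is only needed when a customer-managed KMS key encrypts the secret.
    """
    statements: List[Dict[str, Any]] = [{
        "Sid": "ReadCyralDbSecrets",
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": f"arn:aws:secretsmanager:{region}:{account_id}:secret:{SECRET_PREFIX}*",
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptSecretsWithCmk",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": kms_key_arn,
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}
```

When running the generated command for real, pass the blob as `--secret-string file://creds.json` rather than inline so the password does not land in shell history or process listings, and attach the policy to the sidecar's instance profile (EC2) or task/pod role rather than to a user.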

Next step

Now that you've saved your database account, you can map it to the SSO users who will use it. To do this, make sure your database account name is selected in the Database Accounts list of the Access Rules tab, and click Add Rule. For instructions, see the next section, Access rules for users and groups.