Book a demo

PostgreSQL Connection

Public preview: This feature is available to all accounts. Contact your Immuta representative for details.

The PostgreSQL connection registers data from PostgreSQL in Immuta and enforces subscription policies on that data. Immuta supports the following deployment methods:

  • Amazon Aurora with PostgreSQL

  • Amazon RDS with PostgreSQL

  • Crunchy Data

  • Neon

  • PostgreSQL

The sequence diagram below outlines the events that occur when an Immuta user who is subscribed to a data source queries that data in PostgreSQL.

What does Immuta do in my environment?

Registering a connection

PostgreSQL is configured and data is registered through connections, an Immuta feature that allows you to register your data objects through a single connection to make data registration more scalable for your organization. Instead of registering schema and databases individually, you can register them all at once and allow Immuta to monitor your data platform for changes so that data sources are added and removed automatically to reflect the state of data in your data platform.

During connection registration, you provide Immuta credentials with the privileges outlined on the Register a PostgreSQL connection page. When the connection is registered, Immuta ingests and stores connection metadata in the Immuta metadata database.

In the example below, the Immuta application administrator connects the database that contains marketing-data , research-data , and cs-data tables. Immuta these tables as data sources and stores the table metadata in the Immuta metadata database.

Immuta presents a hierarchical view of your data that reflects the hierarchy of objects in PostgreSQL after registration is complete:

  • Host

  • Database

  • Schema

  • Table

Beyond making the registration of your data more intuitive, connections provides more control. Instead of performing operations on individual schemas or tables, you can perform operations (such as object sync) at the connection level.

See the Connections reference guide for details about connections and how to manage them. To configure your PostgreSQL connection, see the Register a PostgreSQL connection guide.

Applying policies

Immuta enforces read and write subscription policies on PostgreSQL tables by issuing SQL statements in PostgreSQL that grant and revoke access to tables according to the policy.

When a user is subscribed to a table registered in Immuta,

  1. Immuta creates a role for that user in PostgreSQL, if one doesn't already exist.

  2. PostgreSQL stores that role in its internal system catalog.

  3. Immuta issues grants to that user's role in PostgreSQL to enforce policy. The Protecting data page provides an example of this policy enforcement.

See the Subscription policy access types page for details about the PostgreSQL privileges granted to users when they are subscribed to a data source protected by a subscription policy.

PostgreSQL privileges

The privileges that the PostgreSQL connection requires align to the least privilege security principle. The table below describes each privilege required by the user. For a list of privileges required for the setup user registering the connection, see the Register a PostgreSQL connection guide.

PostgreSQL privilege
User requiring the privilege
Explanation

CONNECT on the database Immuta will protect

Immuta system account

This privilege allows Immuta to connect to the PostgreSQL database that contains the tables Immuta will protect.

USAGE on the schema Immuta will protect

Immuta system account

This privilege allows the Immuta system account to access schemas that contain tables it will protect.

CREATEROLE

Immuta system account

Because PostgreSQL privileges are granted to roles, this privilege is required so that Immuta can create PostgreSQL roles and manage role membership to enforce access controls.

The following privileges with GRANT OPTION on tables registered in Immuta:

  • SELECT

  • INSERT

  • UPDATE

  • TRUNCATE

  • DELETE

  • ALTER TABLE

Immuta system account

These privileges allow Immuta to apply read and write subscription policies on tables registered in Immuta. The ALTER TABLE privilege allows Immuta to enforce row-level policies, which will be available in a subsequent release.

Maintaining state with PostgreSQL

The following user actions spur various processes in the PostgreSQL connection so that Immuta data remains synchronous with data in PostgreSQL:

  • Data source created: Immuta registers data source metadata and stores that metadata in the Immuta metadata database.

  • Data source deleted: Immuta deletes the data source metadata from the metadata database and removes subscription policies from that table.

  • User account is mapped to Immuta: When a user account is mapped to Immuta, their metadata is stored in the metadata database.

  • User subscribed to a data source: When a user is added to a data source by a data owner or through a subscription policy, Immuta creates a role for that user (if a role for them does not already exist) and grants PostgreSQL privileges to their role.

  • Automatic subscription policy applied to or updated on a data source: Immuta calculates the users and data sources affected by the policy change and grants or revokes users' privileges on the PostgreSQL table. See the Protecting data page for details about this process.

  • Subscription policy deleted: Immuta revokes privileges from the affected roles.

  • User removed from a data source: Immuta revokes privileges from the user's role.

Supported object types

The supported object types for PostgreSQL are listed below.

  • Tables

When applying read and write access policies to these data sources, the privileges granted by Immuta may vary depending on the object type. See an outline of privileges granted by Immuta on the Subscription policy access types page.

Supported policies

The PostgreSQL connection allows users to author subscription policies to enforce access controls. Data policies are unsupported.

See the applying policies section for details about policy enforcement.

Security and compliance

Authentication methods

The PostgreSQL connection supports the following authentication methods to register a connection:

  • Amazon Aurora and Amazon RDS deployments

    • Access using AWS IAM role (recommended): Immuta will assume this IAM role from Immuta's AWS account when interacting with the AWS API to perform any operations in your AWS account. This option allows you to provide Immuta with an IAM role from your AWS account that is granted a trust relationship with Immuta's IAM role.

    • Access using access key and secret access key: These credentials are used temporarily by Immuta to register the connection. The access key ID and secret access key provided must be for an AWS account with the permissions listed in the Register a PostgreSQL connection guide.

  • Neon and PostgreSQL deployments

    • Username and password: These credentials are used temporarily by Immuta to register the connection. The credentials provided must be for an account with the permissions listed in the Register a PostgreSQL connection guide.

User registration and ID mapping

The built-in Immuta IAM can be used as a complete solution for authentication and user entitlement. However, you can connect your existing identity management provider to Immuta to use that system for authentication and user entitlement instead. Each of the supported IAM protocols includes a set of configuration options that enable Immuta to communicate with the IAM system and map the users, permissions, groups, and attributes into Immuta.

For policies to impact the right users, the user account in Immuta must be mapped to the user account in PostgreSQL or AWS. You can ensure these accounts are mapped correctly in the following ways:

  • Automatically: If usernames in PostgreSQL or AWS align with usernames in the external IAM and those accounts align with an IAM attribute, you can enter that IAM attribute on the app settings page to automatically map user IDs in Immuta to PostgreSQL.

  • Manually: You can manually map user IDs for individual users.

For guidance on connecting your IAM to Immuta, see the how-to guide for your protocol.

User provisioning for Amazon Aurora or Amazon RDS with PostgreSQL

Access can be managed in AWS using IAM users, roles, or Identity Center (IDC). Immuta supports all three methods for user provisioning in the Amazon Aurora or Amazon RDS with PostgreSQL deployments.

However, if you manage access in AWS through IAM roles instead of users, user provisioning in Immuta must be done using IAM role principals. This means that if users share IAM roles, you could end up in a situation where you over-provision access to everyone in the IAM role.

See the guidelines below for the best practices to avoid this behavior if you currently use IAM roles to manage access.

  1. Enable AWS IAM Identity Center (IDC) (recommended): IDC is the best approach for user provisioning because it treats users as users, not users as roles. Consequently, access controls are enforced for the querying user, nothing more. This approach eliminates over-provisioning and permits granular access control. Furthermore, IDC uses trusted identity propagation, meaning AWS propagates a user's identity wherever that user may operate within the AWS ecosystem. As a result, a user's identity always remains known and consistent as they navigate across AWS services, which is a key requirement for organizations to properly govern that user. Enabling IDC does not impact any existing access controls; it is additive. Immuta will manage the GRANTs for you using IDC if it is enabled and configured in Immuta. See the map users section for instructions on mapping users from AWS IDC to user accounts in Immuta.

  2. Create an IAM role per user: If you do not have IDC enabled, create an IAM role per user that is unique to that user and assign that IAM role to each corresponding user in Immuta. Ensure that the IAM role cannot be shared with other users. This approach can be a challenge because there is an IAM role max limit of 5,000 per AWS account.

  3. Request on behalf of IAM roles (not recommended): Create users in Immuta that map to each of your existing IAM roles. Then, when users request access to data, they request on behalf of the IAM role user rather than themselves. This approach is not recommended because everyone in that role will gain access to data when granted access through a policy, and adding future users to that role will also grant access. Furthermore, it requires policy authors and approvers to understand what role should have access to what data.

Mapping IAM principals in Immuta

Names are case-sensitive

The IAM role name and IAM user name are case-sensitive. See the AWS documentation for details.

Immuta supports mapping an Immuta user to AWS in one of the following ways:

  • AWS IAM Identity Center user IDs

  • IAM role principals: Only a single Immuta user can be mapped to an IAM role. This restriction prohibits enforcing policies on AWS users who could assume that role. Therefore, if using role principals, create a new user in Immuta that represents the role so that the role then has the permissions applied specifically to it.

  • IAM user principals

See the map users section for instructions on mapping principals to user accounts in Immuta.

Limitations and known issues

The following Immuta features are unsupported:

  • Identification

  • Tag ingestion

  • Query audit

PreviousReference GuidesNextSecurity and Compliance

Last updated

Was this helpful?