Connecting to PostgreSQL with Kerberos authentication
You can connect to PostgreSQL with Kerberos authentication with the pgAdmin interface or with a command-line interface such as psql. For more information about connecting, see Connecting to a DB instance running the PostgreSQL database engine . For information about obtaining the endpoint, port number, and other details needed for connection, see Connect to a PostgreSQL DB instance.
Note
GSSAPI authentication and encryption in PostgreSQL are implemented by the Kerberos
library libkrb5.so. Features such as postgres_fdw and
dblink also rely on this same library for outbound connections with
Kerberos authentication or encryption.
To use pgAdmin to connect to PostgreSQL with Kerberos authentication, take the following steps:
-
Launch the pgAdmin application on your client computer.
-
On the Dashboard tab, choose Add New Server.
-
In the Create - Server dialog box, enter a name on the General tab to identify the server in pgAdmin.
-
On the Connection tab, enter the following information from your RDS for PostgreSQL database.
-
For Host, enter the endpoint for the RDS for PostgreSQL DB instance. An endpoint looks similar to the following:
RDS-DB-instance.111122223333.aws-region.rds.amazonaws.comTo connect to an on-premises Microsoft Active Directory from a Windows client, you use the domain name of the Amazon Managed Active Directory instead of
rds.amazonaws.comin the host endpoint. For example, suppose that the domain name for the Amazon Managed Active Directory iscorp.example.com. Then for Host, the endpoint would be specified as follows:RDS-DB-instance.111122223333.aws-region.corp.example.com -
For Port, enter the assigned port.
-
For Maintenance database, enter the name of the initial database to which the client will connect.
-
For Username, enter the user name that you entered for Kerberos authentication in Step 7: Create PostgreSQL users for your Kerberos principals .
-
-
Choose Save.
To use psql to connect to PostgreSQL with Kerberos authentication, take the following steps:
-
At a command prompt, run the following command.
kinitusernameReplace
username -
If the PostgreSQL DB instance is using a publicly accessible VPC, put IP address for your DB instance endpoint in your
/etc/hostsfile on the EC2 client. For example, the following commands obtain the IP address and then put it in the/etc/hostsfile.% dig +shortPostgreSQL-endpoint.Amazon-Region.rds.amazonaws.com ;; Truncated, retrying in TCP mode. ec2-34-210-197-118.Amazon-Region.compute.amazonaws.com. 34.210.197.118 % echo " 34.210.197.118PostgreSQL-endpoint.Amazon-Region.rds.amazonaws.com" >> /etc/hostsIf you're using an on-premises Microsoft Active Directory from a Windows client, then you need to connect using a specialized endpoint. Instead of using the Amazon domain
rds.amazonaws.comin the host endpoint, use the domain name of the Amazon Managed Active Directory.For example, suppose that the domain name for your Amazon Managed Active Directory is
corp.example.com. Then use the formatPostgreSQL-endpoint.Amazon-Region.corp.example.com/etc/hostsfile.% echo " 34.210.197.118PostgreSQL-endpoint.Amazon-Region.corp.example.com" >> /etc/hosts -
Use the following psql command to log in to a PostgreSQL DB instance that is integrated with Active Directory.
psql -Uusername@CORP.EXAMPLE.COM-p 5432 -hPostgreSQL-endpoint.Amazon-Region.rds.amazonaws.com postgresTo log in to the PostgreSQL DB cluster from a Windows client using an on-premises Active Directory, use the following psql command with the domain name from the previous step (
corp.example.com):psql -Uusername@CORP.EXAMPLE.COM-p 5432 -hPostgreSQL-endpoint.Amazon-Region.corp.example.com postgres