
yungwarlock, last Monday at 1:24 AM

I'm working on a tool in golang to handle requesting access to private and sensitive databases in Postgres. The goal is to help orgs reduce handing out long-lived Postgres creds with broad permissions.

The flow is: you declare the databases and tables you want to access and the specific permissions you want, an operator reviews it, and if accepted, it generates a temporary Postgres user with the permissions you need. Also, all the connections to the database are proxied through the app, so the domain name and port are random and short-lived, and you don't expose internal database hosts. As an extra, all SQL statements during the user sessions are logged if you want to see that.

It's available at https://github.com/yungwarlock/pam_postgres

My primary goal with this is to drill myself as a product engineer working on a technical product.
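The grant step in the flow described in the post above (a temporary Postgres role limited to the approved tables and privileges), sketched in Go as an added example. It is not code from pam_postgres; the `Grant` type, `TempRoleSQL`, the privilege allowlist and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Grant is one approved table permission (hypothetical type for this example).
type Grant struct {
	Schema, Table string
	Privileges    []string
}

// Only these table privileges may be requested; anything else is rejected.
var allowed = map[string]bool{"SELECT": true, "INSERT": true, "UPDATE": true, "DELETE": true}

// ident and literal quote for Postgres (literal assumes standard_conforming_strings = on).
func ident(s string) string   { return `"` + strings.ReplaceAll(s, `"`, `""`) + `"` }
func literal(s string) string { return "'" + strings.ReplaceAll(s, "'", "''") + "'" }

// TempRoleSQL builds statements for a login role that holds only the approved grants.
func TempRoleSQL(role, password string, expires time.Time, grants []Grant) ([]string, error) {
	stmts := []string{fmt.Sprintf("CREATE ROLE %s LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT PASSWORD %s VALID UNTIL %s",
		ident(role), literal(password), literal(expires.UTC().Format(time.RFC3339)))}
	schemas := map[string]bool{}
	for _, g := range grants {
		var privs []string
		for _, p := range g.Privileges {
			if p = strings.ToUpper(p); !allowed[p] {
				return nil, fmt.Errorf("privilege %q is not allowed", p)
			}
			privs = append(privs, p)
		}
		if len(privs) == 0 {
			return nil, fmt.Errorf("no privileges requested for %s.%s", g.Schema, g.Table)
		}
		if !schemas[g.Schema] { // the role needs USAGE on a schema to reach its tables
			schemas[g.Schema] = true
			stmts = append(stmts, "GRANT USAGE ON SCHEMA "+ident(g.Schema)+" TO "+ident(role))
		}
		stmts = append(stmts, fmt.Sprintf("GRANT %s ON TABLE %s.%s TO %s",
			strings.Join(privs, ", "), ident(g.Schema), ident(g.Table), ident(role)))
	}
	return stmts, nil
}

func main() { // constructed sample request, valid for one hour
	s, err := TempRoleSQL("tmp_alice", "constructed-pw", time.Now().Add(time.Hour), []Grant{{"public", "orders", []string{"select"}}})
	fmt.Println(strings.Join(s, ";\n"), err)
}
```

`VALID UNTIL` only blocks new password logins after the expiry; sessions that are already open keep running, so expiry still needs the role dropped and its connections closed.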


Replies

st3fan, last Monday at 1:28 AM

I just put something similar together but then on top of OpenBao which generates temporary credentials/roles for Postgres. I created a website where people can request access and a specific group of people can approve the request. After being approved, the database users can request temporary credentials in OpenBao for a specific number of hours.
