Datasources
Last modified on July 30, 2025
A datasource is a combination of a specific database and the credentials to access it.
When a role is assigned a datasource, that entity inherits the permissions associated with the credential in that datasource.
In cases where multiple credentials are desirable for a given host address, the datasource can be cloned, with an alternate credential provided. This can allow different StrongDM users to connect to the same resource, but with different sets of credentials that allow them differing levels of access.
Example: Alice wishes to grant read-only access to a Microsoft SQL Server instance previously set up in StrongDM with read-write access. Alice creates a new database user, sdm-ro, on the SQL Server instance. She then clones the existing datasource entry, and replaces the read-write credentials with the sdm-ro username and password.
This article provides general information about how to add any type of datasource in the Admin UI. Please also see the specific resource page for configuration properties and information unique to the resource type you are adding.
Prerequisites
It is a relatively simple process to add a datasource if you have met all of the relevant prerequisites.
You must have a properly configured account (that is, have a username and password) on the datasource you intend to add. If you choose to store credentials for the datasource with StrongDM, you must have those credentials handy. If not, you must have a Secret Store integration set up and be able to enter the location of the secrets required to access the datasource.
The hostname or endpoint you enter for your datasource must be accessible by at least one gateway or relay. To verify this, log in to the Gateway or Relay, and use Netcat: nc -zv <YOUR_HOSTNAME> <YOUR_PORT> (in this example, nc -zv testdb-01.fancy.org 3306). If your Gateway server can connect to this hostname, proceed.
How to Add a Datasource
- Log in to the StrongDM Admin UI.
- Go to Resources > Datasources.
- Click Add datasource.
- Select the Datasource Type and set other configuration properties for your new database resource.
- Complete all required fields.
- Click Create to save the resource.
- Click the resource name to view status, diagnostic information, and setting details.
Basic datasource properties
Basic datasource properties are the properties common to most datasource types. This table provides information about such properties.
| Property | Description | Requirement |
|---|---|---|
| Database | Required | Database name you would like to connect to using this datasource |
| Datasource Type | Required | Select the type of datasource from the list of available types |
| Display Name | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) |
| Proxy Cluster | Required | Defaults to “None (use gateways)”; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource |
| Hostname | Required | Hostname for your database resource; must be accessible to a gateway or relay |
| Restrict Database | Optional | When selected, limits all connections to the configured database |
| Port | Required | Port to use when connecting to your database |
| Connectivity Mode | Required | Select either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode is enabled for your organization |
| IP Address | Optional | If Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization |
| Port Override | Optional | If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings |
| DNS | Optional | If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource’s human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432) |
| Resource Tags | Optional | Datasource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev) |
| Secret Store | Optional | Credential store location; defaults to Strong Vault; defaults to Strong Vault; learn more about Secret Store options |
Secret Store options
By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.
Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings > Secrets Management. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.
Resource status
After a resource is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the Health icon indicates a positive, green status.
When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.
You can find resources and information about the following StrongDM topics in this section:
- Aerospike
- Amazon Elasticsearch
- Amazon Elasticsearch (IAM)
- Amazon MQ (AMQP 0.9.1)
- Amazon MQ AMQP
- Amazon Neptune
- Athena
- Athena (IAM)
- Aurora MySQL
- Aurora MySQL (IAM)
- Aurora PostgreSQL
- Aurora PostgreSQL (IAM)
- Azure MySQL
- Azure MySQL (Managed Identity)
- Azure PostgreSQL
- Azure PostgreSQL (Managed Identity)
- BigQuery
- Cassandra
- Citus
- ClickHouse
- Clustrix
- CockroachDB
- Couchbase
- Db2 LUW
- Db2i
- DocumentDB (Replica Set)
- DocumentDB (single host IAM)
- DocumentDB (Single Host)
- Druid
- DynamoDB
- DynamoDB (IAM)
- ElastiCache Redis
- Elasticsearch
- Greenplum
- Maria
- Memcached
- MemSQL
- Microsoft SQL Server
- Microsoft SQL Server (Azure AD)
- Microsoft SQL Server (Kerberos)
- MongoDB (Replica Set)
- MongoDB (Sharded Cluster)
- MongoDB (Single Host)
- MySQL
- Oracle
- PostgreSQL
- Presto
- RabbitMQ
- RDS PostgreSQL (IAM)
- Redis
- Redis Cluster
- Redshift
- Redshift (IAM)
- Redshift Serverless (IAM)
- SingleStore
- Snowflake
- Sybase ASE
- Sybase IQ
- Teradata
- Trino
- Vertica