Last modified on October 4, 2023
A Datasource is a combination of a specific database and the credentials to access it.
When a Role is assigned a Datasource, that entity inherits the permissions associated with the credential in that Datasource.
In cases where multiple credentials are desirable for a given host address, the Datasource can be cloned, with an alternate credential provided. This can allow different StrongDM users to connect to the same resource, but with different sets of credentials that allow them differing levels of access.
Example: Alice wishes to grant read-only access to a Microsoft SQL Server instance previously set up in StrongDM with read-write access. Alice creates a new database user,
sdm-ro, on the SQL Server instance. She then clones the existing Datasource entry, and replaces the read-write credentials with the
sdm-ro username and password.
This article provides general information about how to add any type of Datasource in the Admin UI. Please also see the specific resource page for configuration properties and information unique to the resource type you are adding.
It is a relatively simple process to add a Datasource if you have met all of the relevant prerequisites.
You must have a properly configured account (i.e., have a username and password) on the Datasource you intend to add. If you choose to store credentials for the Datasource with StrongDM, you must have those credentials handy. If not, you must have a Secret Store integration set up and be able to enter the location of the secrets required to access the Datasource.
The hostname or endpoint you enter for your Datasource must be accessible by at least one gateway or relay. To verify this, log in to the Gateway or Relay, and use Netcat:
nc -zv <YOUR_HOSTNAME> <YOUR_PORT> (in this example,
nc -zv testdb-01.fancy.org 3306). If your Gateway server can connect to this hostname, proceed.
How to Add a Datasource
- Log in to the Admin UI.
- From the left-hand navigation, select Infrastructure and then Datasources.
- In the upper right-hand section of the screen, click add datasource to pop a configuration dialog such as the one shown.
- Use this dialog to configure how your Gateways or Relays will connect to the Datasource. Set the basic properties, along with any other properties specific to your selected Datasource or to your selected Secret Store type.
- Click create.
Basic Datasource properties
Basic Datasource properties are the properties common to most Datasource types. This table provides information on what to enter for each property.
|Database||Enter the name of the database you’ll be connecting to with this Datasource.||Required|
|Datasource Type||Select the type of Datasource from the list of available types.||Required|
|Display Name||Enter a meaningful name for the Datasource. This name displays throughout StrongDM. Do not include special characters like quotes (") or angle brackets (< or >).||Required|
|Hostname||Enter the hostname.||Required|
|Override Database||By default, for PostgreSQL and its derivative database management systems (DBMS), such as Greenplum, StrongDM will limit all connections to the configured database. If you would like to change that, uncheck the Override Database option.||Optional|
|Port||When you select the Datasource type, the Port field is automatically filled with that Resource’s default port for connectivity. If you know that your Resource is set to connect on a different port, enter that port in this field.||Required|
|Bind Interface||Bind Interface is the IP address to which the port override of this resource is bound. The IP address value is automatically generated in the ||Read only|
|Port Override||This field provides an organization-wide standard port for Users to connect to this Datasource via their client. In most organizations, this field automatically populates. You can optionally overwrite it with your own preferred port.||Read only|
|Resource Tags||Assign tags to the Datasource by entering key-value pairs in the format ||Optional|
|Secret Store||This field lets you specify where the credentials for this resource are stored. The default Secret Store type is Strong Vault.||Required if Secret Store integration is configured|
Secret Store properties
If Secret Store integration is configured for your organization, the dialog displays StrongDM as the default Secret Store type and displays the properties that are associated with it.
Selecting any other Secret Store type causes properties unique to that Secret Store to appear, such as Username (path), Password (path), and so forth. In general, for such path properties, you should enter the path to the secret that the Relay will use to connect to the database (e.g.,
path/to/credential?key=optionalKeyName). The key argument is optional.
For more detailed information about entering the path to the secrets you’ve stored in a particular secret store, see the Secret Store integration configuration guide for the one you are using.
View Datasource Status
After the Datasource has been created, the Admin UI updates and shows the new Datasource with a yellow icon while it runs initial healthchecks.
Eventually, you should see the icon turn gray and then green, which means it’s ready.
If it does not turn green, check the Diagnostics tab for errors.
To create multiple Datasources, repeat this process for each Datasource.
You can find resources and information about the following StrongDM topics in this section:
- Amazon DocumentDB
- Amazon Elasticsearch
- Amazon MQ
- Amazon Neptune
- Aurora MySQL
- Aurora PostgreSQL
- Aurora PostgreSQL (IAM)
- Azure MySQL
- Azure PostgreSQL
- Azure PostgreSQL (Managed Identity)
- Db2 LUW
- ElastiCache Redis
- Microsoft SQL Server
- Microsoft SQL Server (Azure AD)
- Microsoft SQL Server (Kerberos)
- MongoDB (Replica Set)
- MongoDB (Single Host)
- RDS PostgreSQL (IAM)
- Sybase ASE
- Sybase IQ