Intermediate
60 minutes

Database Access Setup Guide

Set up secure access to PostgreSQL, MySQL, MongoDB, and more. Replace static database credentials with short-lived certificates and audit all database queries.

Overview

TigerAccess provides protocol-aware database proxies that eliminate the need for static database credentials:

  • Certificate Authentication: Users authenticate with short-lived certificates
  • Automatic User Provisioning: Database users created just-in-time
  • Query Auditing: All queries logged for compliance and security
  • RBAC Integration: Dynamic access based on user roles

Prerequisites

  • TigerAccess auth and proxy services running
  • Admin access to your database servers
  • Network connectivity from TigerAccess proxy to databases
  • Database admin credentials for initial setup

Supported Databases

TigerAccess supports 15+ database protocols:

SQL Databases

  • PostgreSQL
  • MySQL / MariaDB
  • Microsoft SQL Server
  • Oracle Database
  • CockroachDB
  • Snowflake

NoSQL Databases

  • MongoDB
  • Redis
  • Elasticsearch
  • Cassandra
  • DynamoDB
  • ClickHouse

PostgreSQL Setup

Configure PostgreSQL Server

Enable SSL and create an admin user for TigerAccess:

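-- Connect to PostgreSQL
psql -U postgres

-- Create TigerAccess admin user
-- 'secure_password' is a placeholder: substitute a long random secret. Setting it
-- afterwards with psql's \password keeps the cleartext out of history and logs.
CREATE USER tigeraccess_admin WITH PASSWORD 'secure_password';
GRANT CREATE ON DATABASE postgres TO tigeraccess_admin;
-- NOTE(review): these two predefined roles give read and write access to every
-- table in the cluster. Keep them only if the proxy's admin account needs that.
GRANT pg_read_all_data TO tigeraccess_admin;
GRANT pg_write_all_data TO tigeraccess_admin;

-- Configure SSL in postgresql.conf
ssl = on
ssl_cert_file = '/etc/postgresql/server.crt'
# The private key must not be group- or world-accessible.
ssl_key_file = '/etc/postgresql/server.key'

-- Update pg_hba.conf to require SSL
# Accept TLS connections only from the TigerAccess proxy address (placeholder
# below) rather than from 0.0.0.0/0, and use SCRAM instead of md5 so a legacy
# md5-hashed password is never accepted. pg_read_all_data above implies
# PostgreSQL 14+, where new passwords are stored as SCRAM by default.
# NOTE(review): confirm which auth method auto-provisioned users connect with.
hostssl all all <TIGERACCESS_PROXY_IP>/32 scram-sha-256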

Add Database to TigerAccess

# Register the PostgreSQL server with TigerAccess under the name postgres-prod.
# The admin password is embedded in --uri, so it is recorded in shell history and
# visible in the process list while the command runs; 'secure_password' is a
# placeholder for the real secret.
# NOTE(review): check whether tac can take the secret from a file, an environment
# variable or a prompt instead — TODO confirm against the CLI reference.
tac db add postgres-prod \
  --protocol=postgres \
  --uri=postgres://tigeraccess_admin:secure_password@db.example.com:5432/postgres \
  --labels=env=production,team=platform

Configure Auto User Provisioning

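# Create database configuration
# The heredoc delimiter is quoted so the shell passes the spec through verbatim:
# nothing in it (now or after later edits) is treated as a $variable or command
# substitution before tac reads it from stdin.
tac db configure postgres-prod --spec - <<'EOF'
kind: database
version: v3
metadata:
  name: postgres-prod
spec:
  protocol: postgres
  uri: postgres://db.example.com:5432/postgres
  admin_user:
    name: tigeraccess_admin
  auto_user_provisioning:
    enabled: true
    # Template for created database users
    db_user_template: "tp-{{.User.Name}}"
    # Roles granted to every auto-provisioned user.
    # NOTE(review): "readonly" and "readwrite" are not created anywhere in this
    # guide and must already exist in the database. Listing "readwrite" here
    # gives every provisioned user write access by default — confirm that is intended.
    db_roles: ["readonly", "readwrite"]
  tls:
    # Presumably the libpq meaning: validate the server certificate chain and
    # hostname. Do not relax this for production targets.
    mode: verify-full
EOF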

Connect to Database

# Login first
# Authenticates alice against the proxy; the database commands below rely on this session.
tac login --proxy=proxy.example.com:3023 --user=alice

# Connect to database
tac db connect postgres-prod

# Or use local proxy
# NOTE(review): confirm the local listener binds to loopback only and whether it
# authenticates local clients; otherwise any process on this machine can reuse
# alice's database access through port 15432.
tac db proxy postgres-prod --port=15432
# Then connect with psql: psql -h localhost -p 15432

MySQL/MariaDB Setup

Configure MySQL Server

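-- Connect to MySQL
mysql -u root -p

-- Create TigerAccess admin user
-- The account is bound to the proxy's host (placeholder below) instead of '%',
-- so the credential is useless from any other machine, and REQUIRE SSL rejects
-- plaintext logins for this account even if the server-wide setting is relaxed.
-- 'secure_password' is a placeholder for a long random secret.
CREATE USER 'tigeraccess_admin'@'<TIGERACCESS_PROXY_HOST>' IDENTIFIED BY 'secure_password' REQUIRE SSL;
GRANT CREATE USER ON *.* TO 'tigeraccess_admin'@'<TIGERACCESS_PROXY_HOST>';
-- NOTE(review): *.* includes the mysql system schema, and GRANT OPTION lets this
-- account hand its privileges to any other account. Narrow the DML grant to the
-- application schemas if provisioning does not need more.
GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'tigeraccess_admin'@'<TIGERACCESS_PROXY_HOST>';
GRANT GRANT OPTION ON *.* TO 'tigeraccess_admin'@'<TIGERACCESS_PROXY_HOST>';

-- Enable SSL (in my.cnf)
[mysqld]
ssl-ca=/etc/mysql/ca.pem
ssl-cert=/etc/mysql/server-cert.pem
# Keep the private key readable only by the MySQL service account.
ssl-key=/etc/mysql/server-key.pem
# Refuses every unencrypted TCP connection, for all accounts.
require_secure_transport=ON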

Add MySQL Database

# Register the MySQL server with TigerAccess under the name mysql-prod.
# The admin password travels in --uri, so it ends up in shell history and in the
# process list; 'secure_password' is a placeholder.
# NOTE(review): check whether tac offers a way to supply the secret without
# putting it on the command line — TODO confirm against the CLI reference.
tac db add mysql-prod \
  --protocol=mysql \
  --uri=mysql://tigeraccess_admin:secure_password@mysql.example.com:3306/ \
  --labels=env=production,type=mysql

Connect to MySQL

# Open a session to mysql-prod through TigerAccess.
tac db connect mysql-prod

# Or use local proxy
# NOTE(review): confirm the listener on 13306 is loopback-only; the mysql client
# below supplies no credentials of its own, so access rides on the tac session.
tac db proxy mysql-prod --port=13306
# Then: mysql -h 127.0.0.1 -P 13306

MongoDB Setup

Configure MongoDB

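// Connect to MongoDB
mongosh

// Create admin user
use admin
db.createUser({
  user: "tigeraccess_admin",
  // passwordPrompt() asks for the password interactively, so the cleartext is
  // not stored in the mongosh history or echoed to the terminal.
  pwd: passwordPrompt(),
  // NOTE(review): together these roles can manage users and read/write data in
  // every database. Keep both only if the proxy's admin account needs them.
  roles: [
    { role: "userAdminAnyDatabase", db: "admin" },
    { role: "readWriteAnyDatabase", db: "admin" }
  ]
})

// Enable authentication in mongod.conf
security:
  authorization: enabled
net:
  tls:
    # requireTLS makes the server accept TLS connections only.
    mode: requireTLS
    # This PEM holds the server's private key; restrict it to the mongod service account.
    certificateKeyFile: /etc/mongodb/mongodb.pem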

Add MongoDB to TigerAccess

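# Register the MongoDB server with TigerAccess under the name mongo-prod.
# The URI is single-quoted because it contains '?', which the shell otherwise
# treats as a glob character (zsh aborts the command when the pattern matches nothing).
# The admin password is part of --uri, so it lands in shell history and in the
# process list; 'secure_password' is a placeholder.
# NOTE(review): the server is set to requireTLS but this URI carries no TLS
# option — confirm the proxy negotiates TLS to the database on its own.
tac db add mongo-prod \
  --protocol=mongodb \
  --uri='mongodb://tigeraccess_admin:secure_password@mongo.example.com:27017/?authSource=admin' \
  --labels=env=production,type=nosql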

Connect to MongoDB

# Open a session to mongo-prod through TigerAccess.
tac db connect mongo-prod

# Or use connection string
# NOTE(review): treat the printed connection string as a credential until it is
# confirmed to contain no secret material; do not paste it into tickets or chat.
tac db config mongo-prod
# Copy the output connection string to use with mongosh or drivers

Redis Setup

Configure Redis Server

# redis.conf
# Shared password for the default user; 'your_secure_password' is a placeholder.
# Use a long random value and keep redis.conf readable only by the Redis service account.
requirepass your_secure_password
# Enable TLS
tls-port 6380
# port 0 turns the plaintext listener off, leaving only the TLS port above.
port 0
tls-cert-file /etc/redis/redis.crt
# Private key: restrict to the Redis service account.
tls-key-file /etc/redis/redis.key
# CA used to validate peer certificates.
# NOTE(review): Redis asks clients for a certificate by default when TLS is on;
# confirm the proxy presents one signed by this CA.
tls-ca-cert-file /etc/redis/ca.crt

Add Redis to TigerAccess

# Register the Redis server with TigerAccess under the name redis-cache.
# rediss:// selects the TLS port configured on the server (6380).
# The Redis password is embedded in --uri, so it is recorded in shell history and
# visible in the process list; 'your_secure_password' is a placeholder.
tac db add redis-cache \
  --protocol=redis \
  --uri=rediss://:your_secure_password@redis.example.com:6380 \
  --labels=env=production,type=cache

Connect to Redis

# Start local proxy
# NOTE(review): confirm the listener on 16380 is loopback-only; redis-cli below
# sends no password or TLS options, so the local port is presumably unauthenticated.
tac db proxy redis-cache --port=16380

# Connect with redis-cli
redis-cli -h localhost -p 16380

User Access Configuration

Create Database Access Role

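# Create the db-developer role from a spec on stdin.
# The heredoc delimiter is quoted so the shell passes the spec through verbatim,
# with no $variable or command substitution applied to it.
tac roles create db-developer --spec - <<'EOF'
kind: role
version: v7
metadata:
  name: db-developer
spec:
  allow:
    # Only databases labelled development or staging.
    db_labels:
      env: ["development", "staging"]
    # Every database name on a matching server.
    db_names: ["*"]
    db_users: ["readonly", "readwrite"]
  deny:
    # Explicit block on production.
    # NOTE(review): presumably deny wins over any allow from another role held
    # by the same user — confirm before combining this role with a production role.
    db_labels:
      env: ["production"]
EOF

# Assign to user
tac users update alice --add-role=db-developer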

Production Access with MFA

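# Create the db-admin role for production databases from a spec on stdin.
# The heredoc delimiter is quoted so the shell passes the spec through verbatim,
# with no $variable or command substitution applied to it.
tac roles create db-admin --spec - <<'EOF'
kind: role
version: v7
metadata:
  name: db-admin
spec:
  allow:
    db_labels:
      env: ["production"]
    # NOTE(review): "*" plus the "admin" database user is the widest grant in
    # this guide; assign the role to named individuals rather than to a group default.
    db_names: ["*"]
    db_users: ["admin"]
  options:
    # Require MFA for production databases
    require_session_mfa: true
    # Max session duration
    # Shorten this where workflows allow: it bounds how long a stolen session stays usable.
    max_session_ttl: 4h
EOF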

Advanced Features

Query Auditing

Enable detailed query logging:

# In config.yaml
proxy:
  database:
    # Audit all queries
    audit:
      enabled: true
      # Log query details
      # Query text can contain secrets and personal data (for example passwords
      # in CREATE USER / ALTER USER statements); restrict who can read the audit
      # log and apply a retention policy to it.
      log_queries: true
      # Query patterns to alert on
      # These raise alerts; nothing on this page says they block the query, so
      # database grants remain the actual control.
      # NOTE(review): the third entry looks like a regular expression. Confirm the
      # matching syntax and whether it is case-insensitive — SQL keywords are, so
      # "drop table" in lower case must match as well.
      dangerous_patterns:
        - "DROP TABLE"
        - "TRUNCATE"
        - "DELETE.*WHERE.*1=1"

Database Discovery

# Auto-discover databases in AWS
tac discovery start aws-rds \
  --type=rds \
  --regions=us-east-1,us-west-2 \
  --tags=Environment=production

Connection Pooling

# Configure connection pooling
# NOTE(review): confirm pooled connections are never shared between different
# TigerAccess users; otherwise per-user attribution in the query audit log is lost.
proxy:
  database:
    pool:
      # Upper bound on connections the proxy opens to a database.
      max_connections: 100
      # Idle connections kept open for reuse.
      max_idle: 10
      # A connection is retired after this age.
      max_lifetime: 1h

Read Replicas

# Add database with read replicas
# NOTE(review): this reuses the name postgres-prod from the earlier setup and
# omits --protocol, credentials and labels; confirm whether it replaces or
# amends that entry. Replicas hold the same data as the primary, so they need
# the same TLS and pg_hba restrictions.
tac db add postgres-prod \
  --uri=postgres://primary.example.com:5432/db \
  --read-replica=postgres://replica1.example.com:5432/db \
  --read-replica=postgres://replica2.example.com:5432/db

Troubleshooting

Connection Refused

Check network and firewall rules:

# Test database connectivity from proxy
# -z only checks that the TCP port accepts a connection (no data sent); -v prints the result.
# Run it on the proxy host, since that is the source address the database firewall sees.
nc -zv db.example.com 5432

# Check TigerAccess logs
# -f follows the unit's journal live; reading it normally needs root or journal group membership.
journalctl -u tigeraccess -f

Authentication Failed

Verify admin credentials and user permissions:

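# Test admin credentials
# -d postgres is needed: without it psql connects to a database named after the
# user (tigeraccess_admin), which this guide never creates, and the resulting
# error would look like a login failure. psql prompts for the password, so the
# secret stays out of shell history.
psql -h db.example.com -U tigeraccess_admin -d postgres

# Check user's database access
tac users show alice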

SSL/TLS Issues

Verify SSL configuration:

# Test SSL connection
# -starttls postgres performs the PostgreSQL SSL request before the TLS handshake.
# s_client prints the certificate chain but carries on when verification fails:
# read the "Verify return code" line, and pass -CAfile <CA_BUNDLE> to check the
# chain against your own CA.
openssl s_client -connect db.example.com:5432 -starttls postgres
