PostgreSQL integration
PostgreSQL is an open-source object-relational database management system.
Windmill provides a framework to support PostgreSQL databases, either with native SQL scripts or through TypeScript for raw queries.
Please refer to the SQL Getting started section.
IAM authentication for AWS RDS and Aurora
This feature is available on Windmill Enterprise Edition only.
Instead of using static passwords, you can authenticate to AWS RDS or Aurora PostgreSQL databases using IAM database authentication. Windmill workers generate short-lived authentication tokens automatically, so no database password needs to be stored in the resource.
This works with any of the standard AWS credential methods:
- IRSA (IAM Roles for Service Accounts)
- EKS Pod Identity
- EC2 Instance Profiles
Setup
-
Enable IAM authentication on your RDS instance. In the AWS console, go to your RDS instance settings and enable IAM database authentication.
-
Create a database user with the
rds_iamrole:
CREATE USER myuser WITH LOGIN;
GRANT rds_iam TO myuser;
- Grant IAM permissions to your worker. The IAM principal attached to your Windmill worker (via IRSA, Pod Identity, or Instance Profile) needs the
rds-db:connectaction. Example IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource": "arn:aws:rds-db:<region>:<account-id>:dbuser:<dbi-resource-id>/<db-user-name>"
}
]
}
- Create a PostgreSQL resource with IAM auth enabled. Set
use_iam_authtotrueand fill inhost,user, anddbname. Thepasswordfield is ignored when IAM auth is enabled.
{
"host": "mydb.cluster-abc123.us-east-1.rds.amazonaws.com",
"port": 5432,
"user": "myuser",
"dbname": "mydb",
"sslmode": "require",
"use_iam_auth": true,
"region": "us-east-1"
}
The region field is optional if the AWS_REGION environment variable is set on the worker. SSL is enforced automatically for IAM connections.