Postico 2

• Features
• Pricing
• Documentation
• Support
• Download

Using a Pre-Connect Shell Script

Postico can execute a shell script before connecting to a server. The most common use case is when you use an identity management service like AWS IAM or Microsoft Entra ID. These services typically use temporary passwords or access tokens to connect to the PostgreSQL server. You can use a pre-connect shell script to generate these temporary passwords automatically whenever you want to connect to a server.

NOTE: This feature is in development and only available in development builds.

This feature will not be available in the Mac App Store version of Postico.

Overview

The pre-connect shell script is executed just before Postico connects to the PostgreSQL server. If you are using an SSH tunnel, the script is executed after the SSH tunnel has been established.

The connection parameters configured in Postico are passed to the shell script via the environment. Postico uses the same environment variables as psql: $PGHOST, $PGUSER, $PGPASSWORD, etc.

In the simplest case, the script just prints the password. Postico will then try to use that password to connect to the server.

To override other connection parameters than the password, the script can instead print a JSON document. All PostgreSQL connection parameter key words such as host, user, password, dbname are supported.

Postico automatically detects if the output of the shell script is a valid JSON document.

Examples

Connecting to Amazon RDS with IAM

If you have installed the AWS CLI tools, you can use this pre-connect shell script to automatically fetch an auth token for RDS:

aws rds generate-db-auth-token \
  --profile default \
  --region "${${PGHOST%.rds.amazonaws.com}##*.}" \
  --hostname "$PGHOST" \
  --port "$PGPORT" \
  --username "$PGUSER"

• We assume that you previously stored your credentials with aws configure
• The parameters $PGHOST, $PGPORT and $PGUSER will automatically be replaced with the values defined in the Postico UI.
• The script uses a parameter expansion to extract the AWS region from the host name, assuming that the host name has the form "x.y.region.rds.amazonaws.com".
• The generate-db-auth-token command will print the auth token to standard output, and Postico will use it instead of the password.

Connecting to Amazon Redshift with IAM

If you have installed the AWS CLI tools, you can use this pre-connect shell script to automatically fetch credentials for Amazon Redshift:

aws redshift get-cluster-credentials \
  --profile default \
  --region "${${PGHOST%.redshift.amazonaws.com}##*.}" \
  --db-user "$PGUSER" \
  --cluster-identifier "${PGHOST%%.*}"

• We assume that you previously stored your credentials with aws configure
• The parameter $PGUSER will automatically be replaced with the value defined in the Postico UI.
• The host field in Postico should be the domain of the "endpoint", for example "cluster.xyz.eu-central-1.redshift.amazonaws.com". The script extracts the AWS region and the Redshift cluster identifier from the host field using parameter expansion.
• The get-cluster-credentials command will print a JSON document with the keys DbUser and DbPassword to standard output. Postico will use these when authenticating to the Redshift server.

Connecting to Azure PostgreSQL with Microsoft Entra ID

Use this pre-connect shell script to fetch a temporary password for Azure:

az account get-access-token --resource-type oss-rdbms

• Make sure you have installed the Azure CLI tools
• You must have previously logged into Azure with the command az login in Terminal.
• The Azure PostgreSQL server must be configured to allow connections with Entra ID.
• The host field should be the host name of your server, eg. "example.postgres.database.azure.com".
• The user field should be the Entra ID role you want to connect with, eg. "user_example.com#EXT#@example.onmicrosoft.com".
• The get-access-token command will print a JSON document to standard output. Postico will use the value for accessToken to authenticate.

Overriding PostgreSQL connection parameters

You can also use a pre-connect shell script to override PostgreSQL connection parameters or set connection parameters that Postico does not support natively.

For example, here is a script that will disable TLS certificate verification:

cat <<eof
{
"sslmode":"disable",
}
eof

Supported Connection Parameters

Postico allows overriding the following keys in the JSON document: host, hostaddr, port, dbname, user, password, passfile, require_auth, channel_binding, connect_timeout, client_encoding, options, application_name, fallback_application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, replication, gssencmode, sslmode, requiressl, sslcompression, sslcert, sslkey, sslpassword, sslcertmode, sslcrldir, sslsni, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, krbsrvname, gsslib, gssdelegation, service, target_session_attrs, load_balance_hosts.

For compatibility with the AWS CLI, Postico also accepts DbUser and DbPassword instead of user and password.

For compatibility with Entra ID, Postico also accepts accessToken instead of password.

Debugging and error handling

For security reasons, Postico never shows the output of the shell script. However, if the shell script returns with a non-zero exit code, any messages printed to standard error (stderr) will be displayed. This means that error handling should work out of the box for many commands.

If you would like your script to display a friendly error message, just redirect it to stderr. A simple example would be something like this:

echo "An error occurred" >&2
exit 1

If your script runs successfully, any messages printed to stderr are ignored. Feel free to print detailed debug messages to stderr. They will be shown only if the script finishes with a non-zero exit code.

To see all environment variables available to the script, you can use the command below. But be careful: this will include the value of PGPASSWORD, so we recommend to use this only when debugging particularly thorny issues.

env >&2
exit 1

Selecting an interpreter: Zsh, Bash, Python, Perl, ...

The shell script is executed with your default shell. If you haven't changed it, that is /bin/zsh. The shell is executed with the -l option (login shell), so the environment should be very similar to the environment you have when you enter commands in Terminal.app.

If you would like to execute the script with a different shell, you can include a shebang, for example #!/bin/bash. When the script starts with the characters #!, Postico stores the script in a temporary file and executes it. This allows you to write your pre-connect script in any language you have installed on your computer -- Bash, Python, Ruby, Perl, or even in Swift!

Handling secrets

The pre-connect script is stored unencrypted, so please make sure not to include any secrets such as access keys.

The easiest way to store secrets securely is to use the password field. The value stored in the password field will be made available to the script in the $PGPASSWORD environment variable.

Another secure way to store secrets is to use the macOS keychain. You can use the security program to access the keychain from your script, with the add-generic-password and find-generic-password subcommands. Check the security man page for details.