Postgres secret engine: is it possible to disable SSL?

I’m trying to use vault to manage access to a GCP Cloud SQL instance. Cloud SQL uses a proxy to expose the DB to clients. It manages firewall rules and SSL on the db instance. But it does not provide SSL for the local connection.

When I try to configure vault to talk to the DB through the proxy:

error verifying connection: pq: SSL is not enabled on the server

I don’t see any options on the postgres config page or HTTP API page to disable SSL validation. Is that possible?

Ross

Vault is using the pq library (https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters). When you configure the connection_url you can disable sslmode.

Note: The PostgreSQL storage backend plugin will attempt to use SSL when connecting to the database. If SSL is not enabled the connection_url will need to be configured to disable SSL. See the documentation below to disable SSL. (https://www.vaultproject.io/docs/configuration/storage/postgresql/)

connection_url = "postgres://user:pass@localhost:5432/database?sslmode=disable"

It’s written in the docs. :slightly_smiling_face:

Thanks for the pointer. I expect that’ll work with the secrets engine as well. I’ll confirm on Monday and open an PR on the docs assuming it goes well.