Skip to main content

Linking PostgreSQL as a Source

This guide walks through connecting a PostgreSQL database to Actioneer. The setup creates a dedicated database user with SELECT-only permissions on the schemas you specify.
  
  Prerequisites  PostgreSQL instance (self-hosted, RDS, Cloud SQL, or any managed provider), Actioneer account
  Access granted  SELECT queries on specified schemas
  Estimated time  ~15 minutes
  Actioneer IP  35.244.14.238
Actioneer cannot insert, update, delete, or modify any data, tables, or database settings.
1

Locate your PostgreSQL connection details

Three values are needed: the host address, port, and database name.AWS RDS / Aurora: Open your RDS instance → Connectivity & security tab. The Endpoint is the host. Port is shown next to it (default 5432). The database name is on the Configuration tab.Google Cloud SQL: Open your Cloud SQL instance → Overview tab. The Public IP address is the host. Port defaults to 5432. The database name is under Databases in the left sidebar.Supabase: Go to Settings → Database. The host, port, and database name are listed under Connection parameters.Self-hosted: Use the hostname or IP address of your PostgreSQL server. The default port is 5432. List databases with \l in psql.
  Value  Location  Example
  Host  Provider console or server config  my-db.abc123.us-east-1.rds.amazonaws.com
  Port  Provider console or server config  5432
  Database Name  Provider console or \l in psql  analytics
2

Create a read-only database user

Connect to your PostgreSQL instance using a SQL client (psql, pgAdmin, or your provider’s query editor) and run the following. Replace your_schema with the schema Actioneer should query.
-- Create a dedicated read-only user
CREATE USER actioneer_readonly WITH PASSWORD 'Choose-A-Strong-Password-Here';

-- Grant schema access
GRANT USAGE ON SCHEMA your_schema TO actioneer_readonly;

-- Grant read access to all existing tables
GRANT SELECT ON ALL TABLES IN SCHEMA your_schema TO actioneer_readonly;

-- Ensure future tables are also readable
ALTER DEFAULT PRIVILEGES IN SCHEMA your_schema
  GRANT SELECT ON TABLES TO actioneer_readonly;
Replace your_schema with your actual schema name (e.g., public or reporting). The Database Name is the top-level database; your_schema is a namespace within it. Run the GRANT statements for each schema Actioneer should access.
Save the password you set for actioneer_readonly. You will enter it in Actioneer in the next step. Store it in a password manager.
3

Allow Actioneer's IP address

If your PostgreSQL instance restricts inbound connections (most managed providers do by default), add Actioneer’s IP so it can reach your database.AWS RDS / Aurora
  1. In the AWS Console, open EC2 → Security Groups.
  2. Find the security group attached to your RDS instance (visible on the instance’s Connectivity & security tab).
  3. Click the security group → Inbound rules → Edit inbound rules.
  4. Add a rule: Type = PostgreSQL, Port = 5432, Source = Custom35.244.14.238/32.
  5. Click Save rules.
Google Cloud SQL
  1. Go to your Cloud SQL instance → Connections → Networking → Authorized networks.
  2. Click Add a network. Name it Actioneer and enter 35.244.14.238/32.
  3. Click Save.
Self-hosted
  1. Add the following line to your pg_hba.conf:
host all actioneer_readonly 35.244.14.238/32 scram-sha-256
  1. Ensure your firewall allows inbound TCP on port 5432 from 35.244.14.238.
  2. Reload the configuration: SELECT pg_reload_conf();
If your instance is in a private network with no public endpoint, skip this step and use the SSH Tunnel option in Actioneer instead (see the connection form in the next step).
4

Connect PostgreSQL in Actioneer

  1. In Actioneer, click Data in the left sidebar.
  2. Select PostgreSQL from the list of data sources.
  3. When prompted, select Direct Connection.
  4. Complete the connection form:
  Field  Value
  Connection Name  A descriptive label, e.g. Production PostgreSQL
  Host  From Step 1 (e.g., my-db.abc123.us-east-1.rds.amazonaws.com)
  Port  From Step 1 (e.g., 5432)
  Database Name  From Step 1 (e.g., analytics)
  Username  actioneer_readonly
  Password  The password set in Step 2
  SSH Tunnel  Optional — enable to connect through a bastion host if your PostgreSQL instance is in a private network with no public endpoint
  1. Click Connect.

Common questions

No. The actioneer_readonly user holds only SELECT and USAGE grants. It cannot insert, update, delete, or alter any objects in your database.
Enable SSH Tunnel if your PostgreSQL instance is in a private network (e.g., an RDS instance in a private subnet with no public endpoint). The tunnel is a network routing mechanism — it routes traffic through a bastion host that has access to your private instance. It does not replace or provide encryption. TLS encryption is applied to all Actioneer connections independently, regardless of whether SSH Tunnel is enabled.
All credentials are encrypted at rest with AES-256 and encrypted in transit with TLS 1.3. They are never stored in plain text or logged. Actioneer is SOC 2 Type II certified, ISO 27001 certified (audited by Schellman), and GDPR compliant.

Need a hand?

Stuck on a step or running into an error? Reach out at connect@actioneer.com.