Connect a PostgreSQL database
Learn how to connect your PostgreSQL database to Retool.
You can use the PostgreSQL integration to create a resource and make it available in Retool. Once complete, your users can write queries that interact with PostgreSQL data.
Requirements
The PostgreSQL integration requirements depend on whether you have a cloud-hosted or self-hosted Retool organization. You may also need to make PostgreSQL configuration changes before creating the resource.
- Cloud-hosted organizations
- Self-hosted organizations
Sufficient user permissions to create resources
All users for Retool organizations on Free or Team plans have global Edit permissions and can add, edit, and remove resources. If your organization manages user permissions for resources, you must be a member of a group with Edit all permissions.
Allow Retool to access the data source
If the data source is behind a firewall or restricts access based on IP address, then you must ensure that your Retool organization can access it. If necessary, configure your data source to allow access from Retool's IP addresses.
3.77.79.248/30
35.90.103.132/30
44.208.168.68/30
3.77.79.249
3.77.79.250
35.90.103.132
35.90.103.133
35.90.103.134
35.90.103.135
44.208.168.68
44.208.168.69
44.208.168.70
44.208.168.71
PostgreSQL settings and authentication
You must have sufficient access and familiarity with your PostgreSQL data source so you can provide:
- Required connection settings (e.g., URL and server variables).
- Authentication credentials (e.g., API keys).
In some cases, you may need to make changes to your PostgreSQL configuration, such as generating authentication credentials or allowing access through a firewall. Refer to the configuration and authentication sections to learn more.
Sufficient user permissions to create resources
All users for Retool organizations on Free or Team plans have global Edit permissions and can add, edit, and remove resources. If your organization manages user permissions for resources, you must be a member of a group with Edit all permissions.
Allow your deployment to access the data source
Your self-hosted deployment must have access to the data source. Ensure that any potential firewall rules for either the data source or your deployment instance are updated to allow them to communicate.
PostgreSQL settings and authentication
You must have sufficient access and familiarity with your PostgreSQL data source so you can provide:
- Required connection settings (e.g., URL and server variables).
- Authentication credentials (e.g., API keys).
In some cases, you may need to make changes to your PostgreSQL configuration, such as generating authentication credentials or allowing access through a firewall. Refer to the configuration and authentication sections to learn more.
1. Configure the resource
Sign in to your Retool organization and navigate to the Resources tab. Click Create new > Resource, then select PostgreSQL.
Configuration
Specify the name, location, and description to use for your PostgreSQL resource. Retool displays the resource name and type in query editors to help users identify them.
Provide the following configuration settings to create the resource. Depending on how your data source is configured, you may also need to provide optional settings for Retool to connect.
You can automatically populate resource configuration fields by importing an AWS-hosted data source or providing a database connection string.
- Cloud-hosted organizations
- Self-hosted organizations
Name
The name to use for the resource.
Description
A description of the resource.
Host
The host server address.
Port
The host server connection port.
Database name
The name of the database to use.
Connection options
Key-value pairs to configure the connection.
Disable converting queries to prepared statements
Whether to disable SQL injection protection that allows dynamically generated SQL using JavaScript.
Show write GUI mode only
Whether to prevent users from writing raw SQL statements and only make changes using GUI mode queries.
Enable SSH tunnel
Override default outbound Retool region
Retool connects to your data source from the us-west-2 region. Choosing a different outbound region can improve performance through geographic proximity.
| Region | Location |
|---|---|
| us-west-2 | US West (Oregon) |
| eu-central-1 | (Frankfurt, Germany) |
Name
The name to use for the resource.
Description
A description of the resource.
Host
The host server address.
Port
The host server connection port.
Database name
The name of the database to use.
Connection options
Key-value pairs to configure the connection.
Disable converting queries to prepared statements
Whether to disable SQL injection protection that allows dynamically generated SQL using JavaScript.
Show write GUI mode only
Whether to prevent users from writing raw SQL statements and only make changes using GUI mode queries.
Enable SSH tunnel
Authentication
The PostgreSQL integration supports the following authentication methods. Depending on which authentication method you use, you may need to make changes to your PostgreSQL configuration.
- Cloud-hosted organizations
- Self-hosted organizations
Username and password
Authentication is performed with a username and password. You must be able to obtain and provide these credentials to create the resource.
AWS Identity and Access Management
Authentication is performed using the provided AWS security credentials. You must be able to obtain and provide these credentials to create the resource.
Database username
The username with which to authenticate.
Region
The AWS region with which to connect (e.g., us-east-1). This is often part of the base URL.
| Region | Location |
|---|---|
| us-east-1 | US East (N. Virginia) |
| us-east-2 | US East (Ohio) |
| us-west-1 | US West (N. California) |
| us-west-2 | US West (Oregon) |
| af-south-1 | Africa (Cape Town) |
| ap-east-1 | Asia Pacific (Hong Kong) |
| ap-northeast-1 | Asia Pacific (Tokyo) |
| ap-northeast-2 | Asia Pacific (Seoul) |
| ap-northeast-3 | Asia Pacific (Osaka) |
| ap-south-1 | Asia Pacific (Mumbai) |
| ap-south-2 | Asia Pacific (Bahrain) |
| ap-southeast-1 | Asia Pacific (Singapore) |
| ap-southeast-2 | Asia Pacific (Sydney) |
| ap-southeast-3 | Asia Pacific (Jakarta) |
| ap-southeast-4 | Asia Pacific (Hong Kong) |
| ca-central-1 | Canada (Central) |
| eu-central-1 | Europe (Frankfurt) |
| eu-central-2 | Europe (Warsaw) |
| eu-north-1 | Europe (Stockholm) |
| eu-south-1 | Europe (Milan) |
| eu-south-2 | Europe (London) |
| eu-west-1 | Europe (Ireland) |
| eu-west-2 | Europe (London) |
| eu-west-3 | Europe (Paris) |
| me-central-1 | Middle East (Bahrain) |
| me-south-1 | Middle East (Bahrain) |
| sa-east-1 | South America (São Paulo) |
| us-gov-east-1 | AWS GovCloud (US-East) |
| us-gov-west-1 | AWS GovCloud (US-West) |
Access key ID
The access key ID with which to authenticate.
Secret key ID
The secret key ID with which to authenticate.
Role to assume (ARN)
A different role to use for accessing the API.
AWS Identity and Access Management
Authentication is performed using the provided AWS security credentials. You must be able to obtain and provide these credentials to create the resource.
Database username
The username with which to authenticate.
Credential provider chain
Authentication is performed using AWS credentials sourced from the credential provider chain. Use this option to authenticate with credentials provided in environment variables or the underlying instance role.
Region
The AWS region with which to connect (e.g., us-east-1). This is often part of the base URL.
| Region | Location |
|---|---|
| us-east-1 | US East (N. Virginia) |
| us-east-2 | US East (Ohio) |
| us-west-1 | US West (N. California) |
| us-west-2 | US West (Oregon) |
| af-south-1 | Africa (Cape Town) |
| ap-east-1 | Asia Pacific (Hong Kong) |
| ap-northeast-1 | Asia Pacific (Tokyo) |
| ap-northeast-2 | Asia Pacific (Seoul) |
| ap-northeast-3 | Asia Pacific (Osaka) |
| ap-south-1 | Asia Pacific (Mumbai) |
| ap-south-2 | Asia Pacific (Bahrain) |
| ap-southeast-1 | Asia Pacific (Singapore) |
| ap-southeast-2 | Asia Pacific (Sydney) |
| ap-southeast-3 | Asia Pacific (Jakarta) |
| ap-southeast-4 | Asia Pacific (Hong Kong) |
| ca-central-1 | Canada (Central) |
| eu-central-1 | Europe (Frankfurt) |
| eu-central-2 | Europe (Warsaw) |
| eu-north-1 | Europe (Stockholm) |
| eu-south-1 | Europe (Milan) |
| eu-south-2 | Europe (London) |
| eu-west-1 | Europe (Ireland) |
| eu-west-2 | Europe (London) |
| eu-west-3 | Europe (Paris) |
| me-central-1 | Middle East (Bahrain) |
| me-south-1 | Middle East (Bahrain) |
| sa-east-1 | South America (São Paulo) |
| us-gov-east-1 | AWS GovCloud (US-East) |
| us-gov-west-1 | AWS GovCloud (US-West) |
Access key ID
The access key ID with which to authenticate.
Secret key ID
The secret key ID with which to authenticate.
Role to assume (ARN)
A different role to use for accessing the API.
SSL/TLS validation
Retool strongly recommends enabling SSL/TLS certificate validation whenever it's available. This ensures the connection is secure and prevents attackers from using invalid server certificates to gain access to your data.
Some resources support or require SSL/TLS validation. If needed, provide the following information to configure SSL.
CA Cert
The CA certificate to use.
Client key
The client key.
Client cert
The client certificate.
Verification mode
The mode with which Retool performs SSL/TLS verification.
| Mode | Description |
|---|---|
| Full verification | Verifies the server host matches the name stored in the server certificate and checks the CA certificate. |
| Verify CA certificate | This verifies the server by checking the certificate chain up to the root certificate stored on the client. |
| Skip CA certificate verification Caution | This establishes an encrypted connection without CA certificate verification. This mode is not recommended as your server could be vulnerable. |
3. Test the connection
Click Test Connection to verify that Retool can successfully connect to the data source. If the test fails, check the resource settings and try again.
Testing a connection only checks whether Retool can successfully connect to the resource. It cannot check whether the provided credentials have sufficient privileges or can perform every supported action.
4. Save the resource
Click Create resource to complete the setup. You can then click either Create app to immediately start building a Retool app or Back to resources to return to the list of resources.
Wrap up
Your PostgreSQL resource is now ready to use. To start querying data:
- Add a Resource query to an app or workflow.
- Select the PostgreSQL resource from the resources dropdown.
- Write and run a query.
Refer to the queries documentation to learn more about interacting with your data.