Skip to main content
Version: v3.0

Database accounts

To give users access to a repository, you will map SSO users and SSO groups to database accounts that you've registered with Cyral.

A database account is a user account on your repository, DBaaS, or DBMS. When an SSO user attempts to connect to your repository through the Cyral sidecar, Cyral relies on that SSO user's mapped database account to authenticate with the underlying repository, such as a PostgreSQL database.

To register a database account in Cyral, follow the steps below. Later you will map each database account to the SSO users who will use it.

Register a database account


Each database account must have its credentials stored as a secret in your secrets manager. See the tabs below for help storing secrets.

The credentials secret for a database account must contain:

  • the username — the database user account name as stored in the repository system, like a PostgreSQL username, for example. Don't worry about the SSO user or group names now; you'll map those later in the Cyral UI.
  • the password — the database user's password used for direct authentication to the repository system


  1. In the Cyral control plane UI, click Data Repos in the left navigation bar, click the name of your repository, and click the User Authentication tab.

  2. Click Register Database Account

  3. In the Database Account Username field, enter the name of the database account (for example, a PostgreSQL username) that will be used to connect. Click Next.

  4. Click the button that corresponds to your secrets storage type and click Next. For instructions, see the tab for your sercrets manager below:

If you have the ARN of your database credentials secret, paste it into the ARN field and click Create.

If you need to create a credentials secret, follow the instructions below.

Store the local account credentials as a JSON blob in AWS Secrets Manager. The secret's name must start with the prefix /cyral/dbsecrets/, which will become part of its ARN.

The JSON blob must follow one of the formats shown below. Cyral supports:

  • a single set of credentials (username/password) for one database, or
  • a list of credentials for multiple databases, where each set of credentials is identified for each database

For singular database accounts, store the local account credentials in the JSON format shown below.


  "username": "someuser",

  "password": "somepassword",

  "databaseName": "db1"


Note that databaseName is optional for singular credentials.

For multiple database accounts, store the local account credentials in the following JSON format:



    "username": "someuser",

    "password": "somepassword",

    "databaseName": "db1"



    "username": "someuser",

    "password": "anotherpassword",

    "databaseName": "db2"



Note that for multiple database accounts, databaseName is required so the sidecar can identify which database the credentials belong to.

See the AWS Secrets Manager tutorial for help storing secrets.

Next step

Now that you've saved your database account, you can map it to the SSO users who will use it. To do this, make sure your database account name is selected in the Database Accounts list of the User Authentication tab, and click Add Rule. For instructions, see the next section, Access rules for users and groups.