AlloyDB for PostgreSQL

AlloyDB for PostgreSQL is a fully-managed, PostgreSQL-compatible database for demanding transactional workloads.

About

AlloyDB for PostgreSQL is a fully-managed, PostgreSQL-compatible database for demanding transactional workloads. It provides enterprise-grade performance and availability while maintaining 100% compatibility with open-source PostgreSQL.

If you are new to AlloyDB for PostgreSQL, you can create a free trial cluster.

Available Tools

Pre-built Configurations

Requirements

IAM Permissions

By default, AlloyDB for PostgreSQL source uses the AlloyDB Go Connector to authorize and establish mTLS connections to your AlloyDB instance. The Go connector uses your Application Default Credentials (ADC) to authorize your connection to AlloyDB.

In addition to setting the ADC for your server, you need to ensure the IAM identity has been given the following IAM roles (or corresponding permissions):

  • roles/alloydb.client
  • roles/serviceusage.serviceUsageConsumer

Networking

AlloyDB supports connecting over both from external networks via the internet (public IP), and internal networks (private IP). For more information on choosing between the two options, see the AlloyDB page Connection overview.

You can configure the ipType parameter in your source configuration to public or private to match your cluster’s configuration. Regardless of which you choose, all connections use IAM-based authorization and are encrypted with mTLS.

Authentication

This source supports both password-based authentication and IAM authentication (using your Application Default Credentials).

Standard Authentication

To connect using user/password, create a PostgreSQL user and input your credentials in the user and password fields.

user: ${USER_NAME}
password: ${PASSWORD}

IAM Authentication

To connect using IAM authentication:

  1. Prepare your database instance and user following this guide.
  2. You could choose one of the two ways to log in:
    • Specify your IAM email as the user.
    • Leave your user field blank. Toolbox will fetch the ADC automatically and log in using the email associated with it.
  3. Leave the password field blank.

Example

sources:
    my-alloydb-pg-source:
        kind: alloydb-postgres
        project: my-project-id
        region: us-central1
        cluster: my-cluster
        instance: my-instance
        database: my_db
        user: ${USER_NAME}
        password: ${PASSWORD}
        # ipType: "public"

Tip

Use environment variable replacement with the format ${ENV_NAME} instead of hardcoding your secrets into the configuration file.

Reference

fieldtyperequireddescription
kindstringtrueMust be “alloydb-postgres”.
projectstringtrueId of the GCP project that the cluster was created in (e.g. “my-project-id”).
regionstringtrueName of the GCP region that the cluster was created in (e.g. “us-central1”).
clusterstringtrueName of the AlloyDB cluster (e.g. “my-cluster”).
instancestringtrueName of the AlloyDB instance within the cluster (e.g. “my-instance”).
databasestringtrueName of the Postgres database to connect to (e.g. “my_db”).
userstringfalseName of the Postgres user to connect as (e.g. “my-pg-user”). Defaults to IAM auth using ADC email if unspecified.
passwordstringfalsePassword of the Postgres user (e.g. “my-password”). Defaults to attempting IAM authentication if unspecified.
ipTypestringfalseIP Type of the AlloyDB instance; must be one of public or private. Default: public.
Last modified November 7, 2025: chore(main): release 0.19.1 (#1901) (cd8d68d)