# Postgres

## Prerequisites

* [ ] If your Postgres database is protected by security groups or other firewall settings, you will need to have the data syncing service's static IP available to complete Step 1.

## Step 1: Allow access

Create a rule in a security group or firewall settings to whitelist:

* incoming connections to your host and port (usually `5432`) from `35.192.85.117`.
* outgoing connections from ports `1024` to `65535` to `35.192.85.117`.

> 📘 Optional: SSH tunneling
>
> If your database is not accessible from the public internet, SSH tunneling through a bastion host is supported. Allow inbound SSH (port `22`) from the static egress IP on the bastion host, create an SSH user with the service's public key in `~/.ssh/authorized_keys` (contact support for the key), and grant the bastion host's IP access to the database port in place of the static egress IP. Provide the bastion host address, port, and username in the destination configuration.

## Step 2: Create writer user

Create a database user that will write the source data.

1. Open a connection to your PostgreSQL database.
2. Create a user for the data transfer by executing the following SQL command.

```sql
CREATE USER <username> PASSWORD '<some-password>';
```

> 🚧 Credential character limitations
>
> For user credentials containing special characters, please avoid using the following characters: `@`, `[`, `]`, `/`, `?`, `#`, `"`, `\\`, `+`, space, `&`, `:`, `%` as these characters can break connection string parsing.

3. Grant user `create` and `temporary` privileges on the database. `create` allows the service to create new schemas and `temporary` allows the service to create temporary tables.

```sql
GRANT CREATE, TEMPORARY ON DATABASE <database> TO <username>;
```

> 🚧 **If the `schema` already exists**
>
> By default, the service creates a new schema based on the destination configuration (in the next step). If you prefer to create the schema yourself before connecting the destination, you must ensure that the writer user has the proper permissions on the schema, using `GRANT ALL ON schema <schema> TO <username>;`

## Step 3: Add your destination

Securely connect your system to Orb using the Data Export UI under Settings -> Data Exports.

## Permissions checklist

* Database user has `CREATE` and `TEMPORARY` on the target database.
* If using a pre-created schema: user has been granted `ALL` on that schema (`GRANT ALL ON SCHEMA <schema> TO <username>;`).
* Firewall or security group allows the service's egress IP on port 5432. If using SSH tunneling, allow the egress IP on port 22 on the bastion host instead.
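
The query below is an added example, not part of Orb's documentation or tooling. It audits the writer role against the database and schema items in this checklist, and also reports role attributes that Step 2 never asks for. The names `export_writer` and `export_schema` are constructed placeholders. Run it as an administrative role while connected to the target database.

```sql
-- Added example: audit the writer role against the permissions checklist.
-- 'export_writer' and 'export_schema' are constructed placeholder names;
-- replace them with the role and schema you actually use.
WITH target AS (
    SELECT 'export_writer'::name AS role_name,
           'export_schema'::name AS schema_name
)
SELECT
    r.rolname,
    d.datname,
    -- Required by the checklist: expect true for both.
    has_database_privilege(r.oid, d.oid, 'CREATE')    AS db_create,
    has_database_privilege(r.oid, d.oid, 'TEMPORARY') AS db_temporary,
    -- ALL on a schema means CREATE plus USAGE. These columns are NULL
    -- when the schema does not exist yet (it is created on first sync).
    has_schema_privilege(r.oid, n.oid, 'CREATE')      AS schema_create,
    has_schema_privilege(r.oid, n.oid, 'USAGE')       AS schema_usage,
    -- Role attributes the setup steps never request: expect false for all.
    -- A superuser passes every privilege check above, so read rolsuper first.
    r.rolsuper,
    r.rolcreatedb,
    r.rolcreaterole,
    r.rolreplication,
    r.rolbypassrls
FROM target t
JOIN pg_roles r         ON r.rolname = t.role_name
JOIN pg_database d      ON d.datname = current_database()
LEFT JOIN pg_namespace n ON n.nspname = t.schema_name;
-- Zero rows returned means the role named in "target" does not exist.
```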

## FAQ

### Q: How is the PostgreSQL connection secured?

**A:** We connect using the credentials you provide (host, port, username, password) over TCP. If your database is not publicly accessible, SSH tunneling through a bastion host is supported. The service uses public key authentication for bastion access.

### Q: What PostgreSQL versions are supported?

**A:** PostgreSQL 13 and above are fully supported. PostgreSQL 12 is best-effort only.

### Q: Do I need to pre-create the schema?

**A:** No. The schema provided in the destination configuration is created automatically on first sync. If you pre-create it, grant `ALL` on the schema to the writer user and you may remove the database-level `CREATE` permission (retain `TEMPORARY`).
