All posts
June 18, 20264 min read

Configuring AI coding agents access to Postgres with just-in-time access

An internal AI coding agent that automatically writes pull requests is given a hard‑coded PostgreSQL user with superuser rights. The bot runs nightly, pulls data, and pushes changes without any human eyes on the queries it issues. The organization wishes to move to just-in-time access, yet the credential remains permanent. When the credential is later compromised, the attacker can read every table, drop data, or exfiltrate PII, and the incident team has no record of which statements were execute

Free White Paper

Just-in-Time Access + AI Human-in-the-Loop Oversight: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

An internal AI coding agent that automatically writes pull requests is given a hard‑coded PostgreSQL user with superuser rights. The bot runs nightly, pulls data, and pushes changes without any human eyes on the queries it issues. The organization wishes to move to just-in-time access, yet the credential remains permanent. When the credential is later compromised, the attacker can read every table, drop data, or exfiltrate PII, and the incident team has no record of which statements were executed. The team has no way to verify the agent’s actions or limit its scope.

Why just-in-time access matters for AI coding agents

AI‑driven automation is valuable, but it also expands the attack surface. A static database account gives the agent unrestricted reach for the lifetime of the secret. If the code that drives the agent is updated, the same credential persists, making it impossible to grant temporary privileges that match the exact workload. Just-in-time access solves that problem by issuing a scoped credential only for the duration of a single execution, then revoking it automatically. This approach reduces the window of exposure, enforces the principle of least privilege, and creates a clear audit boundary for every interaction with the database.

Architectural requirement: a data‑path enforcement point

Identity providers, OIDC tokens, and service‑account roles determine *who* can request a connection. Those components are essential for authentication, but they do not enforce *what* the request may do once it reaches the database. The enforcement point must sit on the data path, between the authenticated identity and the PostgreSQL server, so that every query can be inspected, recorded, and optionally transformed before it touches the backend.

In practice this means placing a gateway that terminates the client’s wire‑protocol connection, applies policy, and then forwards the request to the actual database. The gateway holds the database credential, so the AI agent does not have direct access to the password or IAM token. The gateway also knows the identity that originated the request, because the authentication layer has already validated the OIDC token.

Introducing hoop.dev as the enforcement gateway

hoop.dev fulfills the data‑path requirement by acting as a native wire‑protocol proxy for PostgreSQL. When an AI coding agent initiates a connection, it points its standard client (for example, psql) at the hoop.dev endpoint instead of the database host. hoop.dev validates the agent’s OIDC token, extracts group membership, and then decides whether to grant a temporary, scoped database session.

Because hoop.dev sits in the data path, it can provide the enforcement outcomes that are impossible with a pure identity‑only solution:

  • Query‑level audit logging: every SQL statement issued by the agent is recorded with the originating identity, timestamp, and result metadata. This creates a replayable trail for forensic analysis.
  • Inline data masking: columns that contain sensitive information (PII, PHI, financial data) are redacted in the response before they reach the agent, ensuring that the AI model never sees raw values.
  • Command blocking and guardrails: risky statements such as DROP DATABASE or DELETE FROM users where … can be blocked automatically, preventing accidental or malicious data loss.
  • Just‑in‑time approval workflows: for operations that exceed a predefined risk threshold, hoop.dev can pause the request and route it to a human approver, then resume the session once approved.
  • Session recording and replay: the entire interaction is captured, allowing teams to replay the exact sequence of commands that the AI agent performed.

All of these capabilities are enforced because hoop.dev is the only component that sees the traffic between the agent and PostgreSQL. Without the gateway, the static credential would remain the sole enforcement mechanism, and none of the above outcomes would be possible.

Continue reading? Get the full guide.

Just-in-Time Access + AI Human-in-the-Loop Oversight: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How the pieces fit together

The overall flow looks like this:

  1. Setup: configure an OIDC provider (Okta, Azure AD, Google Workspace, etc.) and create a group that represents AI coding agents. Assign the group the permission to request Postgres access.
  2. Gateway deployment: run hoop.dev as a Docker Compose service or in Kubernetes, as described in the getting‑started guide. The gateway holds the permanent PostgreSQL credential and terminates TLS connections.
  3. Request: the AI agent authenticates to the OIDC provider, receives a short‑lived token, and connects to hoop.dev using its normal client.
  4. Policy enforcement: hoop.dev validates the token, checks the group membership, and creates a just‑in‑time database session. It then applies masking, guardrails, and logging as the agent issues queries.
  5. Audit and replay: after the session ends, logs and recordings are stored in the configured backend, ready for compliance reviews or incident investigations.

This pattern isolates the risky part of the workflow, the direct database interaction, behind a single, controllable component. Teams can therefore grant AI agents the power to read schema information or run migrations on demand, while still maintaining a tight audit and data‑protection envelope.

Benefits for security and operations teams

Security engineers gain a reliable source of evidence for every AI‑driven query, satisfying audit requirements without asking developers to add instrumentation to their code. Operations teams no longer need to rotate shared passwords whenever a bot is decommissioned; the temporary session expires automatically. Developers keep using familiar tools, because hoop.dev speaks the native PostgreSQL wire protocol, so there is no learning curve or client rewrite.

Getting started

To try this approach, follow the step‑by‑step instructions in the learn section, which walks through OIDC configuration, gateway deployment, and connection registration for PostgreSQL. The repository contains the Docker Compose file and Helm chart you need to spin up a test environment.

Explore the open‑source repository to get started quickly. The community provides examples for AI agents, and the docs cover best practices for just‑in‑time access, masking policies, and approval workflows.

FAQ

Does hoop.dev store database passwords?

No. The gateway holds the credential in memory and does not expose it to the client. The AI agent authenticates only with its OIDC token.

Can I mask only specific columns?

Yes. hoop.dev’s masking policies let you define which tables and columns are redacted, so sensitive fields never leave the gateway.

What happens if an approval is denied?

The request is terminated by hoop.dev and the session is logged as “blocked”. No partial commands are executed.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot