Secure Postgres Access Anywhere with Identity-Aware Proxy and pgcli

The connection dropped the moment I needed it most. One second I was in my database shell, the next I was staring at an access denied message. Not because the database was down. Because the network had changed, and my IP no longer matched the firewall rules.

That’s when Identity-Aware Proxy with pgcli stopped being optional.

Identity-Aware Proxy (IAP) shifts database security from brittle, perimeter-based controls to identity-based gates. Instead of trusting an IP address, you trust the person or service account requesting access. The access check happens before the connection reaches your database. This makes static network configurations and VPN dependencies unnecessary.

When you bring pgcli into the mix, you get a faster, more productive Postgres terminal experience with auto-completion, syntax highlighting, and readable formatting. Together with IAP, it means secure, authenticated connections to your database from anywhere, with a client that’s pleasant to use.

The basic flow:

  1. Authenticate through the Identity-Aware Proxy with your account.
  2. Retrieve a tunnel or direct authenticated connection endpoint.
  3. Point pgcli to the IAP-secured connection, passing authentication tokens or using a configured context.
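
Step 3 as an added shell example (not from the original post or hoop.dev): a wrapper that runs pgcli against the local end of an already-open tunnel while keeping the token out of the command line. It assumes the proxy's client listens on a loopback port and accepts the short-lived token as the Postgres password; `IAP_DB_TOKEN` and `PGCLI_BIN` are hypothetical names.

```shell
# Added example. Assumptions: the tunnel from steps 1-2 is already open on a
# local port, and the short-lived token is in IAP_DB_TOKEN (hypothetical name).

# Accept only a loopback endpoint with a valid numeric port, so the token is
# only ever handed to the local end of the proxy's tunnel.
validate_endpoint() {
  case "$1" in
    localhost|127.0.0.1) ;;
    *) echo "refusing non-loopback endpoint: $1" >&2; return 1 ;;
  esac
  case "$2" in
    ''|*[!0-9]*) echo "invalid port: $2" >&2; return 1 ;;
  esac
  [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "port out of range: $2" >&2; return 1; }
}

# Usage: connect_via_tunnel HOST PORT USER DBNAME
# The token goes in PGPASSWORD, which pgcli reads from the environment, so it
# never appears in argv (visible to other local users via ps) or shell history.
connect_via_tunnel() {
  validate_endpoint "$1" "$2" || return 1
  [ -n "${IAP_DB_TOKEN:-}" ] || { echo "no token; authenticate to the proxy first" >&2; return 1; }
  # PGCLI_BIN (hypothetical) lets you substitute the binary, e.g. for a dry run.
  PGPASSWORD="$IAP_DB_TOKEN" "${PGCLI_BIN:-pgcli}" -h "$1" -p "$2" -U "$3" -d "$4"
}
```

For example, `connect_via_tunnel 127.0.0.1 5433 alice@example.com appdb` opens the session, where the port, user, and database name are constructed sample values.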

The big win here is zero management of IP allowlists or VPN endpoints. Instead, policy lives in your identity provider. Add a new engineer to the right group in IAM, and they can use pgcli to query production in seconds — assuming that’s what your policy allows. Remove them, and the door closes immediately.

Performance stays predictable because IAP handles auth without dragging packets through a slow VPN. Security is stronger because even if credentials leak, the attacker still needs to pass the identity gate. And productivity rises because pgcli makes database work smoother and less error-prone.

If you want to see this live without spending days setting it up, you can try it now. hoop.dev lets you spin up an Identity-Aware Proxy to your Postgres database and connect through pgcli in minutes. No custom scripts. No waiting for network tickets. Just fast, secure, identity-driven access — working now, not next quarter.
