
Secure PostgreSQL Access with Pgcli and an Identity-Aware Proxy

The connection is locked behind a wall you cannot bypass—until you drop an Identity-Aware Proxy between you and the database.

An Identity-Aware Proxy (IAP) lets you control database access by enforcing authentication before a single query runs. Instead of exposing your database to the network, you tunnel through the proxy with verified credentials tied to real user identities. This means no leaked passwords in scripts, no open ports, and no guessing who ran what.

Pgcli is a fast, feature-rich command-line client for PostgreSQL. It offers autocompletion, syntax highlighting, and an ergonomic workflow for fast database operations. By routing Pgcli traffic through an Identity-Aware Proxy, you combine speed with zero-trust security. Every session is verified. Every query is traceable. Unauthorized users never reach the database.

To set it up, you run the IAP on a secure host or as a managed service. The proxy authenticates the user via OAuth, SSO, or your identity provider before forwarding connections to the PostgreSQL server. Pgcli then connects to the proxy host instead of the database directly. The IAP enforces least-privilege access, and you can log all activity at the identity level.

This approach is scalable. Add users without sharing passwords. Rotate credentials without downtime. Restrict access by role or project. Disconnect instantly when someone leaves the team. Because Pgcli speaks the standard PostgreSQL protocol, the IAP sits in the middle without slowing queries or breaking features.
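The decision the proxy makes before forwarding a Pgcli connection, and the role and project restriction described above, sketched as an added example (not hoop.dev's code or any real IAP's API). The HMAC-signed token format, the signing key, the group names and the `POLICY` table are assumptions constructed for illustration; a real proxy verifies tokens issued by your identity provider.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed key for illustration: a real IAP validates OIDC/SAML assertions
# from the identity provider instead of a shared HMAC secret.
SIGNING_KEY = b"constructed-demo-key"
# Hypothetical policy: IdP group -> (PostgreSQL role, databases it may reach).
POLICY = {
    "analytics": ("readonly", {"reporting"}),
    "platform": ("dba", {"reporting", "orders"}),
}

def issue_token(claims: dict) -> str:
    """Stand-in for the identity provider: sign the claims with HMAC-SHA256."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{sig}"

def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims only if the signature is valid and the token is unexpired."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # reject before decoding any attacker-controlled content
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims.get("exp", 0) > now else None

def authorize(token: str, database: str, now: Optional[float] = None) -> dict:
    """Decide whether to forward the connection; always return an audit record."""
    now = time.time() if now is None else now
    record = {"ts": int(now), "database": database, "user": None,
              "pg_role": None, "allowed": False, "reason": "invalid or expired token"}
    claims = verify_token(token, now)
    if claims is None:
        return record
    record["user"] = claims.get("sub")  # every decision is tied to an identity
    for group in claims.get("groups", []):
        role, databases = POLICY.get(group, (None, set()))
        if database in databases:
            record.update(pg_role=role, allowed=True, reason=f"group:{group}")
            return record
    record["reason"] = "no group grants this database"
    return record
```

Removing a user from a group at the identity provider denies their next connection with no database password to rotate, and denied attempts are recorded under the same identity as allowed ones.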

Identity-Aware Proxy with Pgcli is not just a security upgrade—it’s a control plane for your data layer. It stops accidental exposure and makes compliance straightforward. It gives immediate visibility into database usage without touching application code.

You can skip building all of this from scratch. hoop.dev lets you wrap your database in an Identity-Aware Proxy and start using Pgcli against it in minutes. Secure your workflow. See it live now at hoop.dev.
