What You’ll Accomplish

The Provisioning hub gives platform and security teams a single place to own the full lifecycle of database access roles across all PostgreSQL resources connected to Hoop:
  • Import your databases into a managed Inventory catalog
  • Configure admin credentials that Hoop uses to apply changes
  • Declare the roles you need and let Hoop compute a dry-run plan before touching anything
  • Apply approved plans and watch every SQL operation captured in an audit session
  • Retrieve generated credentials from the Hoop Resource Role that Hoop creates for each provisioned role
The workflow mirrors Terraform: plan → review → apply. Nothing changes in Postgres until you explicitly approve it.

How It Works

Hoop connects to Postgres using the admin credentials you supply, introspects the live catalog state, computes the minimum SQL diff required to reach the desired role configuration, and executes it — recording every statement in a session for audit.
1. Inventory

Import your PostgreSQL instances into the catalog. Each resource tracks host, port, type, and setup progress.
2. Manage

Supply an admin account (username + password) per resource. Hoop uses this account to run CREATE ROLE, GRANT, and REVOKE statements.
3. Provision

Define roles, scopes, and privileges. Run a plan to see the exact SQL diff, then apply it. Hoop creates a Resource Role for each provisioned role so team members can start using it immediately.

Role Types

Managed

Hoop fully owns the role:
  • Creates the role if it does not exist
  • Manages the password (rotates on each apply when --rotate-password is used)
  • Grants the specified USAGE on schemas and SELECT / INSERT / … on tables within each scope
  • Reconciles grants on each apply — adding or revoking as the scope list changes
Use managed when you want Hoop to issue credentials that Hoop itself controls end-to-end.
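
The reconciliation of grants on each apply can be pictured as a set difference between the grants that exist today and the grants the scope list asks for. The Python below is an added example, not Hoop's implementation; plan_grants, quote_ident, the privilege allow-list and the sample state are hypothetical names and constructed data.

```python
# Added illustration, not Hoop's code: the plan step for one managed role.
# Assumption: grant state is modelled as a set of (schema, table, privilege) tuples.

TABLE_PRIVILEGES = {"SELECT", "INSERT", "UPDATE", "DELETE",
                    "TRUNCATE", "REFERENCES", "TRIGGER"}


def quote_ident(name):
    """Double-quote an identifier so a crafted name cannot change the statement."""
    return '"' + name.replace('"', '""') + '"'


def plan_grants(role, current, desired):
    """Return the ordered SQL that moves `role` from `current` grants to `desired`."""
    for _schema, _table, priv in current | desired:
        if priv not in TABLE_PRIVILEGES:
            raise ValueError(f"unsupported privilege: {priv!r}")
    r = quote_ident(role)
    cur_schemas = {s for s, _t, _p in current}
    des_schemas = {s for s, _t, _p in desired}
    plan = []
    # Revocations are listed first so removed access sits at the top of the plan.
    for s, t, p in sorted(current - desired):
        plan.append(f"REVOKE {p} ON TABLE {quote_ident(s)}.{quote_ident(t)} FROM {r};")
    for s in sorted(cur_schemas - des_schemas):
        plan.append(f"REVOKE USAGE ON SCHEMA {quote_ident(s)} FROM {r};")
    # USAGE on the schema is needed before table privileges in it are usable.
    for s in sorted(des_schemas - cur_schemas):
        plan.append(f"GRANT USAGE ON SCHEMA {quote_ident(s)} TO {r};")
    for s, t, p in sorted(desired - current):
        plan.append(f"GRANT {p} ON TABLE {quote_ident(s)}.{quote_ident(t)} TO {r};")
    return plan


# Constructed sample state; a real plan would read `current` from the live catalog.
CURRENT = {("public", "orders", "SELECT"), ("public", "orders", "INSERT"),
           ("billing", "invoices", "SELECT")}
DESIRED = {("public", "orders", "SELECT"), ("public", "customers", "SELECT")}

if __name__ == "__main__":
    for stmt in plan_grants("app_ro", CURRENT, DESIRED):
        print(stmt)
```

When the current and desired sets are equal the plan is empty, which is the property that makes a repeated apply safe to review.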

External

Hoop creates the role (if missing) and runs GRANT <source_role> TO <new_role>, giving the new role all privileges the source role has. No per-table grants are managed. Use external when an existing superuser or read-all role already covers the access needed, for example a role that inherits pg_read_all_data.

Ready to set it up? The Resource Provisioning configuration guide walks through building the inventory, configuring admin accounts, provisioning roles with the plan/apply workflow (Web App or CLI), and reading the audit sessions.

After Provisioning

Once a role is applied, Hoop automatically creates or updates a Resource Role for that role. Team members can connect via the Web App or CLI using that resource role — Hoop injects the credentials at session time without exposing them to users.

Access Control

Restrict provisioned Resource Roles to specific user groups

Session Recording

Every plan and apply is recorded — review the full SQL audit trail

Live Data Masking

Mask sensitive columns in query output even for provisioned roles

CLI Reference

Full flag reference for hoop resources plan, apply, and more