Database Configuration

Postgres

ZITADEL with Postgres

If you want to use a PostgreSQL database you can overwrite the default configuration. Make sure to read our Production Guide before you decide to use it.

Currently versions >= 14 are supported.

Postgres can be configured as follows:

Database:
  postgres:
    Host: localhost
    Port: 5432
    Database: zitadel
    MaxOpenConns: 25
    MaxIdleConns: 10
    MaxConnLifetime: 1h
    MaxConnIdleTime: 5m
    Options:
    User:
      Username: zitadel
      Password: zitadel
      SSL:
        Mode: disable
        RootCert:
        Cert:
        Key:
    Admin:
      Username: postgres
      Password: postgres
      SSL:
        Mode: disable
        RootCert:
        Cert:
        Key:

The admin user is only needed for the installation step but can also be avoided by preparing the necessary requirements:

• the zitadel user
• the zitadel database
• granting required permissions to the zitadel user

CREATE ROLE zitadel LOGIN;
CREATE DATABASE zitadel;
GRANT CONNECT, CREATE ON DATABASE zitadel TO zitadel;

Don't forget to adjust pg_hba.conf and set a password for the zitadel user.

With the setup done, follow the phases guide to run the init and then setup phase to get all necessary tables and data set up.

Cockroach

ZITADEL with Cockroach

The default database of ZITADEL is CockroachDB. The SQL database provides a bunch of features like horizontal scalability, data regionality and many more.

The default configuration of the database looks like this:

Database:
  cockroach:
    Host: localhost
    Port: 26257
    Database: zitadel
    MaxOpenConns: 20
    MaxConnLifetime: 30m
    MaxConnIdleTime: 30m
    Options: ""
    User:
      Username: zitadel
      Password: ""
      SSL:
        Mode: disable
        RootCert: ""
        Cert: ""
        Key: ""
    Admin:
      Username: root
      Password: ""
      SSL:
        Mode: disable
        RootCert: ""
        Cert: ""
        Key: ""

Zitadel credentials

The init phase of Zitadel creates a the zitadel user (Database.*.User.Username & Database.*.User.Password) with their password if it does not exist (and Admin credentials are passed). It is though to note that it does neither update nor deprecate them. In case you provisioned a Zitadel setup with insecure or easy-to-guess values you should first of all rotate them but also manually ensure, that the old role/user gets deprecated.

If you rotate the credentials you either must opt for a new username or deprecate the old user first (might lead to interruptions) since the init phase will fail if the user already exists but only the password changes. To deprecate the old user you need admin access to your database server and remove the user with commands matching your database provider.

caution

Recreating a database will not necessarily remove the user, make sure to check for the user and remove it if necessary.