> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tensor9.com/llms.txt
> Use this file to discover all available pages before exploring further.

# PostgreSQL

> Customer-provided PostgreSQL database in place of default-shipped PostgreSQL

<img src="https://mintcdn.com/tensor9/kMegASiqfYYqVuji/images/diagrams/customer-provided-postgresql-overview-dark.svg?fit=max&auto=format&n=kMegASiqfYYqVuji&q=85&s=1d8e1a80f4e77cdccfb63fae5317857e" className="block dark:hidden" alt="Customer-provided PostgreSQL: the origin stack uses PostgreSQL; the customer can plug in an AWS-managed instance (RDS or Aurora), a cloud-managed instance (Cloud SQL, AlloyDB, etc.), or a self-hosted Postgres deployment." width="1300" height="720" data-path="images/diagrams/customer-provided-postgresql-overview-dark.svg" />

<img src="https://mintcdn.com/tensor9/kMegASiqfYYqVuji/images/diagrams/customer-provided-postgresql-overview-light.svg?fit=max&auto=format&n=kMegASiqfYYqVuji&q=85&s=958f2458136243a3f1b1e968e6d06b6d" className="hidden dark:block" alt="Customer-provided PostgreSQL: the origin stack uses PostgreSQL; the customer can plug in an AWS-managed instance (RDS or Aurora), a cloud-managed instance (Cloud SQL, AlloyDB, etc.), or a self-hosted Postgres deployment." width="1300" height="720" data-path="images/diagrams/customer-provided-postgresql-overview-light.svg" />

If your origin stack uses PostgreSQL as its relational store, your customer can supply their own PostgreSQL instance (RDS, Cloud SQL, Aurora, self-hosted, etc.) and the compiler will emit a deployment stack that talks to it instead of provisioning a default-shipped database.

## What the customer provides

| Field                                                   | Purpose                                                                                                        |
| ------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| **Hostname**                                            | The `host` (or `host:port` if non-default) of the PostgreSQL endpoint.                                         |
| **Database name**                                       | The PostgreSQL database the appliance's services should connect to.                                            |
| **Username**                                            | The role the appliance authenticates as.                                                                       |
| **Password (or IAM role / managed-identity reference)** | The credential for the role. The appliance can use a static password or, where supported, an IAM-backed token. |
| **CA certificate** *(optional)*                         | The trust anchor for the PostgreSQL server's TLS certificate when the customer uses a private CA.              |

The customer is responsible for creating the database, granting the appliance role the privileges it needs, and applying any schema migrations your application requires.

## What changes in the deployment stack

When customer-provided PostgreSQL is selected, the compiler:

* Drops the default-shipped PostgreSQL instance from the deployment stack (no RDS instance, no managed-instance provisioning, no automated backups).
* Wires the appliance's services to the customer's hostname and database.
* Injects the customer's credentials as secrets the services read at startup.

Your application code does not change. The connection string changes; the SQL the application emits does not.

## What the customer takes on

When your customer brings their own PostgreSQL, they own:

* Provisioning, instance sizing, and capacity planning.
* Backup, retention, and restore. Point-in-time recovery is the customer's PostgreSQL provider's feature, not Tensor9's.
* Patching and version upgrades. The customer's PostgreSQL major version must remain compatible with your application's requirements.
* High availability, read-replica topology, and failover.
* Connection pooling, if the appliance's connection count exceeds what the customer's deployment can handle directly.
* Monitoring, alerting, and incident response for the PostgreSQL instance itself.

## What stays your responsibility

* All application-level database concerns: schema design, query performance, application-managed migrations, data correctness.
* Your services continue to be observable through Tensor9's normal mechanisms (logs, metrics, traces) even though the database isn't.
* [Operations](/fundamentals/operations) commands that operate on the appliance's services still work normally. Operations commands cannot reach into your customer's PostgreSQL.

## Authentication and rotation

The username and password (or IAM role / managed-identity reference) are stored as [Customer-Supplied Secrets](/fundamentals/secrets#secret-ownership-models) - Tensor9 has no visibility into the underlying value. The appliance reads them at startup and on connection-pool establishment.

Two rotation paths:

* **Static password**: rotate the password in the customer's secret store and restart the affected services so they reconnect with the new credential.
* **IAM-backed auth** (RDS IAM, Cloud SQL IAM): the appliance assumes the customer-supplied IAM role at runtime and the underlying STS token is refreshed automatically (15-minute TTL on AWS). The customer rotates the role / policy, not the credential.

## Where this fits

This page is one of the services covered by [Customer-Provided Services](/customizations/customer-provided-services). For automatic cross-cloud substitution (RDS → Cloud SQL based on form factor), see [Service equivalents](/fundamentals/service-equivalents).
