To enable Active Directory integration, you must have the following:
An AlloyDB Omni cluster deployed in a Kubernetes environment
An Active Directory server keytab
Migrate from AlloyDB Omni Kubernetes operator 1.4.0 to 1.5.0
If you're using Active Directory Integration in AlloyDB Omni operator
version 1.4.0 or earlier, you must migrate to AlloyDB Omni operator
version 1.5.0.
To migrate to AlloyDB Omni operator version 1.5.0, follow these steps:
Create a new UserDefinedAuthentication resource manifest.
Populatespec.dbclusterRefwith the target DBCluster name.
Populatespec.keytabSecretRefwith the name of the keytab secret.
Copy the existingpg_hba.confrules that are relevant to the Active Directory
and Kerberos authentication into thespec.pgHbaEntriesfield.
Copy the existingpg_ident.conf rules(if any) into thespec.pgIdentEntriesfield.
Apply this new manifest, for example,kubectl apply -f user-auth-crd.yaml.
Remove the Preview Configuration & Redeploy Cluster.
In the DBCluster resource definition, remove all annotations that you
previously used to configure Active Directory integration, for example,
host based authentication (HBA) rules, ident rules, and keytab file annotation.
Delete thepg_hbaandpg_identconfig maps that you created.
USER_DEFINED_AUTHENTICATION_NAME: the name of the
UserDefinedConfiguration, for example,DB_CLUSTER_NAME-ad-auth.
DB_CLUSTER_NAMESPACE: the Kubernetes namespace for this backup plan.
The namespace must match the namespace of the database cluster.
DB_CLUSTER_NAME: the name of your database cluster, which you
assigned when youcreated it.
KEYTAB_SECRET_NAME: the name of the keytab that you created.
PG_HBA_ENTRIES:pg_hba.confentries as a string list. These entries
overwrite the default entries inpg_hba.conf. If you add an invalid
configuration, users can't sign in.
In the preceding example, you added entries for GSS-based authentication
followed by password-based authentication. This means that the user is
signed in using the GSS API. If this signin approach fails, then
password-based authentication is used as a fallback.
PG_IDENT_ENTRIES:pg_ident.confentries as a string list. To implement
username mapping, specifymap=in the options field in thepg_hba.conffile. For more information, seeIdent Maps.
See the following example:
apiVersion:v1kind:Secretmetadata:name:db-keytab-dbcluster-sampletype:Opaquedata:krb5.keytab:|DUMMY_KEYTAB---apiVersion:alloydbomni.dbadmin.goog/v1kind:UserDefinedAuthenticationmetadata:name:dbcluster-sample-ad-authspec:dbclusterRef:name:dbcluster-samplekeytabSecretRef:name:db-keytab-dbcluster-samplepgHbaEntries:-hostgssenc all all 0.0.0.0/0 gss-hostgssenc all all ::1/128 gss-hostssl all all 0.0.0.0/0 scram-sha-256-hostssl all all ::/0 scram-sha-256pgIdentEntries:-usermap active_directory_user postgres_user
Create database roles as an Active Directory user
Create a role in your database that matches the Active Directory user.
To create a role for your Active Directory user,connect to the clusterand run the following commands:
username=# CREATE ROLE "USERNAME@REALM" WITH LOGIN;
Sign into the database using the Active Directory user. You must havekinitenabled in the client where you are connecting. In this example, thepostgres-clientpod has kinit and psql installed and is configured to
connect to the AlloyDB Omni cluster using psql client.
kubectl exec -it postgres-client -nDB_CLUSTER_NAMESPACE-- bash
root:/# kinitUSERNAMEPassword forUSERNAME@REALM:
root:/# psql -hHOSTNAME-dDB_NAME-UUSERNAME@REALMpsql (16.6 (Ubuntu 16.6-0ubuntu0.24.04.1), server 16.3)
GSSAPI-encrypted connection
Type "help" for help.
Run SQL queries.
username=#select*fromTABLE_NAME;
Disable Active Directory authentication
To disable Active Directory authentication, run the following Helm command:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-08 UTC."],[],[],null,["Select a documentation version: 16.8.0keyboard_arrow_down\n\n- [Current (16.8.0)](/alloydb/omni/current/docs/integrate-active-directory-kubernetes-operator)\n- [16.8.0](/alloydb/omni/16.8.0/docs/integrate-active-directory-kubernetes-operator)\n- [16.3.0](/alloydb/omni/16.3.0/docs/integrate-active-directory-kubernetes-operator)\n\n\u003cbr /\u003e\n\nThis document describes how to enable [Active Directory](https://en.wikipedia.org/wiki/Active_Directory) integration on your Kubernetes-based AlloyDB Omni database cluster so that you can allow your existing Active Directory-based users to access your AlloyDB Omni database. Active Directory integration provides authorization using GSSAPI for users authenticated using the Kerberos mechanism to access AlloyDB Omni.\n\n\u003cbr /\u003e\n\nFor more information, see [Active Directory overview](/alloydb/omni/16.8.0/docs/active-directory-overview).\n| **Note:** Active Directory integration is only available in AlloyDB Omni version 16.3.0 and higher.\n\nThis document assumes that you're familiar with\n[applying Kubernetes manifest files](https://kubernetes.io/docs/concepts/overview/working-with-objects/)\nand using the kubectl command-line tool. For more information, see\n[Command line tool (kubectl)](https://kubernetes.io/docs/reference/kubectl/).\n\nBefore you begin\n\nTo enable Active Directory integration, you must have the following:\n\n- An AlloyDB Omni cluster deployed in a Kubernetes environment\n- An Active Directory server keytab\n\nMigrate from AlloyDB Omni Kubernetes operator 1.4.0 to 1.5.0\n\nIf you're using Active Directory Integration in AlloyDB Omni operator\nversion 1.4.0 or earlier, you must migrate to AlloyDB Omni operator\nversion 1.5.0.\n\nTo migrate to AlloyDB Omni operator version 1.5.0, follow these steps:\n\n1. [Upgrade the AlloyDB Omni operator to version 1.5.0](/alloydb/omni/16.8.0/docs/upgrade-kubernetes-operator-version).\n2. Create a user defined authentication resource.\n 1. Create a new UserDefinedAuthentication resource manifest.\n 2. Populate `spec.dbclusterRef` with the target DBCluster name.\n 3. Populate `spec.keytabSecretRef` with the name of the keytab secret.\n 4. Copy the existing `pg_hba.conf` rules that are relevant to the Active Directory and Kerberos authentication into the `spec.pgHbaEntries` field.\n 5. Copy the existing `pg_ident.conf rules` (if any) into the `spec.pgIdentEntries` field.\n 6. Apply this new manifest, for example, `kubectl apply -f user-auth-crd.yaml`.\n3. Remove the Preview Configuration \\& Redeploy Cluster.\n 1. In the DBCluster resource definition, remove all annotations that you previously used to configure Active Directory integration, for example, host based authentication (HBA) rules, ident rules, and keytab file annotation.\n 2. Delete the `pg_hba` and `pg_ident` config maps that you created.\n 3. Re-apply the updated DBCluster manifest.\n\nConfigure Active Directory support\n\n1. Create and apply a secret with the keytab:\n\n apiVersion: v1\n kind: Secret\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eKEYTAB_SECRET_NAME\u003c/span\u003e\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDB_CLUSTER_NAMESPACE\u003c/span\u003e\u003c/var\u003e\n type: Opaque\n data:\n krb5.keytab: |\n \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-no\"\u003eKEYTAB_FILE_CONTENT\u003c/span\u003e\u003c/var\u003e\n\n The following is an example command that generates a keytab on on the Active\n Directory server: \n\n ```\n ktpass /princ postgres/DBCLUSTER_HOST@REALM /Pass PASSWORD /mapuser postgres /crypto ALL /ptype KRB5_NT_Principal /out OUTPUT_PATH\n ```\n\n \u003cvar translate=\"no\"\u003eALLOYDB_HOST\u003c/var\u003e is the host which points to the DBCluster or the\n DBCluster IP Address.\n | **Note:** To obtain the base64-encoded keytab, use a command like the following: `cat postgres.keytab | base64`.\n2. Apply the following user defined authentication custom resource manifest:\n\n apiVersion: alloydbomni.dbadmin.goog/v1\n kind: UserDefinedAuthentication\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eUSER_DEFINED_AUTHENTICATION_NAME\u003c/span\u003e\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDB_CLUSTER_NAMESPACE\u003c/span\u003e\u003c/var\u003e\n spec:\n dbclusterRef:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDB_CLUSTER_NAME\u003c/span\u003e\u003c/var\u003e\n keytabSecretRef:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eKEYTAB_SECRET_NAME\u003c/span\u003e\u003c/var\u003e\n pgHbaEntries:\n \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003ePG_HBA_ENTRIES\u003c/span\u003e\u003c/var\u003e\n pgIdentEntries:\n \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003ePG_IDENT_ENTRIES\u003c/span\u003e\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eUSER_DEFINED_AUTHENTICATION_NAME\u003c/var\u003e: the name of the UserDefinedConfiguration, for example, \u003cvar translate=\"no\"\u003eDB_CLUSTER_NAME\u003c/var\u003e`-ad-auth`.\n - \u003cvar translate=\"no\"\u003eDB_CLUSTER_NAMESPACE\u003c/var\u003e: the Kubernetes namespace for this backup plan. The namespace must match the namespace of the database cluster.\n - \u003cvar translate=\"no\"\u003eDB_CLUSTER_NAME\u003c/var\u003e: the name of your database cluster, which you assigned when you [created it](/alloydb/omni/16.8.0/docs/deploy-kubernetes#create).\n - \u003cvar translate=\"no\"\u003eKEYTAB_SECRET_NAME\u003c/var\u003e: the name of the keytab that you created.\n - \u003cvar translate=\"no\"\u003ePG_HBA_ENTRIES\u003c/var\u003e: `pg_hba.conf` entries as a string list. These entries\n overwrite the default entries in `pg_hba.conf`. If you add an invalid\n configuration, users can't sign in.\n\n In the preceding example, you added entries for GSS-based authentication\n followed by password-based authentication. This means that the user is\n signed in using the GSS API. If this signin approach fails, then\n password-based authentication is used as a fallback.\n\n For more information, see\n [The pg_hba.conf File](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html).\n - \u003cvar translate=\"no\"\u003ePG_IDENT_ENTRIES\u003c/var\u003e: `pg_ident.conf` entries as a string list. To implement\n username mapping, specify `map=` in the options field in the\n `pg_hba.conf` file. For more information, see\n [Ident Maps](https://www.postgresql.org/docs/8.0/auth-methods.html#:%7E:text=19.2.4.3.%20Ident%20Maps).\n\n See the following example: \n\n apiVersion: v1\n kind: Secret\n metadata:\n name: db-keytab-dbcluster-sample\n type: Opaque\n data:\n krb5.keytab: |\n DUMMY_KEYTAB\n ---\n apiVersion: alloydbomni.dbadmin.goog/v1\n kind: UserDefinedAuthentication\n metadata:\n name: dbcluster-sample-ad-auth\n spec:\n dbclusterRef:\n name: dbcluster-sample\n keytabSecretRef:\n name: db-keytab-dbcluster-sample\n pgHbaEntries:\n - hostgssenc all all 0.0.0.0/0 gss\n - hostgssenc all all ::1/128 gss\n - hostssl all all 0.0.0.0/0 scram-sha-256\n - hostssl all all ::/0 scram-sha-256\n pgIdentEntries:\n - usermap active_directory_user postgres_user\n\nCreate database roles as an Active Directory user\n\n1. Create a role in your database that matches the Active Directory user.\n To create a role for your Active Directory user, [connect to the cluster](/alloydb/omni/16.8.0/docs/run-connect) and run the following commands:\n\n ```\n username=# CREATE ROLE \"USERNAME@REALM\" WITH LOGIN;\n ```\n2. Sign into the database using the Active Directory user. You must have `kinit`\n enabled in the client where you are connecting. In this example, the\n `postgres-client` pod has kinit and psql installed and is configured to\n connect to the AlloyDB Omni cluster using psql client.\n\n ```\n kubectl exec -it postgres-client -n DB_CLUSTER_NAMESPACE -- bash\n root:/# kinit USERNAME\n Password for USERNAME@REALM:\n\n root:/# psql -h HOSTNAME -d DB_NAME -U USERNAME@REALM\n psql (16.6 (Ubuntu 16.6-0ubuntu0.24.04.1), server 16.3)\n GSSAPI-encrypted connection\n Type \"help\" for help.\n ```\n3. Run SQL queries.\n\n username=# select * from \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-k\"\u003eTABLE_NAME\u003c/span\u003e\u003c/var\u003e;\n\nDisable Active Directory authentication\n\nTo disable Active Directory authentication, run the following Helm command: \n\n```\nhelm upgrade alloydbomni-operator PATH_TO_CHART -n alloydb-omni-system --set userDefinedAuthentication.enabled=false\n```\n\nThe command returns the following output: \n\n```\nRelease \"alloydbomni-operator\" has been upgraded. Happy Helming!\nNAME: alloydbomni-operator\nLAST DEPLOYED: CURRENT_TIMESTAMP\nNAMESPACE: alloydb-omni-system\nSTATUS: deployed\nREVISION: 2\nTEST SUITE: None\n```\n| **Note:** When you enable Active Directory authentication, the authentication modifies the `pg_hba.conf` file, which remains in that modified state until restart. When this happens, trigger a restart of the pods to reset `pg_hba.conf`. You must trigger a restart because when you disables User Defined Authentication, the entries in `pg_hba.conf` aren't reset to the default ones until the pod restarts.\n\nWhat's next\n\n- [Integrate Active Directory group support on Kubernetes](/alloydb/omni/16.8.0/docs/integrate-ad-group-support-kubernetes-operator).\n- [Troubleshoot Active Directory integration in AlloyDB Omni](/alloydb/omni/16.8.0/docs/troubleshoot-active-directory-integration)."]]
