PAM DB
Privileged Access Management for just-in-time database access via Slack
PAM DB (Privileged Access Management for Database) is a just-in-time (JIT) database access system that grants engineers temporary read-only access to production databases via Slack commands.
ArgoCD Resource
| Property | Value |
|---|---|
| Kind | Application |
| Name | pamdb |
| Namespace | argocd |
| Destination Namespace | pam-system |
| Project | infra-services |
| Source Type | Kustomize |
| File Path | k8s/infra-services/argocd/overlays/infra-platform-cluster/apps/pamdb.yaml |
Application Definition
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: pamdb
  labels:
    cluster: 'infra-platform-mgmt'
    environment: 'prod'
  finalizers:
    - resources-finalizer.argocd.argoproj.io
  annotations:
    notifications.argoproj.io/subscribe.on-app-synced.slack: platform-infra-notifications
    notifications.argoproj.io/subscribe.on-app-outofsync.slack: platform-infra-notifications
    notifications.argoproj.io/subscribe.on-app-sync-failed.slack: platform-infra-notifications
    notifications.argoproj.io/subscribe.on-app-degraded.slack: platform-infra-notifications
spec:
  syncPolicy:
    automated:
      prune: true
  destination:
    namespace: pam-system
    server: https://kubernetes.default.svc
  project: infra-services
  source:
    path: k8s/infra-services/pamdb/deployments/k8s
    repoURL: https://github.com/Titanbay/infra-services
    targetRevision: 'chore/slack-db-pam'
```
Note
This Application currently tracks a feature branch (chore/slack-db-pam); once merged, it will track main. Because syncPolicy.automated is on with prune: true and the target cluster is labelled environment: prod, every push to that branch is applied to pam-system immediately and anything removed from the branch is deleted from the cluster, so the branch needs the same review discipline as main until the switch is made.
Manifest Organisation
The PAM DB manifests are located in the service’s deployment directory:
```text
k8s/infra-services/pamdb/
├── cmd/                          # Go source code
│   ├── webhook/main.go           # HTTP server & Slack handler
│   └── cleanup/main.go           # Cleanup job for expired roles
├── pkg/                          # Shared Go packages
├── deployments/
│   ├── docker/Dockerfile         # Container image
│   └── k8s/                      # Kubernetes manifests (ArgoCD source)
│       ├── kustomization.yaml    # Kustomization with labels
│       ├── namespace.yaml        # pam-system namespace
│       ├── serviceaccount.yaml   # Service account
│       ├── secretstore.yaml      # GCP Secret Manager store
│       ├── configmap.yaml        # Whitelist configuration
│       ├── secret.yaml           # ExternalSecret for credentials
│       ├── deployment.yaml       # Webhook server deployment
│       ├── service.yaml          # ClusterIP service
│       └── cronjob.yaml          # Cleanup job for expired access
└── configs/whitelist.txt         # Authorised email addresses
```
Key Components
| Resource | Purpose |
|---|---|
| Deployment | Go webhook server handling Slack /pamdb commands |
| CronJob | Revokes expired database roles automatically |
| ConfigMap | Whitelist of authorised email addresses |
| ExternalSecret | Database and Slack credentials |
| SecretStore | GCP Secret Manager integration |
Features
- Slack Integration: request access via the `/pamdb` slash command
- Whitelist Control: only pre-approved emails can request access
- Time-Limited Access: automatically expires after 4 hours (configurable)
- Read-Only Grants: SELECT-only permissions on all tables
- Automatic Cleanup: the CronJob revokes expired access
- Cloud SQL Connector: native Go library for secure Cloud SQL connections
How to Update
Modifying Configuration
- Edit the appropriate file in `k8s/infra-services/pamdb/deployments/k8s/`
- Commit and push to the tracked branch
- ArgoCD auto-syncs the changes
Updating the Whitelist
- Edit `deployments/k8s/configmap.yaml` to add or remove authorised emails
- Commit and push
- The service can reload the whitelist without a restart via `POST /reload`
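The whitelist check, the SELECT-only grant and the cleanup revocation described under Features and Updating the Whitelist, as an added example in Go. This is not code from the pamdb repository: it assumes a PostgreSQL Cloud SQL instance, the `public` schema, a one-email-per-line `whitelist.txt` with `#` comments, and a `pam_<email>_<expiry>` role-naming scheme; the sample whitelist content is constructed. Two points it makes that the list does not: `CREATE ROLE` takes no bind parameters, so the identifier must be sanitised and quoted, and `VALID UNTIL` only blocks new logins, so the cleanup job must terminate open sessions before dropping the role.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Whitelist is the authorised-email set. Reload swaps it whole under a lock,
// so a POST /reload never exposes a half-parsed list to in-flight requests.
type Whitelist struct {
	mu     sync.RWMutex
	emails map[string]struct{}
}

// ParseWhitelist reads one email per line (assumed whitelist.txt format),
// skipping blanks and '#' comments and lower-casing so case cannot bypass it.
func ParseWhitelist(content string) map[string]struct{} {
	set := make(map[string]struct{})
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		if line := strings.TrimSpace(sc.Text()); line != "" && !strings.HasPrefix(line, "#") {
			set[strings.ToLower(line)] = struct{}{}
		}
	}
	return set
}

func (w *Whitelist) Reload(content string) {
	set := ParseWhitelist(content)
	w.mu.Lock()
	w.emails = set
	w.mu.Unlock()
}

func (w *Whitelist) Allowed(email string) bool {
	w.mu.RLock()
	defer w.mu.RUnlock()
	_, ok := w.emails[strings.ToLower(strings.TrimSpace(email))]
	return ok
}

type Grant struct {
	Role      string
	ExpiresAt time.Time
}

// RoleName keeps only [a-z0-9] from the email and appends the expiry epoch,
// so repeat requests by one user produce distinct, identifier-safe names.
func RoleName(email string, expires time.Time) string {
	safe := strings.Map(func(r rune) rune {
		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') {
			return r
		}
		return '_'
	}, strings.ToLower(email))
	return fmt.Sprintf("pam_%s_%d", safe, expires.Unix())
}

func quoteIdent(s string) string   { return `"` + strings.ReplaceAll(s, `"`, `""`) + `"` }
func quoteLiteral(s string) string { return `'` + strings.ReplaceAll(s, `'`, `''`) + `'` }

// GrantStatements builds the SQL for a SELECT-only role that can log in only
// until now+ttl. PostgreSQL and the "public" schema are assumptions here.
func GrantStatements(email string, ttl time.Duration, now time.Time) (Grant, []string, error) {
	expires := now.Add(ttl).UTC()
	role := RoleName(email, expires)
	pw := make([]byte, 24)
	if _, err := rand.Read(pw); err != nil {
		return Grant{}, nil, err
	}
	r := quoteIdent(role)
	return Grant{Role: role, ExpiresAt: expires}, []string{
		fmt.Sprintf("CREATE ROLE %s WITH LOGIN PASSWORD %s VALID UNTIL %s",
			r, quoteLiteral(fmt.Sprintf("%x", pw)), quoteLiteral(expires.Format(time.RFC3339))),
		"GRANT USAGE ON SCHEMA public TO " + r,
		"GRANT SELECT ON ALL TABLES IN SCHEMA public TO " + r,
	}, nil
}

// RevokeStatements is what the cleanup CronJob runs once now >= ExpiresAt. VALID UNTIL
// only blocks new logins, so open sessions are killed first; DROP OWNED BY strips the grants.
func RevokeStatements(g Grant) []string {
	r := quoteIdent(g.Role)
	return []string{
		"SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE usename = " + quoteLiteral(g.Role),
		"DROP OWNED BY " + r,
		"DROP ROLE IF EXISTS " + r,
	}
}

func main() {
	wl := &Whitelist{}
	wl.Reload("# constructed sample\nalice@example.com\n")
	g, stmts, _ := GrantStatements("alice@example.com", 4*time.Hour, time.Now())
	fmt.Println(wl.Allowed("Alice@example.com"), g.Role, stmts[2])
}
```

`GRANT SELECT ON ALL TABLES` covers tables that exist at grant time only; tables created later in the window are not visible to the role unless default privileges are also set, which matches the "all tables" wording on this page but is worth knowing when a schema migration lands mid-session.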
Updating the Application
- Modify the Go source code in `cmd/` or `pkg/`
- Build and push a new container image
- Update the image tag in `deployments/k8s/deployment.yaml`
- Commit and push
Secrets Management
PAM DB credentials are managed via External Secrets:
| Secret | Purpose |
|---|---|
| `SLACK_SIGNING_SECRET` | Slack request verification |
| `SLACK_BOT_TOKEN` | Slack API access |
| `DB_ADMIN_USER` | Database admin username |
| `DB_ADMIN_PASSWORD` | Database admin password |
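What "Slack request verification" with `SLACK_SIGNING_SECRET` has to do, as an added Go example rather than the webhook's own handler. Slack signs each slash-command request as `v0=` plus hex(HMAC-SHA256(signing secret, `v0:<timestamp>:<raw body>`)) and sends it in `X-Slack-Signature` with `X-Slack-Request-Timestamp`; the 5-minute replay window, the 64 KiB body cap, the handler path and the secret value below are this example's assumptions, and the request body is constructed. The middleware reads the raw body before anything calls `ParseForm`, because the signature is over the exact bytes received.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
	"net/http"
	"strconv"
	"time"
)

// MaxSkew bounds how old a signed request may be; the signature alone does not
// stop a captured /pamdb request from being replayed later.
const MaxSkew = 5 * time.Minute

// ComputeSignature reproduces Slack's scheme: "v0=" + hex(HMAC-SHA256(secret,
// "v0:" + timestamp + ":" + rawBody)). rawBody must be the exact bytes received.
func ComputeSignature(secret, timestamp, rawBody string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte("v0:" + timestamp + ":" + rawBody))
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySlackRequest checks freshness first, then compares signatures in
// constant time so a mismatch position cannot be measured.
func VerifySlackRequest(secret, timestamp, signature, rawBody string, now time.Time) error {
	ts, err := strconv.ParseInt(timestamp, 10, 64)
	if err != nil {
		return errors.New("missing or malformed X-Slack-Request-Timestamp")
	}
	if age := now.Sub(time.Unix(ts, 0)); age > MaxSkew || age < -MaxSkew {
		return errors.New("request timestamp outside the replay window")
	}
	if !hmac.Equal([]byte(ComputeSignature(secret, timestamp, rawBody)), []byte(signature)) {
		return errors.New("X-Slack-Signature does not match")
	}
	return nil
}

// RequireSlackSignature wraps the /pamdb handler. It reads the raw body before
// anything calls ParseForm (which would consume it), verifies, and then hands
// the same bytes on so the handler can parse the form normally.
func RequireSlackSignature(secret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 64<<10))
		if err != nil {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err := VerifySlackRequest(secret, r.Header.Get("X-Slack-Request-Timestamp"),
			r.Header.Get("X-Slack-Signature"), string(body), time.Now()); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body))
		next.ServeHTTP(w, r)
	})
}

func main() {
	secret := "constructed-signing-secret" // stand-in for SLACK_SIGNING_SECRET
	body := "command=%2Fpamdb&text=request&user_id=U0000000" // constructed slash-command body
	ts := strconv.FormatInt(time.Now().Unix(), 10)
	sig := ComputeSignature(secret, ts, body)
	if err := VerifySlackRequest(secret, ts, sig, body, time.Now()); err != nil {
		panic(err)
	}
	// Tampered body: the same signature must no longer verify.
	if VerifySlackRequest(secret, ts, sig, body+"&text=admin", time.Now()) == nil {
		panic("tampered request accepted")
	}
}
```

Signature verification establishes that Slack sent the request, not who the requester is; the whitelist decision still has to be made on an identity Slack asserts in the signed body (the user ID) and resolved to an email via the Slack API with the bot token, never on a free-text email the user typed into the command.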
Notifications
The Application sends Slack notifications to #platform-infra-notifications for:
- Sync success
- Out of sync detection
- Sync failures
- Degraded health