Documentationbreadcrumb arrow Grafana documentationbreadcrumb arrow Data sourcesbreadcrumb arrow PostgreSQLbreadcrumb arrow Configure
Grafana Cloud Enterprise Open source RSS
Last reviewed: May 4, 2026

Configure the PostgreSQL data source

This document explains how to configure the PostgreSQL data source and lists all configuration options. For general information on managing data sources, refer to Data source management.

Before you begin

  • You need the Organization administrator role to configure the data source. You can also configure it via YAML using Grafana provisioning or using Terraform.

  • Grafana includes a built-in PostgreSQL data source; no plugin installation is required.

  • Have your PostgreSQL security details ready (certificates and client keys, if using TLS/SSL).

  • Note your PostgreSQL version; you’ll be prompted for it during configuration.

Note

When adding a data source, the database user you specify should have only SELECT permissions on the relevant schemas and tables. Grafana does not validate the safety of queries, so users could run potentially harmful SQL (for example, DROP TABLE). Create a dedicated PostgreSQL user with restricted permissions to limit risk.

Example:

SQL 
CREATE USER grafanareader WITH PASSWORD 'password';
GRANT USAGE ON SCHEMA schema TO grafanareader;
GRANT SELECT ON schema.table TO grafanareader;

Replace schema and table with your schema and table names.

Add the PostgreSQL data source

Complete the following steps to set up a new PostgreSQL data source:

  1. Click Connections in the left-side menu.
  2. Click Add new connection.
  3. Type PostgreSQL in the search bar.
  4. Select the PostgreSQL data source.
  5. Click Add new data source in the upper right.

You are taken to the Settings tab where you will configure the data source.

PostgreSQL configuration options

Following is a list of PostgreSQL configuration options:

SettingDescription
NameSets the name you use to refer to the data source in panels and queries. Examples: PostgreSQL-DB-1.
DefaultToggle to set this specific PostgreSQL data source as the default pre-selected data source in panels and visualizations.

Connection section:

Note

Grafana Cloud users: Grafana Cloud can’t reach databases on localhost, 127.0.0.1, or private IP ranges (10.x, 172.16.x, 192.168.x) directly. If your PostgreSQL instance isn’t publicly accessible, you must set up Private data source connect (PDC) to establish a secure tunnel between Grafana Cloud and your private network. If you experience intermittent connection drops with the Docker-based PDC agent, try switching to the binary-based agent instead.

If your database is publicly accessible but protected by a firewall, you must allowlist the Grafana Cloud outbound IP addresses. Grafana Cloud doesn’t provide per-stack static IP addresses—only service-level IP ranges. For the current list of outbound IP addresses, refer to Allow Grafana Cloud IP addresses in a firewall.

SettingDescription
Host URLThe IP address/hostname and optional port of your PostgreSQL instance. The default PostgreSQL port is 5432. For IPv6 addresses, use the format [::1]:5432. To connect through a Unix socket, enter the socket directory path (for example, /var/run/postgresql).
Database nameThe name of your PostgreSQL database. This database is used as the default for queries in the query editor.

Authentication section:

SettingDescription
UsernameEnter the username used to connect to your PostgreSQL database.
PasswordEnter the password used to connect to the PostgreSQL database. This field is optional. If left empty, the PostgreSQL client driver resolves the password using the standard PostgreSQL password file (.pgpass). To use a non-default password file location, set the PGPASSFILE environment variable in the Grafana server process.
TLS/SSL ModeDetermines whether and how a secure TLS/SSL connection is negotiated with the server. Refer to the TLS/SSL mode reference for guidance on each mode. When set to disable, the TLS/SSL Method and Auth Details options aren’t visible.
TLS/SSL MethodDetermines how TLS/SSL certificates are configured.
- File system pathThis option allows you to configure certificates by specifying paths to existing certificates on the local file system where Grafana is running. Ensure this file is readable by the user executing the Grafana process.
- Certificate contentThis option allows you to configure certificates by specifying their content. The content is stored and encrypted in the Grafana database. When connecting to the database, the certificates are saved as files, on the local filesystem, in the Grafana data path.

TLS/SSL mode reference

Choose the TLS/SSL mode based on your security requirements and where your database is hosted:

ModeEncryptionServer identity verifiedWhen to use
disableNoNoLocal development or trusted private networks only. Don’t use in production.
requireYesNoRecommended minimum for cloud-hosted databases such as Amazon RDS, Azure Database for PostgreSQL, and Google Cloud SQL. Encrypts the connection but doesn’t verify the server’s certificate.
verify-caYesCA onlyUse when you need to confirm the server certificate is signed by a trusted CA but don’t need to verify the hostname.
verify-fullYesCA + hostnameMost secure option. Verifies both the CA and that the server hostname matches the certificate. Recommended for production when you control the certificates.

Note

Most cloud-hosted PostgreSQL services (Amazon RDS, Azure Database for PostgreSQL, Google Cloud SQL) require at minimum require mode. If you leave TLS/SSL Mode set to disable, the connection may be rejected by the server. Check your cloud provider’s documentation for the recommended sslmode setting.

TLS/SSL Auth Details:

If you select the TLS/SSL Mode options require, verify-ca or verify-full and file system path the following are required:

SettingDescription
TLS/SSL Root CertificateSpecify the path to the root certificate file.
TLS/SSL Client CertificateSpecify the path to the client certificate and ensure the file is accessible to the user running the Grafana process.
TLS/SSL Client KeySpecify the path to the client key file and ensure the file is accessible to the user running the Grafana process.

If you select the TLS/SSL Mode option require and TLS/SSL Method certificate content the following are required:

SettingDescription
TLS/SSL Client CertificateProvide the client certificate.
TLS/SSL Client KeyProvide the client key.

If you select the TLS/SSL Mode options verify-ca or verify-full with the TLS/SSL Method certificate content the following are required:

SettingDescription
TLS/SSL Client CertificateProvide the client certificate.
TLS/SSL Root CertificateProvide the root certificate.
TLS/SSL Client KeyProvide the client key.

PostgreSQL Options:

SettingDescription
VersionThe PostgreSQL server version. Determines which functions are available in the query builder. The default is 9.3. When you save the data source, Grafana auto-detects the server version and updates this field if it can connect successfully.
Min time intervalDefines a lower limit for the auto group by time interval. Grafana recommends aligning this setting with the data write frequency. For example, set it to 1m if your data is written every minute. Refer to Min time interval for format examples.
TimescaleDBA time-series database built as a PostgreSQL extension. When enabled, Grafana uses time_bucket in the $__timeGroup macro and displays TimescaleDB-specific aggregate functions in the query builder. Grafana auto-detects TimescaleDB on save if your server is version 9.6 or later and the extension is installed. For more information, refer to TimescaleDB documentation.

Connection limits:

These settings control how Grafana manages connections to your PostgreSQL server. Tune these values if you share the database with other applications or use connection pooling software such as PgBouncer.

SettingDescription
Max openThe maximum number of open connections to the database. The default is 100. Reduce this if your PostgreSQL server has a low max_connections limit or if multiple Grafana instances connect to the same database.
Auto max idleToggle to set the maximum number of idle connections to the number of maximum open connections. This setting is toggled on by default.
Max idleThe maximum number of connections in the idle connection pool. The default is 100. When using PgBouncer or similar connection pooling software, consider lowering this to avoid holding unnecessary connections.
Max lifetimeThe maximum amount of time in seconds a connection may be reused. The default is 14400 (4 hours). Set a lower value if your network or security policy requires periodic reconnection.

Private data source connect:

SettingDescription
Private data source connectOnly for Grafana Cloud users. Private data source connect, or PDC, allows you to establish a private, secured connection between a Grafana Cloud instance, or stack, and data sources secured within a private network. Click the drop-down to locate the URL for PDC. For more information, refer to Private data source connect (PDC).

Click Manage private data source connect to be taken to your PDC connection page, where you’ll find your PDC configuration details.

Secure SOCKS proxy:

If your Grafana instance has the Secure SOCKS proxy feature enabled, a toggle appears in the data source settings. When enabled, Grafana routes PostgreSQL connections through a SOCKS proxy for secure access to databases in private networks. For more information, refer to Configure a Secure SOCKS5 proxy.

After you have added your PostgreSQL connection settings, click Save & test to test and save the data source connection.

Min time interval

The Min time interval setting defines a lower limit for the $__interval and $__interval_ms variables.

This option can also be configured or overridden in the dashboard panel under the data source settings.

This value must be formatted as a number followed by a valid time identifier:

IdentifierDescription
yyear
Mmonth
wweek
dday
hhour
mminute
ssecond
msmillisecond

Provision the data source

You can define and configure the data source in YAML files with provisioning. For more information about provisioning and available configuration options, refer to Provision Grafana.

Basic provisioning example

The following example provisions a PostgreSQL data source with password authentication and SSL disabled:

YAML 
apiVersion: 1

datasources:
  - name: Postgres
    type: postgres
    url: localhost:5432
    user: grafana
    secureJsonData:
      password: 'Password!'
    jsonData:
      database: grafana
      sslmode: 'disable' # disable/require/verify-ca/verify-full
      maxOpenConns: 100
      maxIdleConns: 100
      maxIdleConnsAuto: true
      connMaxLifetime: 14400
      postgresVersion: 903 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10
      timescaledb: false

Provisioning with TLS

The following example provisions a PostgreSQL data source with verify-full TLS mode using file system paths for certificates:

YAML 
apiVersion: 1

datasources:
  - name: Postgres-TLS
    type: postgres
    url: db.example.com:5432
    user: grafana
    secureJsonData:
      password: '<PASSWORD>'
    jsonData:
      database: grafana
      sslmode: 'verify-full'
      tlsConfigurationMethod: 'file-path'
      sslRootCertFile: '/etc/grafana/certs/root.crt'
      sslCertFile: '/etc/grafana/certs/client.crt'
      sslKeyFile: '/etc/grafana/certs/client.key'

Replace <PASSWORD> with your database password and update the certificate paths to match your environment.

Provisioning with TimescaleDB

The following example enables TimescaleDB support:

YAML 
apiVersion: 1

datasources:
  - name: Postgres-TimescaleDB
    type: postgres
    url: timescale.example.com:5432
    user: grafana
    secureJsonData:
      password: '<PASSWORD>'
    jsonData:
      database: metrics
      sslmode: 'require'
      postgresVersion: 1000
      timescaledb: true

Replace <PASSWORD> with your database password.

Provisioning with a Unix socket

The following example connects through a Unix socket instead of TCP:

YAML 
apiVersion: 1

datasources:
  - name: Postgres-Socket
    type: postgres
    url: /var/run/postgresql
    user: grafana
    secureJsonData:
      password: '<PASSWORD>'
    jsonData:
      database: grafana
      sslmode: 'disable'

Replace <PASSWORD> with your database password. When using a Unix socket, set url to the socket directory path. Don’t include a port number.

Provisioning with environment variables

You can use the $__env{} syntax to reference environment variables in provisioning files. This avoids storing credentials in plain text YAML:

YAML 
apiVersion: 1

datasources:
  - name: Postgres
    type: postgres
    url: $__env{PG_HOST}:$__env{PG_PORT}
    user: $__env{PG_USER}
    secureJsonData:
      password: $__env{PG_PASSWORD}
    jsonData:
      database: $__env{PG_DATABASE}
      sslmode: 'require'

Provisioning configuration reference

The following table lists all jsonData and secureJsonData fields supported when provisioning the PostgreSQL data source:

FieldLocationDescription
databasejsonDataThe database name.
sslmodejsonDataTLS/SSL mode: disable, require, verify-ca, or verify-full.
maxOpenConnsjsonDataMaximum open connections. Default: 100.
maxIdleConnsjsonDataMaximum idle connections. Default: 100.
maxIdleConnsAutojsonDataSet max idle to max open automatically. Default: true.
connMaxLifetimejsonDataConnection max lifetime in seconds. Default: 14400.
postgresVersionjsonDataServer version code: 903 (9.3), 904 (9.4), 905 (9.5), 906 (9.6), 1000 (10+).
timescaledbjsonDataEnable TimescaleDB support. Default: false.
tlsConfigurationMethodjsonDataTLS cert method: file-path or file-content.
sslRootCertFilejsonDataPath to root CA certificate (when using file-path method).
sslCertFilejsonDataPath to client certificate (when using file-path method).
sslKeyFilejsonDataPath to client key (when using file-path method).
passwordsecureJsonDataDatabase password.
tlsCACertsecureJsonDataRoot CA certificate content (when using file-content method).
tlsClientCertsecureJsonDataClient certificate content (when using file-content method).
tlsClientKeysecureJsonDataClient key content (when using file-content method).

Troubleshoot provisioning issues

If you encounter metric request errors or other issues when provisioning, refer to Provisioning errors in the PostgreSQL troubleshooting guide.

Configure with Terraform

You can configure the PostgreSQL data source using Terraform with the Grafana Terraform provider.

For more information about provisioning resources with Terraform, refer to Grafana as code using Terraform.

Terraform example

The following example creates a basic PostgreSQL data source:

hcl 
resource "grafana_data_source" "postgres" {
  name = "Postgres"
  type = "postgres"
  url  = "localhost:5432"
  user = "grafana"

  json_data_encoded = jsonencode({
    database         = "grafana"
    sslmode          = "disable"
    maxOpenConns     = 100
    maxIdleConns     = 100
    maxIdleConnsAuto = true
    connMaxLifetime  = 14400
    postgresVersion  = 903
    timescaledb      = false
  })

  secure_json_data_encoded = jsonencode({
    password = "Password!"
  })
}

For all available configuration options, refer to the Grafana provider data source resource documentation.

Next steps

After configuring your PostgreSQL data source, you can: