Database Configuration

Postgres

ZITADEL with Postgres

PostgreSQL is the default database for ZITADEL due to its reliability, robustness, and adherence to SQL standards. It is well-suited for handling the complex data requirements of an identity management system.

If you are using Zitadel v2 and want to use a PostgreSQL database, you can overwrite the default configuration.

Currently, versions 14 to 17 are supported.

Postgres can be configured as follows:

Database:
  postgres:
    Host: localhost
    Port: 5432
    Database: zitadel
    AwaitInitialConn: 5m
    MaxOpenConns: 15
    MaxIdleConns: 10
    MaxConnLifetime: 1h
    MaxConnIdleTime: 5m
    Options:
    User:
      Username: zitadel
      Password: zitadel
      SSL:
        Mode: disable
        RootCert:
        Cert:
        Key:
    Admin:
      Username: postgres
      Password: postgres
      SSL:
        Mode: disable
        RootCert:
        Cert:
        Key:

The admin user is only needed for the installation step but can also be avoided by preparing the necessary requirements:

• the zitadel user
• the zitadel database
• granting required permissions to the zitadel user

CREATE ROLE zitadel LOGIN;
CREATE DATABASE zitadel;
GRANT CONNECT, CREATE ON DATABASE zitadel TO zitadel;

Don't forget to adjust pg_hba.conf and set a password for the zitadel user.

With the setup done, follow the phases guide to run the init and then setup phase to get all necessary tables and data set up.

Cockroach (Zitadel v2)

Zitadel v2 with Cockroach

warning

Zitadel v3 removed CockroachDB support. See the CLI mirror guide for migrating to PostgreSQL.

The default database of Zitadel v2 is CockroachDB. The SQL database provides a bunch of features like horizontal scalability, data regionality and many more.

Currently versions >= 25.1 are supported.

The default configuration of the database looks like this:

Database:
  cockroach:
    Host: localhost
    Port: 26257
    Database: zitadel
    MaxOpenConns: 20
    MaxConnLifetime: 30m
    MaxConnIdleTime: 30m
    Options: ""
    User:
      Username: zitadel
      Password: ""
      SSL:
        Mode: disable
        RootCert: ""
        Cert: ""
        Key: ""
    Admin:
      Username: root
      Password: ""
      SSL:
        Mode: disable
        RootCert: ""
        Cert: ""
        Key: ""

Zitadel Credentials

The init phase of ZITADEL creates the ZITADEL database user (Database.*.User.Username & Database.*.User.Password) if it does not exist and admin credentials are provided. Init does not update or deprecate existing users or passwords. If you need to change the ZITADEL database user or rotate its password, you must do this manually.

caution

The init command is designed to be run only once, during the initial setup of ZITADEL. Running init again after changing the database user or credentials does not migrate database object ownerships, nor does it reassign permissions on schemas, tables, or other objects to a new user. You must update these permissions manually if you switch users.

Rotating Database Credentials

If you must rotate the credentials:

• You can change the password for the existing ZITADEL user, but you must manually update the password wherever ZITADEL needs it.
• Creating a new database user requires manual reassignment of ownership and privileges for all required database objects (schemas, tables, etc.) to the new user.
• After migration, remove or deprecate the old user using admin access and commands appropriate for your database provider.

Attempting to run init a second time with new credentials will fail if the user already exists, and will not change existing permissions or migrate data.

caution

Dropping and recreating the database does not automatically remove existing users. Always verify and clean up old users if necessary.