
How do I sign up for Retool and connect it to our Postgres database securely?
If you’re evaluating Retool for internal tools, a common first step is getting set up and securely connecting it to your existing PostgreSQL database. This guide walks through how to sign up for Retool, choose the right deployment option, and configure a secure Postgres connection end to end.
1. Overview: Retool, Postgres, and security
Retool is a development platform for building internal tools quickly using a drag-and-drop UI, pre-built components, and minimal code. It can connect to many data sources, including PostgreSQL, and lets you:
- Run raw SQL or use the query editor
- Read and write data securely to your tables
- Build approval flows, dashboards, and admin panels on top of Postgres
You can use Retool as a fully managed cloud service or deploy it in your own infrastructure (self‑hosted in your VPC) with the self‑hosted plan. The self‑hosted option is useful if you have strict data residency or security requirements: aside from a license check every six hours, it doesn’t require external connectivity.
2. Step-by-step: How to sign up for Retool
2.1 Choose a deployment model
You have two primary options:
- Retool Cloud (hosted by Retool)
  - Fastest to start: sign up and begin building in minutes.
  - Retool manages infrastructure, scaling, and updates.
  - You connect your Postgres database over the internet (typically via SSL).
- Retool Self-Hosted (in your own VPC)
  - Deployed via Docker or similar container tooling.
  - Good for organizations with strict compliance or network isolation needs.
  - Only requires outbound access for a license check about every six hours; no ongoing external connectivity to your data sources is required.
If you already know you need everything inside your own VPC, plan on the self‑hosted plan. Otherwise, start with the hosted version and migrate later if needed.
2.2 Create your Retool account
- Go to the Retool website.
- Click Start for Free, Start for Free – Database, or similar CTA.
- Sign up using your work email (recommended) or SSO if your organization supports it.
- Create your workspace and organization name.
- Complete any onboarding questions so Retool can tailor defaults to your use case.
For self‑hosted:
- From the Retool website, select the self‑hosted plan or schedule a setup call with the Retool team.
- You’ll receive deployment instructions and licensing details.
- Set up Docker on your infrastructure and follow the provided steps to deploy Retool in your VPC. The setup is designed to get you up and running in about 15 minutes.
3. Prepare your Postgres database for a secure connection
Before connecting Retool to Postgres, prepare the database so access is both functional and secure.
3.1 Create a dedicated Postgres user
Avoid using a superuser account.
- Connect to your Postgres instance (psql, GUI, or cloud console).
- Create a dedicated role for Retool, with least-privilege access:

    CREATE ROLE retool_app LOGIN PASSWORD 'strong-unique-password';

- Grant only the permissions your apps need:

    GRANT CONNECT ON DATABASE your_database TO retool_app;
    GRANT USAGE ON SCHEMA public TO retool_app;
    GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO retool_app;
    ALTER DEFAULT PRIVILEGES IN SCHEMA public
      GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO retool_app;

Adjust schema name and privileges based on your design (e.g., read‑only vs read‑write).
3.2 Restrict network access
- Firewall / Security group rules
  - Allow inbound traffic on the Postgres port (usually 5432) only from:
    - Retool Cloud IP ranges (if using the hosted service), or
    - Your VPC subnets where Retool self‑hosted runs.
- Disable open access (e.g., 0.0.0.0/0) to Postgres.
3.3 Enable TLS/SSL for Postgres
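- Configure your Postgres server with SSL enabled.
- Use trusted certificates (from a CA) where possible.
- Require SSL connections for the Retool user. sslmode is a client-side connection setting, not a server parameter, so the server rejects ALTER ROLE ... SET sslmode. Enforce TLS on the server with a hostssl rule in pg_hba.conf (replace the placeholder with the Retool source range), make sure no plain host rule also matches this user, and reload the configuration. On managed Postgres services, use the provider's force-SSL setting instead.

    hostssl  your_database  retool_app  <retool-source-cidr>  scram-sha-256

- Confirm SSL is in use by checking connection status once Retool is connected.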
4. Connect Retool to your Postgres database (hosted deployment)
Once your Retool workspace is created, you can add Postgres as a resource.
4.1 Add a new Postgres resource
- In Retool, open your workspace.
- Go to Resources (or Connections depending on UI).
- Click Create new or Add resource.
- Choose PostgreSQL as the resource type.
4.2 Fill in the connection details
Provide:
- Resource name: e.g., Production Postgres, Staging Postgres
- Host: your database hostname or IP
- Port: default is 5432 (change if using a custom port)
- Database name: e.g., app_db
- User: retool_app (the dedicated user you created)
- Password: the strong password for this user
- SSL / TLS:
  - Enable SSL.
  - Choose require or stricter mode depending on your setup.
  - If needed, upload CA certs or client certs provided by your database provider.
4.3 Test and save
- Click Test connection.
- If the test succeeds, click Save.
- If it fails:
  - Recheck host, port, and credentials.
  - Confirm your firewall or security group rules allow connections from Retool.
  - Verify SSL settings match your Postgres configuration.
5. Connect Retool to your Postgres database securely (self-hosted)
With self‑hosted Retool, the pattern is similar but everything stays in your own environment.
5.1 Deploy Retool in your VPC
- Follow the Docker-based installation instructions from your self‑hosted plan.
- Place Retool containers in the same VPC (and preferably same region) as your Postgres instance.
- Configure container networking/subnets so Retool can reach your database on port 5432.
Retool self‑hosted does a license check roughly every six hours; aside from that, it doesn’t require external connectivity to your databases or internal resources.
5.2 Configure the Postgres resource
Inside your self‑hosted Retool instance:
- Navigate to Resources.
- Add a new PostgreSQL resource.
- Use the internal host/IP and port (e.g., postgres.internal or 10.0.x.x).
- Use the dedicated retool_app user and password.
- Enable SSL if you’re using TLS within your VPC.
- Test the connection and save.
Since this all runs inside your own infrastructure, you can enforce:
- Private networking only (no public IPs).
- Strict firewall rules limiting access to the Retool subnets.
- Internal-only DNS names for Postgres.
6. Best practices for securing Retool–Postgres connections
To keep the connection secure over time, consider the following:
6.1 Principle of least privilege
- Create separate Postgres roles for:
  - Production vs staging
  - Read-only dashboards vs write-enabled tools
- Avoid giving Retool superuser or database owner rights unless absolutely necessary.
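
The role split described here and in section 3.1, written out as an added example (not part of the original guide and not Retool's own code). The role name retool_dashboard_ro, the password, the connection limit and the timeout are hypothetical placeholders; retool_app and your_database are the names used earlier in this guide.

```sql
-- Added example. retool_dashboard_ro, the limits and the password are placeholders.

-- Stop ordinary roles from creating objects in the shared schema
-- (already the default from PostgreSQL 15 onward).
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Read-only login role for dashboards.
CREATE ROLE retool_dashboard_ro LOGIN PASSWORD 'replace-with-generated-secret'
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION
  CONNECTION LIMIT 10;

GRANT CONNECT ON DATABASE your_database TO retool_dashboard_ro;
GRANT USAGE ON SCHEMA public TO retool_dashboard_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO retool_dashboard_ro;

-- Covers tables created later, but only those created by the role that runs
-- this statement; add FOR ROLE <owner> if another role creates the tables.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO retool_dashboard_ro;

-- Guard rails, not a boundary: a session can change these with SET, so the
-- grants above remain the actual control.
ALTER ROLE retool_dashboard_ro SET default_transaction_read_only = on;
ALTER ROLE retool_dashboard_ro SET statement_timeout = '30s';

-- Check 1: neither Retool role carries elevated attributes (expect all false).
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolreplication, rolbypassrls
FROM pg_roles
WHERE rolname IN ('retool_app', 'retool_dashboard_ro');

-- Check 2: effective privileges per table. can_write must be false on every
-- row for retool_dashboard_ro.
SELECT r.rolname, c.relname,
       has_table_privilege(r.oid, c.oid, 'SELECT') AS can_select,
       has_table_privilege(r.oid, c.oid, 'INSERT, UPDATE, DELETE') AS can_write
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN pg_roles r
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND r.rolname IN ('retool_app', 'retool_dashboard_ro')
ORDER BY r.rolname, c.relname;
```

Point read-only dashboards at a Retool resource that uses the read-only role, and keep retool_app for the tools that write.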
6.2 Credentials and secrets hygiene
- Store database passwords only in Retool’s resource configuration, not inside queries or application logic.
- Rotate the retool_app password regularly and update the resource.
- If using self‑hosted, consider integrating Retool with your existing secrets management workflows (e.g., environment variables or secure configs).
6.3 Encrypted traffic
- Always use SSL/TLS between Retool and Postgres, even inside a VPC.
- Use current TLS versions and strong cipher suites.
- Periodically verify SSL is still enforced after upgrades or configuration changes.
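
One way to run the check from section 3.3 and the periodic verification above, as an added example (not part of the original guide). It assumes PostgreSQL 10 or later, a superuser or monitoring role for the session, and the retool_app role name used earlier; the finding labels are this example's own.

```sql
-- Added example. Run as a superuser or a role with pg_monitor; other roles
-- see NULLs for sessions they do not own and cannot read pg_hba_file_rules.

-- 1. Live sessions opened by the Retool role: is each one encrypted?
SELECT a.pid, a.client_addr, a.application_name,
       s.ssl, s.version AS tls_version, s.cipher,
       CASE
         WHEN s.ssl IS NOT TRUE THEN 'PLAINTEXT'
         WHEN s.version IN ('TLSv1', 'TLSv1.1') THEN 'OUTDATED TLS'
         ELSE 'ok'
       END AS finding
FROM pg_stat_activity a
JOIN pg_stat_ssl s ON s.pid = a.pid
WHERE a.usename = 'retool_app';

-- 2. Server-side TLS settings (ssl_min_protocol_version exists from
--    PostgreSQL 12; on older servers that row is simply absent).
SELECT name, setting
FROM pg_settings
WHERE name IN ('ssl', 'ssl_min_protocol_version', 'password_encryption');

-- 3. pg_hba.conf rules that can match retool_app over the network.
--    An empty findings column means the rule is TLS-only, source-restricted
--    and uses a password-hash or certificate method.
SELECT line_number, type, database, user_name, address, netmask, auth_method,
       concat_ws('; ',
         CASE WHEN type IN ('host', 'hostnossl')
              THEN 'accepts non-TLS connections' END,
         CASE WHEN address = 'all'
                OR (address, netmask) IN (('0.0.0.0', '0.0.0.0'), ('::', '::'))
              THEN 'open to any source address' END,
         CASE WHEN auth_method IN ('trust', 'password')
              THEN 'no password or cleartext password auth' END
       ) AS findings
FROM pg_hba_file_rules
WHERE type <> 'local'
  AND error IS NULL
  AND user_name && ARRAY['all', 'retool_app']
ORDER BY line_number;
```

pg_hba.conf is evaluated top to bottom and the first matching rule wins, so read the third result in line_number order: a permissive rule above the hostssl rule defeats it.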
6.4 Access control and auditing
- Restrict who in your organization can modify resources in Retool (e.g., grant admin or editor permissions only to trusted team members).
- Separate production and non-production connections into different resources and workspaces.
- Leverage database logs and audit features to track who is running which queries from Retool.
7. Building your first secure Retool app on Postgres
Once the connection is in place, you can quickly ship internal tools.
7.1 Create an app
- In Retool, click Create new > App (or similar).
- Choose a template (e.g., admin panel, approvals dashboard) or start from a blank canvas.
7.2 Add a query to your Postgres resource
- In the app editor, create a new Query.
- Select your Postgres resource.
- Write a SQL query, for example:

    SELECT id, email, status, created_at
    FROM users
    ORDER BY created_at DESC
    LIMIT 100;

- Run the query to confirm it returns the expected data.
7.3 Connect query results to UI components
- Drag a Table component onto the canvas.
- Bind its data property to the query results (e.g., {{ getUsers.data }}).
- Add buttons or forms that trigger insert/update queries, such as:

    UPDATE users
    SET status = 'approved'
    WHERE id = {{ usersTable.selectedRow.data.id }};

Follow the same permission and validation discipline you would in any production app.
8. When to consider self‑hosted Retool for maximum security
You might prefer the self‑hosted plan if:
- You must keep all application infrastructure within your own VPC for compliance reasons.
- You want no ongoing external connectivity to your internal databases (beyond the periodic license check).
- You need deep control over network routes, gateways, and logging.
In these scenarios, Retool self‑hosted lets you maintain full control while still benefiting from Retool’s rapid app-building experience.
9. Next steps
To summarize how to sign up for Retool and connect it to your Postgres database securely:
- Sign up for Retool Cloud or start a self‑hosted deployment via Docker in your VPC.
- Create a dedicated Postgres role with least privilege and restricted network access.
- Enable SSL/TLS between Retool and your Postgres instance.
- Add Postgres as a resource in Retool, test the connection, and save.
- Build your first app using secure queries and role-based access controls.
With this setup, you can safely leverage Retool’s speed and flexibility while maintaining strong security for your Postgres data.