PostgreSQL table discovery: are your database controls keeping up?

TL;DR: Listing PostgreSQL tables is straightforward through psql, SQL, pgAdmin, or scripts, but StrongDM’s guide shows that the real risk is not the query method itself, it is unmanaged credentials, excessive privileges, and blind spots around who can see database metadata. The control problem is proving access, logging it, and revoking it fast enough for real operational use.

NHIMG editorial — based on content published by StrongDM: How to Show/List Tables in PostgreSQL (psql, SQL & pgAdmin)

Questions worth separating out

Q: How should security teams govern PostgreSQL table discovery in production environments?

A: Security teams should treat PostgreSQL table discovery as a governed access event, not a harmless admin task.

Q: Why do stored database credentials increase risk even for read-only table queries?

A: Stored credentials increase risk because they create durable, reusable access that can be copied into shells, scripts, and pipelines.

Q: What breaks when CI/CD pipelines can list tables with long-lived credentials?

A: When CI/CD pipelines can list tables with long-lived credentials, table discovery stops being a bounded task and becomes recurring standing access.

Practitioner guidance

• Separate metadata access from data access Review which roles can query information_schema and pg_catalog, then narrow visibility to the specific schemas needed for support, debugging, or automation.
• Eliminate durable database secrets from scripts and pipelines Replace stored passwords, .pgpass files, and embedded credentials with identity-based access and short-lived authorisation so that table discovery jobs do not inherit reusable secrets.
• Log every table listing path centrally Capture psql sessions, GUI activity, and programmatic queries in a single audit trail so schema discovery is attributable and searchable across teams.

What's in the full article

StrongDM's full blog covers the operational detail this post intentionally leaves for the source:

• Step-by-step examples for listing PostgreSQL tables with psql, SQL, pgAdmin, and Python.
• Troubleshooting guidance for permission errors, schema visibility issues, and client setup problems.
• Practical examples of automating table discovery in CI/CD workflows.
• StrongDM's access-control workflow for enforcing least privilege, logging, and revocation across database sessions.

👉 Read StrongDM's guide to listing PostgreSQL tables securely →

PostgreSQL table discovery: are your database controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →