
Connect Looker On‑Prem to Firebolt with mTLS (PostgreSQL Wire)
This guide covers mutual TLS (mTLS) setup for Looker On‑Prem connecting to Firebolt over the PostgreSQL‑compatible interface.Prerequisites
- Looker On-Prem – With admin access to configure database connections.
- Firebolt account – You need an active Firebolt account. If you do not have one, you can sign up for one.
- Firebolt database and table – You must have access to a Firebolt database that contains a table with data ready for visualization. If you don’t have access, you can create a database and then load data into it.
- Firebolt service account – You must have access to an active Firebolt service account, which facilitates programmatic access to Firebolt, its ID and secret.
- Firebolt user – You must have a user that is associated with your service account. The user should have USAGE permission to query your database, and OPERATE permission to start and stop an engine if it is not already started.
Step 1: Prepare SSL Certificate Files (mTLS)
You need a client certificate and a client private key in PKCS#8 DER format. You will also generate a public key from the private key and attach it to the Firebolt service account.If you need to generate certificates
The script below creates a local CA (Certificate Authority), generates a PKCS#8 private key, a public key for Firebolt, and a signed client certificate.fb.pk8
– private key (PKCS#8 DER)fb.crt
– client certificatefb-public.pem
– public key to attach to your Firebolt service account
If you already have the certificates
Expected files:client-cert.pem
— client certificateclient-key.pk8
— client private key (PKCS#8 DER)
Step 2: Place the certificate files on the Looker host
Upload only the public key to Firebolt. Do not share the private key.Place files on the Looker server and set permissions:
Step 3: Attach the Public Key to the Firebolt Service Account
Attach the generated public key to the Firebolt service account you will use from Looker.Ensure the service account is attached to a user in the Firebolt account and has privileges to access the target database/engine.
Step 4: Create the Looker On‑Prem Connection (mTLS)
In Looker: Admin → Connections → New ConnectionKey | Value |
---|---|
Name | firebolt_connection (or preferred name) |
Dialect | PostgreSQL 9.5+ |
Host | pg.<region_name>.app.firebolt.io |
Port | 5432 |
Database | <account_name>@<database_name>@<engine_name> |
Username | Firebolt service account ID |
Password | Firebolt service account secret |
SSL | Enabled |
Verify SSL | Disabled |
Additional JDBC parameters | sslmode=require&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslcert=/path/to/fb.crt&sslkey=/path/to/fb.pk8 |
Determine the correct Firebolt host (region)
Example:pg.us-east-1.app.firebolt.io
.
Find your region:
Database field format
Final Steps & Troubleshooting
- Click Test; if successful, click Connect.
- If the test fails, verify:
- Absolute paths to
sslcert
andsslkey
exist and are readable by the Looker process. - The private key is PKCS#8 DER (
*.pk8
). - The service account’s public key is attached in Firebolt.
- The host region, account, database, and engine are correct.
- The service account has the necessary permissions and the ID/secret are correct.
Performance and Limits
Firebolt enforces soft rate limits to ensure fair usage:Limit type | Threshold | Scope |
---|---|---|
New connections | 600 per minute | Per IP address |
Queries | 600 per minute | Per organization/account |
Compatibility Notes
Some Looker SQL and LookML features are not fully supported through Firebolt’s PostgreSQL adapter.- Unsupported functions:
diff_days()
,diff_hours()
,contains()
,exp()
. - Partially supported functions:
extract_minutes()
,trunc_months()
(only work with TIMESTAMP/TIMESTAMPTZ, not DATE). - Unsupported metrics: Median, list of unique values.
- Unsupported dimension types: Any
date_...
orduration_...
types. Use custom SQL dimensions in.view.lkml
instead like: