Ran this while trying to manage some permissions with Cloud SQL IAM users:
GRANT "****#*****.iam" to postgres;
Now it appears that my postgres account is an IAM user in the DB. And I can't change it back because I can't log in with my original postgres user password. This was also my only superuser account, so I can't get the proper access to change anything back. GCP dashboard also does not let me modify the password because now it's a "System User". Very strange... how do I resolve this?
Tried logging in with the IAM role that I granted to postgres, that does not work... Not sure what to do beyond file a support ticket with GCP
Related
I'm trying to follow this article to enable the pg_cron extension on my postgres RDS instance on AWS:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html
it says to run on the rds_superuser
CREATE EXTENSION pg_cron;
However, I'm logged in under a different user, I don't currently have access to the rds_superuser account. The message I get is:
SQL Error [42501]: ERROR: permission denied to create extension "pg_cron"
Hint: Must be superuser to create this extension.
Can anyone please tell me a work-around for this without having to contact a DBA? Can I grant superuser or create a new user with superuser to get around this?
it looks like the current user I have access to only shows on the pg_tables access to:
rolinherit - X
rolcanlogin - X
Ok I found out that if you go to your RDS database instance on AWS, you can "Modify" the RDS instance, and change the master password for the sysadmin user. I was then able sign in with this user and do what I needed to do.
I'm trying to set up a Datadog PostgreSQL integration that requires a user with pg_monitor role and SELECT permission on pg_stat_database as described on their own documentation.
My database is currently hosted on Heroku and it seems the default user doesn't have SUPERUSERpermissions because, when I try to apply the above role and permission to a "monitor" user I have the following error message:
ERROR: must have admin option on role "pg_monitor"
So I'm looking for some way of:
grant the necessary permissions to that user without being a superuser
get superuser access on Heroku Postgres (what I think is not possible)
Someone has ever faced this issue? There is a way to handle this case?
I had to open a ticket asking the Heroku CS team to apply the "pg_monitor" role to my user. They've granted the role and now everything is working fine
So, I've been looking around for more details, but can't find it.
I have a AWS RDS Postgresql cluster. In the typical sense, when I want to add a login to my database, I use the
create user xxxx with password 'yyy'
then I grant that user access to the tables and other rights.
Now, I tried to add another user with secrets manager linked to this RDS database.
I'm not sure what to do next....should that new user I only created in secrets, appear in the login for the database, because I don't see it? How would we grant access to the tables and other things for that user?
I am trying to run SET session_replication_role = 'replica'; in a GCP Cloud SQL Postgres 9.6 instance, however I'm encountering this error ERROR: permission denied to set parameter "session_replication_role" even if the postgres user is a cloudsql admin user. Do I have to spin up my own self managed instance to solve the problem or is there a way around it?
Unfortunately, it is not connected with the service is in Beta or not, you can't set session_replication_role in GCP Cloud SQL.
You need to have superuser privileges to do that operation, but GCP Cloud only allows to cloudsqlsuperuser privileges. It's features as follows:
When you create a new Cloud SQL for PostgreSQL instance, the default postgres user is already created for you, though you must set its password.
The postgres user is part of the cloudsqlsuperuser role, and has the following attributes (privileges): CREATEROLE, CREATEDB, and LOGIN. It does not have the SUPERUSER or REPLICATION attributes.
You can find much more information in this blog post.
From what I was looking at, since the service is currently in Beta, there are still some features that are not available, such as that. Therefore we would need to wait a bit more for Google to realease the final version of their product.
We also encountered same issue . This is because postgres user does not have Replication permission.
To resolve this issue:
a) Login with postgres user
b) Since postgres user has Create role permission. Now create a new user with below command:
CREATE USER <YOUR_USER> WITH PASSWORD '<YOUR_PASSWORD>' CREATEDB CREATEROLE REPLICATION IN GROUP cloudsqlsuperuser;
replace <YOUR_USER> with your user name and <YOUR_PASSWORD> with password.
c) Login with newly created user and run
SET session_replication_role = 'replica';
if you see response SET then you are good to go
For my application, I sometimes need to set session authorization to execute certain commands under a given user's permissions.
We're using an RDS behind the application, and our DB superuser on RDS keeps getting permission denied to set session authorization.
Is there a way to enable this on an RDS? Or is it just not a supported operation?
Thanks in advance!
alas, limitations of rds_superuser are not documented
The rds_superuser role is a pre-defined Amazon RDS role similar to the
PostgreSQL superuser role (customarily named postgres in local
instances), but with some restrictions. As with the PostgreSQL
superuser role, the rds_superuser role has the most privileges on your
DB instance
So if you get permission denied with rds_superuser, you probably just can't do it... (as some more better known limitations, like ownership override, fs related functions, limited extensions list and so on)