I'm trying to follow this article to enable the pg_cron extension on my postgres RDS instance on AWS:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html
It says to run on the rds_superuser:
CREATE EXTENSION pg_cron;
However, I'm logged in under a different user, I don't currently have access to the rds_superuser account. The message I get is:
SQL Error [42501]: ERROR: permission denied to create extension "pg_cron"
Hint: Must be superuser to create this extension.
Can anyone please tell me a work-around for this without having to contact a DBA? Can I grant superuser or create a new user with superuser to get around this?
It looks like the current user I have access to only shows on the pg_tables access to:
rolinherit - X
rolcanlogin - X
OK, I found out that if you go to your RDS database instance on AWS, you can "Modify" the RDS instance and change the master password for the sysadmin user. I was then able to sign in with this user and do what I needed to do.
Related
I'm trying to set up a Datadog PostgreSQL integration that requires a user with pg_monitor role and SELECT permission on pg_stat_database as described on their own documentation.
My database is currently hosted on Heroku and it seems the default user doesn't have SUPERUSER permissions because, when I try to apply the above role and permission to a "monitor" user, I get the following error message:
ERROR: must have admin option on role "pg_monitor"
So I'm looking for some way of:
grant the necessary permissions to that user without being a superuser
get superuser access on Heroku Postgres (what I think is not possible)
Has anyone ever faced this issue? Is there a way to handle this case?
I had to open a ticket asking the Heroku CS team to apply the "pg_monitor" role to my user. They've granted the role and now everything is working fine.
I've got a Postgres database and user I've created on Google Cloud SQL.
I'm trying to install the postgis extension for that user:
myuser=> CREATE EXTENSION postgis;
ERROR: permission denied to create extension "postgis"
HINT: Must be superuser to create this extension.
As you can see, it won't allow me to create the extension for this user, so I attempted to make this user a superuser from the postgres role:
postgres=> ALTER USER myuser WITH SUPERUSER;
ERROR: must be superuser to alter superusers
and I get the following error. This is because Google Cloud SQL does not allow the SUPERUSER role for any postgres accounts according to: https://cloud.google.com/sql/docs/postgres/users.
So I'm in this weird state of purgatory that I need to add this extension, but can't.
Any tips on how to proceed?
It looks like creating a new user through the API (or the console) will give it the proper permissions, at least according to the prompt when trying to add additional users through the console:
I am trying to run SET session_replication_role = 'replica'; in a GCP Cloud SQL Postgres 9.6 instance, however I'm encountering this error ERROR: permission denied to set parameter "session_replication_role" even if the postgres user is a cloudsql admin user. Do I have to spin up my own self managed instance to solve the problem or is there a way around it?
Unfortunately, this is not connected with whether the service is in Beta or not; you can't set session_replication_role in GCP Cloud SQL.
You need to have superuser privileges to do that operation, but GCP Cloud only allows cloudsqlsuperuser privileges. Its features are as follows:
When you create a new Cloud SQL for PostgreSQL instance, the default postgres user is already created for you, though you must set its password.
The postgres user is part of the cloudsqlsuperuser role, and has the following attributes (privileges): CREATEROLE, CREATEDB, and LOGIN. It does not have the SUPERUSER or REPLICATION attributes.
You can find much more information in this blog post.
From what I was looking at, since the service is currently in Beta, there are still some features that are not available, such as that. Therefore we would need to wait a bit more for Google to release the final version of their product.
We also encountered the same issue. This is because the postgres user does not have the Replication permission.
To resolve this issue:
a) Login with postgres user
b) Since the postgres user has the Create role permission, create a new user with the command below:
CREATE USER <YOUR_USER> WITH PASSWORD '<YOUR_PASSWORD>' CREATEDB CREATEROLE REPLICATION IN GROUP cloudsqlsuperuser;
Replace <YOUR_USER> with your user name and <YOUR_PASSWORD> with your password.
c) Login with newly created user and run
SET session_replication_role = 'replica';
If you see the response SET, then you are good to go.
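The errors in these questions all come down to a role attribute or membership the connected role lacks, and the catalog queries below report the connected role's attributes, its inherited memberships with ADMIN OPTION, and every role holding a high-impact attribute. This is an added example, not part of the original answers; it assumes only the standard pg_roles and pg_auth_members catalogs.

```sql
-- Added example: run as the role you are troubleshooting.
-- Reads only pg_roles and pg_auth_members, which ordinary roles can query
-- (pg_authid is avoided because managed services restrict it).

-- 1. Attributes of the connected role (SUPERUSER, REPLICATION, ...).
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb,
       rolreplication, rolinherit, rolcanlogin
FROM   pg_roles
WHERE  rolname = current_user;

-- 2. Every role reached through membership, direct or nested.
--    admin_option = true is what "must have admin option on role ..."
--    is asking for when you try to GRANT that role to someone else.
WITH RECURSIVE membership AS (
    SELECT m.roleid, m.member, m.admin_option, 1 AS depth
    FROM   pg_auth_members m
    JOIN   pg_roles r ON r.oid = m.member
    WHERE  r.rolname = current_user
  UNION ALL
    SELECT m.roleid, m.member, m.admin_option, ms.depth + 1
    FROM   pg_auth_members m
    JOIN   membership ms ON m.member = ms.roleid
)
SELECT g.rolname   AS granted_role,
       via.rolname AS granted_to,
       ms.admin_option,
       ms.depth
FROM   membership ms
JOIN   pg_roles g   ON g.oid   = ms.roleid
JOIN   pg_roles via ON via.oid = ms.member
ORDER  BY ms.depth, g.rolname;

-- 3. Review list: all roles that hold a high-impact attribute, including
--    any created with CREATEROLE or REPLICATION as a workaround.
SELECT rolname, rolsuper, rolcreaterole, rolreplication, rolbypassrls
FROM   pg_roles
WHERE  rolsuper OR rolcreaterole OR rolreplication OR rolbypassrls
ORDER  BY rolname;
```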
I went through the question/answers cannot create extension without superuser role and other related, which tells that I cannot avoid that issue without being a superuser.
But I am working with an AWS server now, in which I am able to install extension tablefunc without being a superuser, but I cannot do the same on a new postgres server. I am attaching a screenshot here of the roles present in the AWS database, here you will see, role pgadmin is not a superuser (and also none of the role group it's attached to are superuser, though it doesn't matter anyhow), but I can create the extension with it.
I understand the other workarounds, but just need a clarification for this. How is it working in AWS and why can't I replicate the same on a new Postgres server.
If you have access to and can update the extension control file, do this:
echo 'superuser = false' >> /usr/share/postgresql/14/extension/pg_cron.control
That example is for pg_cron but the same approach should work for any extension.
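The control-file settings this answer edits are visible from SQL, which helps on servers where the file system is out of reach. The queries below are an added example, not part of the original answer, and assume PostgreSQL 13 or later, where the trusted column exists.

```sql
-- Added example: what each extension's control file requires, and who
-- can act on it. Assumes PostgreSQL 13+ (the "trusted" column).

-- 1. Extensions installable without SUPERUSER.
--    superuser = false : the install script runs with the caller's own
--                        privileges, so the caller still needs every
--                        privilege the script uses.
--    trusted   = true  : any role with CREATE on the database may install,
--                        and the script runs as the bootstrap superuser.
SELECT name, version, installed, superuser, trusted
FROM   pg_available_extension_versions
WHERE  NOT superuser OR trusted
ORDER  BY name, version;

-- 2. The same flags for the extensions discussed on this page.
SELECT name, version, installed, superuser, trusted
FROM   pg_available_extension_versions
WHERE  name IN ('pg_cron', 'tablefunc', 'postgis')
ORDER  BY name, version;

-- 3. Roles holding CREATE on the current database, i.e. the roles that
--    can install trusted extensions here.
SELECT r.rolname, r.rolsuper
FROM   pg_roles r
WHERE  has_database_privilege(r.oid, current_database(), 'CREATE')
ORDER  BY r.rolname;

-- 4. Extensions already installed, with owner and schema, for review
--    after a control file has been changed.
SELECT e.extname, e.extversion,
       r.rolname AS owner,
       n.nspname AS schema
FROM   pg_extension e
JOIN   pg_roles     r ON r.oid = e.extowner
JOIN   pg_namespace n ON n.oid = e.extnamespace
ORDER  BY e.extname;
```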
For my application, I sometimes need to set session authorization to execute certain commands under a given user's permissions.
We're using an RDS behind the application, and our DB superuser on RDS keeps getting permission denied to set session authorization.
Is there a way to enable this on an RDS? Or is it just not a supported operation?
Thanks in advance!
Alas, the limitations of rds_superuser are not documented:
The rds_superuser role is a pre-defined Amazon RDS role similar to the
PostgreSQL superuser role (customarily named postgres in local
instances), but with some restrictions. As with the PostgreSQL
superuser role, the rds_superuser role has the most privileges on your
DB instance
So if you get permission denied with rds_superuser, you probably just can't do it... (as with some better-known limitations, like ownership override, fs-related functions, the limited extensions list and so on).