Permission denied to SET SESSION AUTHORIZATION on Amazon Postgres RDS - postgresql

For my application, I sometimes need to set session authorization to execute certain commands under a given user's permissions.
We're using an RDS behind the application, and our DB superuser on RDS keeps getting permission denied to set session authorization.
Is there a way to enable this on an RDS? Or is it just not a supported operation?
Thanks in advance!

alas, limitations of rds_superuser are not documented
The rds_superuser role is a pre-defined Amazon RDS role similar to the
PostgreSQL superuser role (customarily named postgres in local
instances), but with some restrictions. As with the PostgreSQL
superuser role, the rds_superuser role has the most privileges on your
DB instance
So if you get permission denied with rds_superuser, you probably just can't do it... (as some more better known limitations, like ownership override, fs related functions, limited extensions list and so on)

Related

How to enable Google Cloud PostgreSQL log_statements to one database role only?

I'd like to have query logging on for one specific role only. But it doesn't seem to be possible to turn it on with the powers of cloudsqlsuperuser role that the default postgres user has:
postgres=> ALTER ROLE my_log_role SET log_statement = 'all';
ERROR: permission denied to set parameter "log_statement"
Turning log_statement on for the entire instance is doable through Cloud SQL tools, but can this be done for select role(s) instead of all of them in a managed PostgreSQL?
Only superusers can change this setting. (https://www.postgresql.org/docs/9.5/runtime-config-logging.html#GUC-LOG-STATEMENT)
check if cloudsqlsuperuser is a superusers running "show is_superuser;"
Superuser restrictions
https://cloud.google.com/sql/docs/postgres/users#superuser_restrictions
As Cloud SQL for PostgreSQL is a managed service, the "superuser" access is not provided, which is required to run the below command:
postgres=> ALTER ROLE my_log_role SET log_statement = 'all';
However,
Although you can't create database users with superuser privileges, you can create database users with the cloudsqlsuperuser role which has some of those privileges
If this is a blocker, you may consider hosting PostgreSQL on a Google Compute Engine (GCE) instance, where you will have full control.

Enabling pg_cron extension on postgres database without rds_superuser

I'm trying to follow this article to enable the pg_cron extension on my postgres RDS instance on AWS:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html
it says to run on the rds_superuser
CREATE EXTENSION pg_cron;
However, I'm logged in under a different user, I don't currently have access to the rds_superuser account. The message I get is:
SQL Error [42501]: ERROR: permission denied to create extension "pg_cron"
Hint: Must be superuser to create this extension.
Can anyone please tell me a work-around for this without having to contact a DBA? Can I grant superuser or create a new user with superuser to get around this?
it looks like the current user I have access to only shows on the pg_tables access to:
rolinherit - X
rolcanlogin - X
Ok I found out that if you go to your RDS database instance on AWS, you can "Modify" the RDS instance, and change the master password for the sysadmin user. I was then able sign in with this user and do what I needed to do.

How can I add pg_monitor role to a postgresql user on heroku

I'm trying to set up a Datadog PostgreSQL integration that requires a user with pg_monitor role and SELECT permission on pg_stat_database as described on their own documentation.
My database is currently hosted on Heroku and it seems the default user doesn't have SUPERUSERpermissions because, when I try to apply the above role and permission to a "monitor" user I have the following error message:
ERROR: must have admin option on role "pg_monitor"
So I'm looking for some way of:
grant the necessary permissions to that user without being a superuser
get superuser access on Heroku Postgres (what I think is not possible)
Someone has ever faced this issue? There is a way to handle this case?
I had to open a ticket asking the Heroku CS team to apply the "pg_monitor" role to my user. They've granted the role and now everything is working fine

Setting session_replication_role for GCP Cloud SQL

I am trying to run SET session_replication_role = 'replica'; in a GCP Cloud SQL Postgres 9.6 instance, however I'm encountering this error ERROR: permission denied to set parameter "session_replication_role" even if the postgres user is a cloudsql admin user. Do I have to spin up my own self managed instance to solve the problem or is there a way around it?
Unfortunately, it is not connected with the service is in Beta or not, you can't set session_replication_role in GCP Cloud SQL.
You need to have superuser privileges to do that operation, but GCP Cloud only allows to cloudsqlsuperuser privileges. It's features as follows:
When you create a new Cloud SQL for PostgreSQL instance, the default postgres user is already created for you, though you must set its password.
The postgres user is part of the cloudsqlsuperuser role, and has the following attributes (privileges): CREATEROLE, CREATEDB, and LOGIN. It does not have the SUPERUSER or REPLICATION attributes.
You can find much more information in this blog post.
From what I was looking at, since the service is currently in Beta, there are still some features that are not available, such as that. Therefore we would need to wait a bit more for Google to realease the final version of their product.
We also encountered same issue . This is because postgres user does not have Replication permission.
To resolve this issue:
a) Login with postgres user
b) Since postgres user has Create role permission. Now create a new user with below command:
CREATE USER <YOUR_USER> WITH PASSWORD '<YOUR_PASSWORD>' CREATEDB CREATEROLE REPLICATION IN GROUP cloudsqlsuperuser;
replace <YOUR_USER> with your user name and <YOUR_PASSWORD> with password.
c) Login with newly created user and run
SET session_replication_role = 'replica';
if you see response SET then you are good to go

Enabling geodatabase in AWS RDS PostgreSQL instance

Superuser permission is required to create a geodatabase in PostgreSQL.
However, in AWS RDS instance we are receiving:
rds_superuser permission and rds_superuser is not superuser.
Is there a way to enable geodatabase in AWS RDS PostgreSQL with rds_superuser permission?
You need to create the database and the sde login manually using e.g. pgAdmin, and grant the rds_superuser group role to the sde login. Also create a schema named sde in your database, and make the sde login the owner of that schema.
Then you can create a .sde database connection in ArcCatalog using the sde login and, importantly, the *.rds.amazonaws.com hostname. Finally you can run the Enable Enterprise Geodatabase using this connection as your input.
This only works if you connect to the database using the *.rds.amazonaws.com hostname. Apparently, ESRI uses the hostname to determine if the database in question is an RDS server.
Once you've enabled the geodatabase you can connect to it with .sde connections using other dns aliases as well.
Refer to the ESRI documentation for further details: http://server.arcgis.com/en/server/latest/cloud/amazon/create-geodatabase-in-amazon-rds-for-postgresql.htm