(Debian 8)
My .pgpass file is at my home folder (admin)
I and using the right format as indicated in the documentation
hostname:port:database:username:password
The same fields I put there work well when put explicitly into the psql command line. (of course I have to enter the password manually).
However, running psql by itself gives our an error:
psql: FATAL: role "admin" does not exist
Note that my sql username is NOT admin, which is my debian username.
What am I doing wrong? my goal is to get access to psql without having to use an elaborate command line including host/port/username/database
.pgpass is not a way to choose which settings you want to use, it's a way to store passwords for a number of settings you've already chosen to use. It can contain multiple lines. The relevant line is then chosen as follows, according to the documentation:
The password field from the first line that matches the current connection parameters will be used.
You still have to provide your connection parameters (besides the password).
If you always want to use the same connection parameters, you should probably use the environment variables (PGHOST, PGDATABASE, PGUSER, ...), and possibly place them in your .bashrc file (depending on the shell you use).
You can then choose to store the password itself in the PGPASSWORD environment variable or in the .pgpass file. The latter might give you a bit more flexibility.
Related
I stumbled upon PostgreSQL installations, where there is a PostgreSQL user with the same name as an operating system (Linux) user. If you are logged into the operating system as such a user, you can usually login to psql without specifying a username and password as this user.
How does this work? Is this a pure convention, or is there a special mechanism in PostgreSQL for this kind of behavior?
There are cases, where no corresponding PostgreSQL user is present for an operating system user. In this case, how do I create one, that can be logged into without having to specify username and password once I am logged into the operating system as this user?
There are several mechanisms. I don't know what makes a mechanism a special one, though.
The client always sends a username to the server. If you don't specify one to use then libpq-based clients look up the operating system name and use that. Some non-libpq-based clients might adopt the same convention.
For not requiring a password, maybe local connections are set to 'trust' in pg_hba.conf, in which case anyone else on the same machine can also log in to PostgreSQL as you, just by specifying your username to use, such as with -U martinw. Or maybe a password is required, but it is provided automatically via .pgpass file or via PGPASSWORD env variable, but if you set that up presumably you would remember doing so. Or maybe you have local connections set to peer in pg_hba, in which case the db server asks the OS "who is on the other end of this socket?" and verifies the answer matches the requested username (this is a common default setup, for example on Ubuntu Linux) or if a pg_ident map is in use, then it verifies the response system username is allowed to log in as the specified db username.
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-PASSFILE
create a pgpass file: vim ~/.pgpass
fill your credentials: hostname:port:database:username:password
exit file. and change ~/.pgpassfile access permission:
https://www.postgresql.org/docs/current/libpq-pgpass.html
chmod 0600 ~/.pgpass
If your linux user is the same as one of the pgpassfile user, then just type psql to connect to database.
Having .ssh/config with an entry like this:
Host foo
HostName 226.212.131.212
User root
allows you to connect to a server using ssh foo.
Postgres' default client psql has the .pgpass file that allows to store a password. However, the client still needs to be instructed with parameters for host, username and dbname.
What I'm looking for is an equivalent to the ssh config - a way to access a postgres server using a named config. psql foo. Does it exist?
The one that is closest to that, is the connection service file
From the manual:
The file uses an “INI file” format where the section name is the service name and the parameters are connection parameters;
[foo]
host=somehost
port=5432
user=arthur
Once the service is defined, you can connect using e.g.:
psql "service=foo"
To build on top of the previous answer,
For making it work make sure that your config file is saved to the correct location.
From the manual , the corrects paths are :
/etc/pg_service.conf
~/.pg_service.conf
Now if your file is saved to that location, you can now edit it make sure you have all the required settings.
[a_service]
host=host/orIP
port=5432
dbname=xyz
user=paul
password=cde
You can add as many as you like, the same way we do with ssh_config
To use it, you can use it with the following code:
You can do use it with two-step:
export PGSERVICE=a_service
and then run psql
Or in one command with :
psql "service=a_service"
We are loading loading data from S3 to Redshift, but proving redshift username and password on the command line.
Can we do this too role based because this leads to hard coding user name password in code which is a security vulnerability.
psql -h $redshift_jdbc_url -U $redshift_db_username -d $redshift_dbname -p $port_number -c "copy $destinationTable$columnList from '$s3fileName' credentials 'aws_iam_role=arn:aws:iam::$account_number:role/$s3role;master_symmetric_key=$master_key' region '$s3region' format as json '$jsonPathFile' timeformat 'auto' GZIP TRUNCATECOLUMNS maxerror $maxError";
Though this question has nothing to do specifically with Redshift, there could be multiple options to avoid username/password, by mistake checked in to code repository like (cvs,git etc) or getting shared.
Not sure if we do(as stated below) is best practice or not, here is how we do and I think, its safe.
We use the environment variable in our case, and those environment variables are outside of source code repository and the shell script code reads usually there at particular instance environment only.
For e.g. if you have shell script that execute the above command, will load the environment file variable like below. example psql.sh
#!/bin/bash
echo "Loading environment variable"
. "$HOME/.env"
Your other commands
The env file could have variables like below,
#!/bin/bash
export REDSHIFT_USER="xxxxxxxxx"
export REDSHIFT_PASSWORD="xxxxxx"
There are other options too, but not sure if they work well with Redshift.
.pgpass file to store the password. refer below link.
http://www.postgresql.org/docs/current/static/libpq-pgpass.html
"trust authentication" for that specific user, refer below link.
http://www.postgresql.org/docs/current/static/auth-methods.html#AUTH-TRUST
Hope that answers your question.
Approach 1:
Generate temporary username / password which has a TTL as part of your script. Use that temporary username / password to connect to DB.
Reference From AWS documentation
https://docs.aws.amazon.com/cli/latest/reference/redshift/get-cluster-credentials.html
Approach 2:
Use AWS Secerets Manager Service
Can someone point me to a piece of documentation that specifies the matching rules psql applies to the .pgpass file? I always spend a few extra keystrokes trying to find the right combination of host, port, database, username to get it to connect.
Some things are obvious (i.e. if my linux username is not the same as my postgres username than I need to specify it) but based on what I've seen there is some non-obvious behavior.
Here is the documentation you are probably looking for. It explains the rules pretty well.
Just so this isn't a link-only answer, here are the rules:
Each .pgpass entry is on its own line and has the following format:
hostname:port:database:username:password
You can use a wildcard (*) for each field except password
If you use wildcards, put more specific entries first
You can use for instance localhost:*:*:foo:password to specify password for user foo on your local machine regardless of the database you are connecting to or the port the Postgres is actually running on.
I am working on an open source application that has PostgreSQL as its default DBMS. Now when I install it on my system, its configuration is so that PostgreSQL also gets installed with it.
My problem is with getting access to the installed PostgreSQL database. The database that gets created during installation is named iviewdb.
I read at many forums that the default superuser is postgres, but when I try to get access to the database using this username through a command prompt, it prompts me for password that I don't have.
I wanted to know from where in the PostgreSQL installation directory
the default username and password with the port number to access the database is stored. I have even tried changing the pg_hba.conf file, but that creates a problem with the application and it won't start then.
How can I find the password for this database? I am working in a Windows environment.
The password isn't stored in an easily recoverable manner, and if you change the password, the application may not be able to access the database properly. You may find the password in the application settings or documentation, though.
If you decide to risk changing the postgres user's password, stop the application and PostgreSQL service, and then edit pg_hba.conf. Add (or change if it already exists) a line (if it doesn't exist, add it before any other "host...." lines):
host all all 127.0.0.1/32 trust
And restart the PostgreSQL service. That should give you access from localhost, where you could change the postgres user's password, or add yourself another user with the permissions you want. Then set the pg_hba.conf file back the way it was and restart.
I've encountered this similar problem, and I noticed that the default being set for PostgreSQL upon installation in my case is as follows:
username = postgres
password = ' '