Postgresql – RDS Postgres chicken-and-egg problem altering roles

amazon-rdsawspostgresql

I just created an RDS Postgres instance, the user postgres (and it's master password), and connected via psql as user postgres.

Then I ran the script generated from the current system using pg_dumpall --schema-only, and it immediately failed on the ALTER ROLE commands:

ERROR:  must be superuser to alter superusers

Ok, but how do I grant superuser to postgres? All of the documentation I've found "conveniently" skips that part…

EDIT: Here are the exact commands and error message:

postgres=> CREATE ROLE "READONLY";
CREATE ROLE
postgres=> ALTER ROLE "READONLY" WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'mdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
ERROR:  must be superuser to alter superusers

Best Answer

Your RDS master user is not a superuser.

ALTER ROLE changes the attributes of a PostgreSQL role. [...]

Roles having CREATEROLE privilege can change any of these settings except SUPERUSER, REPLICATION, and BYPASSRLS...

Omit incompatible settings from your ALTER ROLE command.

Related Solutions

Postgresql – Why isn’t postgres prompting me about a new user

It seems that there are two distinct questions here.

Why don't the createuser instructions apply?

It's because they apply to PostgreSQL 9.1 or older, and not the newest versions. createuser now has a new flag --interactive. Per documentation:

--interactive Prompt for the user name if none is specified on the command line, and also prompt for whichever of the options -d/-D, -r/-R, -s/-S is not specified on the command line. (This was the default behavior up to PostgreSQL 9.1.)

So by adding this flag you'll get back to the behavior described by the tutorial.
Once the user is created, why does createdb fails with a password authentication problem?

It's because you're not using your newly created user to create the database, although it's what would seem to make sense in this context.

Generally with all PostgreSQL command line tools, when a user is not specified on the command line, the OS user is assumed instead (but it's only useful when there happens to be a database user named after the OS user, otherwise that may unfortunately be a source of confusion).

Anyway, instead of createdb newdb_name, try:

createdb -U newusername newdb_name

Then you should be asked for the password of newusername that you created in the step above.

Technically createdb has to connect to a database (template1 in this case) to be able to create another database, because this is done by a SQL statement and no SQL can be issued when you're not connected to a database in the first place.

Also by doing this newusername will be the database owner of newdb_name, that will give it full over control over it and is probably what your application needs.

Mysql – New users not working on MySQL 5.6 in Amazon RDS

I forgot that I had created a stored procedure to set the time zone after every connection made.

Looking at the server log I found that the problem was that the new users didn't have permission to execute it.

Best Answer

Related Solutions

Postgresql – Why isn’t postgres prompting me about a new user

Mysql – New users not working on MySQL 5.6 in Amazon RDS

Related Question