Why can't I create a superuser in AWS Postgresql instance?

Question

I have an AWS EC2 instance connecting to an RDS instance (Postgresql). When I created the RDS instance, I told it the DB root's username was: my_user1 and the password was password1. Now I'm attempting to create a role and a super-user. But it fails:

$ createuser -P -d -s -e my_user2 --host myhost.com -U my_user1
Enter password for new role: XXXYYYZZZ
Enter it again: XXXYYYZZZ
Password: password1
CREATE ROLE my_user2 PASSWORD 'md5999999c0101a1d64afd57575e06f999c' SUPERUSER CREATEDB  CREATEROLE INHERIT LOGIN;
createuser: creation of new role failed: ERROR:  must be superuser to create superusers
$

When I repeat the command without the -s flag, it works:

$ createuser -P -d -e my_user2 --host myhost.com  -U my_user1
Enter password for new role:
Enter it again:
Password:
CREATE ROLE my_user2 PASSWORD 'md5999999c0101a1d64afd57575e06f888c' NOSUPERUSER CREATEDB NOCREATEROLE INHERIT LOGIN;
$

So clearly, my_user1 doesn't have permissions to create a super-user. But this is the user I told RDS was my admin user! If my_user1 doesn't have permissions to create a super-user, who does? And how do I get their username/password from AWS?

does the pg_hba.conf say the authentication scheme is peer for local users ? — drookie, Jan 22 '15 at 20:19
Drookie, is this file on the RDS instance itself? I haven't even SSHed onto that machine yet. — Saqib Ali, Jan 22 '15 at 20:42

score 30 · Answer 1 · answered Jan 22 '15 at 21:38

RDS instances are managed by Amazon. As such, to prevent you from breaking things like replication, your users - even the root user you set up when you create the instance - will not have full superuser privileges.

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html

When you create a DB instance, the master user system account that you create is assigned to the rds_superuser role. The rds_superuser role is a pre-defined Amazon RDS role similar to the PostgreSQL superuser role (customarily named postgres in local instances), but with some restrictions. As with the PostgreSQL superuser role, the rds_superuser role has the most privileges on your DB instance and you should not assign this role to users unless they need the most access to the DB instance.

i can't backup my database without the super user flag using `pg_dump`. Is there a way around this with rds on aws? — chovy, Nov 18 '18 at 05:57

score 3 · Answer 2 · edited Apr 05 '19 at 18:20

3

If you list your current permissions with \du+ or \dg+, you will notice you are not a superuser but only allowed permissions Create role, Create DB. As such you are not allowed to assign yourself permissions higher from the ones you are currently assigned with.

Normally you are not given root or superuser permissions in any hosted environment. I suggest you spin up a custom EC2 instance and install PostgreSQL locally for complete control.

edited Apr 05 '19 at 18:20

Dennis

109
4

answered Jan 18 '17 at 13:49

Gorazd Zagar

51
3

2

is there really no way to backup an amazon rds database with pg_dump otherwise? – chovy Nov 18 '18 at 05:58

Dave Babler · Answer 3 · 2022-07-23T17:51:22.080

0

The closest workaround I've been able to come up with is to do a:

GRANT "masteruser" TO "MyUser";

It isn't great, it isn't a superuser, but it's going to get you the most amount of permissions Amazon will let you have.

edited Jul 23 '22 at 17:51

answered Jul 23 '22 at 17:49

Dave Babler

1
1

Why can't I create a superuser in AWS Postgresql instance?

3 Answers3