Why can't I create a superuser in AWS Postgresql instance?

amazon-web-services postgresql amazon-rds

57,704

Solution 1

RDS instances are managed by Amazon. As such, to prevent you from breaking things like replication, your users - even the root user you set up when you create the instance - will not have full superuser privileges.

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html

When you create a DB instance, the master user system account that you create is assigned to the rds_superuser role. The rds_superuser role is a pre-defined Amazon RDS role similar to the PostgreSQL superuser role (customarily named postgres in local instances), but with some restrictions. As with the PostgreSQL superuser role, the rds_superuser role has the most privileges on your DB instance and you should not assign this role to users unless they need the most access to the DB instance.

Solution 2

If you list your current permissions with \du+ or \dg+, you will notice you are not a superuser but only allowed permissions Create role, Create DB. As such you are not allowed to assign yourself permissions higher from the ones you are currently assigned with.

Normally you are not given root or superuser permissions in any hosted environment. I suggest you spin up a custom EC2 instance and install PostgreSQL locally for complete control.

57,704

Saqib Ali

Updated on September 18, 2022

Comments

Saqib Ali over 1 year
I have an AWS EC2 instance connecting to an RDS instance (Postgresql). When I created the RDS instance, I told it the DB root's username was: my_user1 and the password was password1. Now I'm attempting to create a role and a super-user. But it fails:
```
$ createuser -P -d -s -e my_user2 --host myhost.com -U my_user1
Enter password for new role: XXXYYYZZZ
Enter it again: XXXYYYZZZ
Password: password1
CREATE ROLE my_user2 PASSWORD 'md5999999c0101a1d64afd57575e06f999c' SUPERUSER CREATEDB  CREATEROLE INHERIT LOGIN;
createuser: creation of new role failed: ERROR:  must be superuser to create superusers
$
```
When I repeat the command without the -s flag, it works:
```
$ createuser -P -d -e my_user2 --host myhost.com  -U my_user1
Enter password for new role:
Enter it again:
Password:
CREATE ROLE my_user2 PASSWORD 'md5999999c0101a1d64afd57575e06f888c' NOSUPERUSER CREATEDB NOCREATEROLE INHERIT LOGIN;
$
```
So clearly, my_user1 doesn't have permissions to create a super-user. But this is the user I told RDS was my admin user! If my_user1 doesn't have permissions to create a super-user, who does? And how do I get their username/password from AWS?
- Saqib Ali over 9 years
  
  Drookie, is this file on the RDS instance itself? I haven't even SSHed onto that machine yet.
- ceejayoz over 9 years
  
  @SaqibAli You can't SSH into a RDS instance.
chovy over 5 years

is there really no way to backup an amazon rds database with pg_dump otherwise?
Spike over 4 years

@chovy, try granting the db owner role to your user.