Why can't I create a superuser in AWS Postgresql instance?

postgresql amazon-web-services amazon-rds

I have an AWS EC2 instance connecting to an RDS instance (Postgresql). When I created the RDS instance, I told it the DB root's username was: my_user1 and the password was password1. Now I'm attempting to create a role and a super-user. But it fails:

$ createuser -P -d -s -e my_user2 --host myhost.com -U my_user1
Enter password for new role: XXXYYYZZZ
Enter it again: XXXYYYZZZ
Password: password1
CREATE ROLE my_user2 PASSWORD 'md5999999c0101a1d64afd57575e06f999c' SUPERUSER CREATEDB  CREATEROLE INHERIT LOGIN;
createuser: creation of new role failed: ERROR:  must be superuser to create superusers
$

When I repeat the command without the -s flag, it works:

$ createuser -P -d -e my_user2 --host myhost.com  -U my_user1
Enter password for new role:
Enter it again:
Password:
CREATE ROLE my_user2 PASSWORD 'md5999999c0101a1d64afd57575e06f888c' NOSUPERUSER CREATEDB NOCREATEROLE INHERIT LOGIN;
$

So clearly, my_user1 doesn't have permissions to create a super-user. But this is the user I told RDS was my admin user! If my_user1 doesn't have permissions to create a super-user, who does? And how do I get their username/password from AWS?


Solution 1:

RDS instances are managed by Amazon. As such, to prevent you from breaking things like replication, your users - even the root user you set up when you create the instance - will not have full superuser privileges.

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html

When you create a DB instance, the master user system account that you create is assigned to the rds_superuser role. The rds_superuser role is a pre-defined Amazon RDS role similar to the PostgreSQL superuser role (customarily named postgres in local instances), but with some restrictions. As with the PostgreSQL superuser role, the rds_superuser role has the most privileges on your DB instance and you should not assign this role to users unless they need the most access to the DB instance.

Solution 2:

If you list your current permissions with \du+ or \dg+, you will notice you are not a superuser but only allowed permissions Create role, Create DB. As such you are not allowed to assign yourself permissions higher from the ones you are currently assigned with.

Normally you are not given root or superuser permissions in any hosted environment. I suggest you spin up a custom EC2 instance and install PostgreSQL locally for complete control.

Related

Amazon EC2 Data Persistence
How to get system locale in Windows 7 cmd?
Disabling URL decoding in nginx proxy
Why does a Docker container running a server expose port to the outside world even though said port is blocked by iptables?
How to view hidden files using Linux `find` command
How do I set the date format to ISO globally in Linux?
Remote Desktop from Linux to Computer that Requires Network Level Authentication
How is DNS related to Active Directory and what are some common configurations that I should be aware of?
KVM and Libvirt - How do I hotplug a new virtio disk?
How can I export URL rewrite rules?
How do I limit MS SQL Server memory usage?
Force "net user" command to set password longer than 14 characters