Why can't I create a superuser in AWS Postgresql instance?
I have an AWS EC2 instance connecting to an RDS instance (Postgresql). When I created the RDS instance, I told it the DB root's username was: my_user1
and the password was password1
. Now I'm attempting to create a role and a super-user. But it fails:
$ createuser -P -d -s -e my_user2 --host myhost.com -U my_user1
Enter password for new role: XXXYYYZZZ
Enter it again: XXXYYYZZZ
Password: password1
CREATE ROLE my_user2 PASSWORD 'md5999999c0101a1d64afd57575e06f999c' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;
createuser: creation of new role failed: ERROR: must be superuser to create superusers
$
When I repeat the command without the -s
flag, it works:
$ createuser -P -d -e my_user2 --host myhost.com -U my_user1
Enter password for new role:
Enter it again:
Password:
CREATE ROLE my_user2 PASSWORD 'md5999999c0101a1d64afd57575e06f888c' NOSUPERUSER CREATEDB NOCREATEROLE INHERIT LOGIN;
$
So clearly, my_user1
doesn't have permissions to create a super-user. But this is the user I told RDS was my admin user! If my_user1
doesn't have permissions to create a super-user, who does? And how do I get their username/password from AWS?
Solution 1:
RDS instances are managed by Amazon. As such, to prevent you from breaking things like replication, your users - even the root user you set up when you create the instance - will not have full superuser privileges.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html
When you create a DB instance, the master user system account that you create is assigned to the rds_superuser role. The rds_superuser role is a pre-defined Amazon RDS role similar to the PostgreSQL superuser role (customarily named postgres in local instances), but with some restrictions. As with the PostgreSQL superuser role, the rds_superuser role has the most privileges on your DB instance and you should not assign this role to users unless they need the most access to the DB instance.
Solution 2:
If you list your current permissions with \du+
or \dg+
, you will notice you are not a superuser but only allowed permissions Create role, Create DB. As such you are not allowed to assign yourself permissions higher from the ones you are currently assigned with.
Normally you are not given root or superuser permissions in any hosted environment. I suggest you spin up a custom EC2 instance and install PostgreSQL locally for complete control.