Managing Postgres access
You control access to your Postgres database by database authentication implemented by creating databases with specific roles and privileges. Database authentication differs from portal authentication, which controls access to the BigAnimal portal.
For information on portal authentication, see:
- Setting up your identity provider if you purchased BigAnimal directly from EDB, or
- Setting up your Azure Marketplace account if you purchased BigAnimal through Azure Marketplace
Setting up your database authentication
Don't use the edb_admin database role and edb_admin database created when creating your cluster in your application. Instead, create a new database role and a new database, which provides a high level of isolation in Postgres. If multiple applications are using the same cluster, each database can also contain multiple schemas, essentially a namespace in the database. If strict isolation is needed, use a dedicated cluster or dedicated database. If that strict isolation level isn't required, you can deploy a single database with multiple schemas. Refer to Privileges in the PostgreSQL documentation to further customize ownership and roles to your requirements.
To create a new role and database, first connect using psql:
psql -W "postgres://edb_admin@xxxxxxxxx.xxxxx.biganimal.io:5432/edb_admin?sslmode=require"
Note
Avoid storing data in the postgres system database.
Notes on the edb_admin role
The
edb_adminrole does not have superuser privileges by default. Contact Support to request superuser privileges foredb_admin. If you request superuser privileges, you must take care to limit the number of connections used by superusers to avoid degraded service and/or compromising availability.Note
Superuser privileges allow you to make Postgres configuration changes using
ALTER SYSTEMqueries. We recommend you don't do this because it may lead to an unpredictable/unrecoverable state of the cluster. In addition,ALTER SYSTEMchanges are not replicated across the cluster.Changes to system configuration (GUCs) made by edb_admin or other Postgres users are not persisted though a reboot or maintenance. Use the BigAnimal portal to modify system configuration.
You have to remember your
edb_adminpassword as EDB does not have access to it. If you forget it, you can set a new one in the BigAnimal portal on the Edit Cluster page.Don't use the
edb_adminuser or theedb_admindatabase in your applications. Instead, useCREATE USER; GRANT; CREATE DATABASE.BigAnimal stores all database-level authentication securely and directly in PostgreSQL. The
edb_adminuser password is SCRAM-SHA-256 hashed prior to storage. This hash, even if compromised, cannot be replayed by an attacker to gain access to the system.
One database with one application
For one database hosting a single application, replace app1 with your preferred user name:
Create a new database user. For example,
edb_admin=# create user app1 with password 'app1_pwd';
Assign the new role to your
edb_adminuser. Assigning this role allows you to assign ownership to the new user in the next step. For example:edb_admin=# grant app1 to edb_admin;
Create a new database to store application data. For example:
edb_admin=# create database app1 with owner app1;
Using this example, the username and database in your connection string is app1.
One database with multiple schemas
If a single database is used to host multiple schemas, create a database owner and then roles and schemas for each application. This example shows creating two database roles and two schemas. The default search_path for database roles in BigAnimal is "$user",public. If the role name and schema match, then objects in that schema match first, and no search_path changes or fully qualifying of objects are needed. The PostgreSQL documentation covers the schema search path in detail.
Create a database owner and new database. For example:
edb_admin=# create user prod_admin with password 'prod_pwd'; edb_admin=# create database prod1 with owner prod_admin;
Connect to the new database. For example:
edb_admin=# \c prod1
Create new application roles. For example:
prod1=# create user app1 with password 'app1_pwd'; prod1=# grant app1 to edb_admin; prod1=# create user app2 with password 'app2_pwd'; prod1=# grant app2 to edb_admin;
Create a new schema for each application with the AUTHORIZATION clause for the application owner. For example:
prod1=# create schema app1 authorization app1; prod1=# create schema app2 authorization app2;
IAM authentication for Postgres
Any AWS user with an AWS account connected to a BigAnimal subscription who has the Postgres role of "iam_aws" can authenticate to the database using their AWS IAM credentials.
Configuring IAM for Postgres
Provision your cluster before configuring IAM for Postgres.
In BigAnimal, turn on the IAM authentication feature when creating or modifying the cluster:
- On the Additional Settings tab, under Authentication, select Identity and Access Management (IAM) Authentication.
- Select Create Cluster or Save.
Note
To turn on IAM authentication using the CLI, see the Using IAM authentication on AWS section in the Using the BigAnimal CLI topic.
In AWS, get the ARN of each IAM user requiring database access. In the AWS account connected to BigAnimal, use AWS Identity and Access Management (IAM) to perform user management. See the AWS documentation.
In Postgres, if the IAM role doesn’t exist yet, run this Postgres command:
CREATE ROLE "iam_aws";
For each IAM user, run this Postgres command:
CREATE USER "<ARN>" IN ROLE iam_aws;
Logging in to Postgres using IAM credentials
If IAM integration is configured for your cluster, you can log in to Postgres using your AWS Amazon Resource Name (ARN) and access key. Using this ARN + access key combination allows you to connect to your Postgres database using your AWS IAM standard credentials.
You can continue to log in using your Postgres username and password. However, doing so doesn’t provide IAM authentication even if this feature is configured.
- Using your AWS CLI or Cloud shell, obtain your ARN and access key. For guidance on obtaining your ARN and access key, see Managing access keys for IAM users.
- Connect to Postgres using your IAM credentials.
- When prompted for the password, enter your access key (<access key ID>:<secret access key>).
Using IAM authentication CLI commands
For information on integrating with IAM on AWS using the CLI, see IAM authentication CLI commands.