RE: GRANT CONNECT ON DATABASE

From: M Sarwar <sarwarmd02(at)outlook(dot)com>
To: Edwin UY <edwin(dot)uy(at)gmail(dot)com>, Norbert Poellmann <np(at)ibu(dot)de>
Cc: "pgsql-admin(at)lists(dot)postgresql(dot)org" <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: RE: GRANT CONNECT ON DATABASE
Date: 2024-06-10 12:44:29
Message-ID: DM4PR19MB597871C16367EC841DDC943FD3C62@DM4PR19MB5978.namprd19.prod.outlook.com
Lists: pgsql-admin

We are using AWS RDS.
All the discussions with respect to this thread are applicable to AWS RDS.
Thanks,
Sarwar

Sent from my Galaxy

-------- Original message --------
From: Edwin UY <edwin(dot)uy(at)gmail(dot)com>
Date: 6/10/24 8:18 AM (GMT-05:00)
To: Norbert Poellmann <np(at)ibu(dot)de>
Cc: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: GRANT CONNECT ON DATABASE

Don't think I can do this as this is AWS RDS?

On Mon, Jun 10, 2024 at 10:59 PM Norbert Poellmann <np(at)ibu(dot)de> wrote:
On Mon, Jun 10, 2024 at 12:09:14PM +1200, Edwin UY wrote:
> Hi,
>
> A role was created as below:
> CREATE ROLE [blah] WITH NOLOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE
> NOREPLICATION VALID UNTIL 'infinity';
>
> Aren't the following SQLs supposed to give the role login access?
>
> ALTER ROLE [blah] WITH ENCRYPTED PASSWORD 'blahpassword' ;
> GRANT CONNECT ON DATABASE [blahdb] TO [blahuser] ;
>
> We're trying to take the minimalist approach for a user access to have
> access to only the tables he has created and only to a specific database
> and schema.

Hi,

I would suggest, additionally, the strictest doorman for your database
is a record in ${data_directory}/pg_hba.conf, example:

# TYPE DATABASE USER ADDRESS METHOD
hostssl blahdb blahuser 1.2.3.4/32 scram-sha-256

changes followed by a server reload.

cheers
Norbert Poellmann

>
> Regards,
> Ed
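
Added example, not part of any message in this thread: one way to give the role from the question login access while keeping it confined to one database and schema, using only SQL. It assumes a single role named blahuser, the database blahdb, and a hypothetical schema blahschema.

```sql
-- Added example. blahuser, blahdb and 'blahpassword' follow the thread's
-- placeholders; blahschema is a hypothetical schema name.
-- Run as a sufficiently privileged administrative role.

-- 1. A role created WITH NOLOGIN cannot authenticate, whatever password or
--    CONNECT privilege it holds. Check the attribute first.
SELECT rolname, rolcanlogin, rolvaliduntil
FROM pg_roles
WHERE rolname = 'blahuser';

-- 2. Add the LOGIN attribute together with the password.
ALTER ROLE blahuser WITH LOGIN PASSWORD 'blahpassword';

-- 3. PUBLIC holds CONNECT on a database by default, so an explicit grant
--    restricts nothing until that default is revoked. Other login roles that
--    use blahdb then need their own GRANT CONNECT. Repeat the REVOKE for
--    every other database this role must not reach.
REVOKE CONNECT ON DATABASE blahdb FROM PUBLIC;
GRANT CONNECT ON DATABASE blahdb TO blahuser;

-- 4. While connected to blahdb: give the role one schema to work in.
--    Tables it creates there are owned by it; tables owned by other roles
--    stay inaccessible unless someone grants privileges on them.
--    On PostgreSQL 14 and earlier PUBLIC may create objects in schema
--    public, so that default is revoked as well.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
CREATE SCHEMA IF NOT EXISTS blahschema;
GRANT USAGE, CREATE ON SCHEMA blahschema TO blahuser;
ALTER ROLE blahuser IN DATABASE blahdb SET search_path = blahschema;

-- 5. Verify the result: expect true, true, false.
SELECT has_database_privilege('blahuser', 'blahdb', 'CONNECT')    AS can_connect,
       has_schema_privilege('blahuser', 'blahschema', 'CREATE')   AS can_create,
       has_schema_privilege('blahuser', 'public', 'CREATE')       AS public_create;
```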
