Creating Postgres users v23

To create Postgres users during deployment, add entries to the list of postgres_users under cluster_vars or a particular instance's vars in config.yml:

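  cluster_vars:
    postgres_users:
    - username: example

    - username: otheruser
      generate_password: true
      # CREATE ROLE options for this user
      role_attrs:
      - superuser
      - replication
      # existing roles to grant to this user
      granted_roles:
      - r1
      - r2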

The example above would create two users (apart from any users that TPA itself decides to create, such as repmgr or barman).

Each entry must specify the username to create.

Any roles in the granted_roles list will be granted to the newly-created user.

The role_attrs list may contain certain CREATE ROLE options such as [NO]SUPERUSER, [NO]CREATEDB, [NO]LOGIN (to create a user or a role) etc.

Password generation

By default, TPA will generate a random password for the user, and store it in a vault-encrypted variable named <username>_password in the cluster's inventory. You can retrieve the value later:

$ tpaexec show-password ~/clusters/speedy example

You cannot explicitly specify a password in config.yml, but you can store a different <username>_password in the inventory instead:

$ tpaexec store-password ~/clusters/speedy example --random
$ tpaexec show-password ~/clusters/speedy example
$ tpaexec store-password ~/clusters/speedy example
$ tpaexec show-password ~/clusters/speedy example
terrible insecure password

If you don't want the user to have a password at all, you can set generate_password: false.
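A pre-deployment review of postgres_users entries, covering the role_attrs and generate_password settings described above. This is an added example, not part of TPA; the set of attributes treated as high-privilege, the assumption that a role not marked nologin can log in, the check for a hypothetical password key, and the sample entries are all assumptions made for illustration.

```python
# Added example: review postgres_users entries before deployment.
# HIGH_PRIVILEGE is an assumed review policy, not something TPA defines.
HIGH_PRIVILEGE = {"superuser", "createrole", "replication", "bypassrls"}


def audit_postgres_users(users):
    """Return (username, finding) tuples for a parsed postgres_users list."""
    findings = []
    for i, entry in enumerate(users):
        name = entry.get("username")
        if not name:
            # Every entry must specify the username to create.
            findings.append((f"<entry {i}>", "missing username"))
            continue
        attrs = {str(a).lower() for a in entry.get("role_attrs", [])}
        for attr in sorted(attrs & HIGH_PRIVILEGE):
            findings.append((name, f"high-privilege attribute {attr.upper()}"))
        # A password is generated unless generate_password is false.
        # Assumption: a role not marked nologin is able to log in.
        if entry.get("generate_password", True) is False and "nologin" not in attrs:
            findings.append((name, "no password and not NOLOGIN; confirm how it authenticates"))
        # Hypothetical key: passwords cannot be specified in config.yml.
        if "password" in entry:
            findings.append((name, "password key in config.yml; use tpaexec store-password"))
    return findings


# Constructed sample: the list yaml.safe_load would return for postgres_users.
SAMPLE_USERS = [
    {"username": "example"},
    {"username": "otheruser", "generate_password": True,
     "role_attrs": ["superuser", "replication"], "granted_roles": ["r1", "r2"]},
    {"username": "svc_nopw", "generate_password": False},
    {"username": "group_role", "generate_password": False, "role_attrs": ["nologin"]},
    {"role_attrs": ["createdb"]},
]

if __name__ == "__main__":
    for user, finding in audit_postgres_users(SAMPLE_USERS):
        print(f"{user}: {finding}")
```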