Creating Postgres users v23.41.0

Suggest edits

To create Postgres users during deployment, add entries to the list of postgres_users under cluster_vars or a particular instance's vars in config.yml:

cluster_vars:
  postgres_users:
  - username: example

  - username: otheruser
    generate_password: true
    role_attrs:
    - superuser
    - replication
    granted_roles:
    - r1
    - r2

The example above would create two users (apart from any users that TPA itself decides to create, such as repmgr or barman).

Each entry must specify the username to create.

Any roles in the granted_roles list will be granted to the newly-created user.

The role_attrs list may contain certain CREATE ROLE options such as [NO]SUPERUSER, [NO]CREATEDB, [NO]LOGIN (to create a user or a role) etc.

Password generation

By default, TPA will generate a random password for the user, and store it in a vault-encrypted variable named <username>_password in the cluster's inventory. You can retrieve the value later:

tpaexec show-password ~/clusters/speedy example

Output:

beePh~iez6lie4thi5KaiG%eghaeT]ai

You cannot explicitly specify a password in config.yml, but you can store a different <username>_password in the inventory instead:

tpaexec store-password ~/clusters/speedy example --random
tpaexec show-password ~/clusters/speedy example

Output:

)>tkc}}k1y4&epaJ?;NJ:l'uT{C7D*<p

tpaexec store-password ~/clusters/speedy example

Enter password at the prompt.

Output:

Password:

tpaexec show-password ~/clusters/speedy example

Output:

terrible insecure password

If you don't want the user to have a password at all, you can set generate_password: false.

On this page
Password generation

← Prev

The postgres Unix user

↑ Up

Reference