Questions tagged with Aurora PostgreSQL
I received a notice that "Aurora PostgresSQL major version 10.x will be de-supported and will be upgraded automatically on 01/31/2023. You can initiate an upgrade of your database instance either immediately or during your next maintenance window to a newer major version of Amazon Aurora PostgreSQL using the AWS Management Console or the AWS Command Line Interface (CLI)."
I'd like to test the upgrade by having a dev database upgrade to v11 during the next maintenance window. Is there a way to trigger that? On the console under pending maintenance I only see the minor upgrade pending. Or should I upgrade manually?
Thanks.
Sometimes after we schedule a pending maintenance, we would want to un-schedule it because of newly discovered dependent applicative operations for that specific day, so a clear/reset apply date button would be helpful.
_tl;dr;_ I want to create a separate DB user account for each tenant in a SaaS, to support multi-tenant setup for PostgreSQL db using Row Level Security (RLS). It seems this isn't possible or practical with RDS Proxy because the SDK doesn't allow for easy management of secrets / credentials associated with RDS Proxy. What am I missing? How can I achieve a multi-tenant RLS setup with RDS Proxy and PostgreSQL RLS?
I'm trying to create a SaaS with a multi-tenant DB setup. RDS Aurora Postgres. **Each tenant in the database === a DB account** (see: https://aws.amazon.com/blogs/database/multi-tenant-data-isolation-with-postgresql-row-level-security/).
This was going fairly well when I was in the PoC stage, because I ignorantly put off storing DB secrets in secret manager and just had a few sample accounts setup to test things out.
That said, I've recently realized that with RDS Proxy you need to actually add each database credential to the proxy in order to be able to use that credential through the proxy... and that's not something that happens instantly, it can take an unknown amount of time for RDS Proxy to be updated, and frankly I'm not sure how well this would scale adding potentially hundreds or even thousands of credentials to RDS Proxy.
I had hoped / thought _maybe_ that using the "IAM Authentication" would solve the issue, but although it doesn't seem super well documented / clear (at least not through the AWS console), I _think_ IAM Authentication doesn't do anything for us unless we're using SQL server:
> IAM Authentication. Choose whether to require, allow, or disallow IAM authentication for connections to your proxy. **The allow option is only valid for proxies for RDS for SQL Server**. The choice of IAM authentication or native database authentication applies to all DB users that access this proxy.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-setup.html
If I'm misunderstanding something here I'd love to know, and would really appreciate any advice. I feel like I'm fighting a losing battle with my current approach and would love to know if there is something I'm missing that would salvage things!
If not, then I'm left either
1. Figure out how to programmatically add secrets / users to the DB Proxy - I think https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-rds/interfaces/modifydbproxyrequest.html#auth is perhaps _a_ mechanism I could use, but again it doesn't feel like it was really built for this - each time a user registered, it looks like I'd have to basically update the entire proxy, I can't "just" add a single user.
2. Switch away from the "each user in the SaaS has a separate DB user" approach to something else, essentially putting the onus of security back on the application layer (which was my entire goal of using RLS originally).
3. ??
Note that [the AWS documentation on RDS Proxy and adding database users](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-managing.html#rds-proxy-new-db-user) of course says that you can certainly add DB users, this I know, **the issue is adding users at scale, dynamically, via the SDK** - it just doesn't feel like RDS Proxy is designed for this (for understandable reasons I might add, I realize there is probably a fair amount of complexity hidden in RDS Proxy).
Hi AWS Team
When do you guys think we can get to use RDS Proxy for PostgreSQL major version 14? I know support was added for major version 13 early this year, so any launch plans in the upcoming weeks or months for 14?
When using Aurora PostgreSQL, to show the full text of SQL queries in Performance Insights, a customer plans to change the value of track_activity_query_size from 4kb (default) to 20kb. But the customer is concerned that this change could cause a performance issue, and they want to know what points they should check after changing this parameter (e.g. CPU usage rate, disk I/O rate, cache hit rate, etc.).
If you have any suggestion or idea, could you advise me?
When creating a read replica in a secondary region of Aurora PostgreSQL Global Database, if possible, we want to use the minimum instance size as much as possible to minimize our running cost because our use case of the read replica is just for DR under the pilot light strategy.
But we're concerned about the replication lag when we use a smaller instance size for the read replica in the secondary region than that of the primary cluster. Is there any risk of replication lag, or any other risk when adopting such an architecture?
I crawled a Postgres database using a JDBC crawler and it successfully created tables and is showing them in Glue > database > "db_name" > Tables. It has fetched the columns all right.
Now Athena shows 0/zero tables for this database, and if I write a query using 'db_name'.'table_name', it gives the following error.
HIVE_UNSUPPORTED_FORMAT: Unable to create input format
This query ran against the "facset-loader" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: fc373521-3501-442d-b5a2-eb583007bcc1.
But how come the created tables have format errors when they show perfectly in Glue?
Hi,
We are using the command put-scheduled-action to change the minimum capacity to 0 every day at a specific hour.
It accepts the change, but the scheduled action doesn't remove the read replica; the cluster stays with 1 read replica.
We tried to change the state of the alarm that starts the action, but the alarm's history shows that it started the action, yet the read replica was not removed.
The goal is to remove all read replicas after business hours when they are not in use, but if they are in use, it scales up when necessary, and in the morning we will use put-scheduled-action to bring the minimum back to 1.
Is there any way to make this work?
Best Regards,
tcanoas
I have a non-public DB Cluster & a Proxy (Aurora RDS PostgreSQL Serverless v2 13.7). It's in a VPC with private subnets. The Security Group is same for both Cluster and Proxy. Inbound rule allows TCP for Self Referenced Security Group on 5432 port. Outbound rule allows all traffic (0.0.0.0/0).
I have a Lambda function (Python) in the same VPC, subnets and Security Group. I have also created an IAM user and attached a Policy for rds-db:connect. Likewise, I have a similar policy attached to the Lambda also for rds-db:connect. I manually created this IAM user into PG database, but without password and attached rds_iam role.
However, I tried various ways to authenticate with the Proxy using IAM, but nothing seems to be working. I would really appreciate, if someone can please provide the code sample for this in Python. I am not even sure which certificate to use. Please help.
We have changed the RDS Postgres parameters by changing log_statement in the AWS RDS console. However, it is not reflected in pgAdmin. Can we assume that the log changes would be reflected back in pgAdmin (audit log)?
I am busy configuring the oracle_fdw to access data from on-premises Oracle databases in AWS RDS Aurora Postgres databases. When using a listener with a TCP port the connection works and the data is available.
However when using a listener using TCPS the connection fails with the below error:
ERROR: connection for foreign table "<TABLE_NAME?" cannot be established
DETAIL: ORA-12537: TNS:connection closed
SQL state: HV00N
Is it possible to import our organization root certificates into the "ssl_cert"file" to enable TCPS connections?
Hello,
According to the documentation, Aurora Read Replica for RDS Postgres is designed to be used as a migration step from RDS Postgres to Aurora.
I was thinking of adding read replica to RDS and realized that Aurora could also be used.
Are there any downsides, if Aurora read-replica was used for long term read-replication of RDS Postgres without actually ever fully migrating to Aurora but keeping the RDS instance instead?