{"id":44267735,"url":"https://github.com/nullstone-modules/pg-db-admin","last_synced_at":"2026-02-10T18:37:27.031Z","repository":{"id":164567429,"uuid":"382637488","full_name":"nullstone-modules/pg-db-admin","owner":"nullstone-modules","description":null,"archived":false,"fork":false,"pushed_at":"2025-12-23T16:32:15.000Z","size":180,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-01-30T14:55:35.465Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nullstone-modules.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-07-03T14:37:36.000Z","updated_at":"2025-12-23T16:32:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"faa881bf-f01d-472f-9f29-e443c2811d44","html_url":"https://github.com/nullstone-modules/pg-db-admin","commit_stats":null,"previous_names":["nullstone-io/pg-db-admin"],"tags_count":57,"template":false,"template_full_name":null,"purl":"pkg:github/nullstone-modules/pg-db-admin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nullstone-modules%2Fpg-db-admin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nullstone-modules%2Fpg-db-admin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nullstone-modules%2Fpg-db-admin/releases","manifests_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/repositories/nullstone-modules%2Fpg-db-admin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nullstone-modules","download_url":"https://codeload.github.com/nullstone-modules/pg-db-admin/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nullstone-modules%2Fpg-db-admin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29311362,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-10T17:48:59.043Z","status":"ssl_error","status_checked_at":"2026-02-10T17:45:37.240Z","response_time":65,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-10T18:37:26.191Z","updated_at":"2026-02-10T18:37:27.008Z","avatar_url":"https://github.com/nullstone-modules.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pg-db-admin\r\n\r\nThis is a utility to administer postgres databases that are behind a firewall.\r\n\r\nUsing a lambda that is on the same VPC as the database, this utility can ensure a database exists with a specific owner.\r\nThis utilizes AWS IAM to secure administration instead of using an SSH Tunnel or VPN.\r\nThis also limits the actions that a user can take, making it extremely hard to perform malicious commands.\r\n\r\n## AWS Lambda 
setup\r\n\r\nThe Lambda requires specific configuration to work properly:\r\n\r\n- A SecretsManager Secret containing the connection string as a postgres URL.\r\n- `DB_CONN_URL_SECRET_ID` env var containing the ARN of the AWS SecretsManager Secret.\r\n- The execution role must have access to the above secret.\r\n- The executing lambda must have network access to the postgres cluster.\r\n\r\n## How it works\r\n\r\nThere are 3 actions that the AWS code performs to grant database access:\r\n- `create-database`\r\n- `create-user`\r\n- `create-db-access`\r\n\r\n### `create-database`\r\n\r\nThis action performs the following steps:\r\n1. Ensures that a new user exists whose role name is `databaseName`.\r\n2. Ensures that a database with the injected `databaseName` exists.\r\n3. The newly-created database is owned by the `databaseName` role.\r\n\r\n### `create-user`\r\n\r\nThis action performs the following steps:\r\n1. Ensures that the user `username` exists.\r\n2. If the `username` role already exists, sets the password to `password`.\r\n\r\n### `create-db-access`\r\n\r\nThis action performs the following steps:\r\n1. Adds `username` as a member of the role that owns the database.\r\n2. Alters `username` so that the database owner has access to any schema objects created by `username`.\r\n3. Grants all privileges on the `databaseName` database and the `public` schema in `databaseName`.\r\n\r\n## In Practice\r\n\r\nIn practice, the following should be true.\r\n\r\n1. An application role runs migrations to create and alter schema objects.\r\n2. Implicitly, this application role owns newly-created schema objects.\r\n3. All application roles are members of the role that owns the database -- giving them implicit access to all schema objects.\r\n4. 
The database owner role is given access to all schema objects (present and future).\r\n\r\nIt's important to note that an application user created for a worker application typically does not perform migrations.\r\nThis application user is granted access to schema objects because it has membership in the database owner role (which has explicit access to schema objects).\r\n\r\n## Repair database\r\n\r\nIn early versions of this module (below v0.2.0), schema objects were created and managed differently.\r\nYour database may be left in a bad state.\r\nTo fix, follow these steps:\r\n1. Set the database owner to a role with the same name as the database.\r\n2. Ensure all application roles have membership to the database owner role.\r\n3. Alter default privileges `FOR ROLE \u003capplication-role\u003e` `TO \u003cdatabase-owner-role\u003e`.\r\n4. Grant privileges to all schema objects to application role on database and schema.\r\n5. Set ownership of tables to any application role.\r\n\r\n### Example access privilege outputs\r\n\r\n```shell\r\noracle-\u003e \\dp\r\n                                          Access privileges\r\n Schema |         Name          | Type  |      Access privileges      | Column privileges | Policies \r\n--------+-----------------------+-------+-----------------------------+-------------------+----------\r\n public | expiring_downloads    | table | postgres0=arwdDxt/postgres0+|                   | \r\n        |                       |       | oracle=arwdDxt/postgres0    |                   | \r\n public | flyway_schema_history  | table | postgres0=arwdDxt/postgres0+|                   | \r\n        |                       |       | oracle=arwdDxt/postgres0    |                   | \r\n public | module_artifacts      | table | postgres0=arwdDxt/postgres0+|                   | \r\n        |                       |       | oracle=arwdDxt/postgres0    |                   | \r\n public | module_versions       | table | postgres0=arwdDxt/postgres0+|    
               | \r\n        |                       |       | oracle=arwdDxt/postgres0    |                   | \r\n public | modules               | table | postgres0=arwdDxt/postgres0+|                   | \r\n        |                       |       | oracle=arwdDxt/postgres0    |                   | \r\n(5 rows)\r\n\r\noracle-\u003e \\ddp\r\n                        Default access privileges\r\n    Owner     | Schema |   Type   |           Access privileges           \r\n--------------+--------+----------+---------------------------------------\r\n oracle-zshgw |        | function | =X/\"oracle-zshgw\"                    +\r\n              |        |          | oracle=X/\"oracle-zshgw\"              +\r\n              |        |          | \"oracle-zshgw\"=X/\"oracle-zshgw\"\r\n oracle-zshgw |        | schema   | oracle=UC/\"oracle-zshgw\"             +\r\n              |        |          | \"oracle-zshgw\"=UC/\"oracle-zshgw\"\r\n oracle-zshgw |        | sequence | oracle=rwU/\"oracle-zshgw\"            +\r\n              |        |          | \"oracle-zshgw\"=rwU/\"oracle-zshgw\"\r\n oracle-zshgw |        | table    | oracle=arwdDxt/\"oracle-zshgw\"        +\r\n              |        |          | \"oracle-zshgw\"=arwdDxt/\"oracle-zshgw\"\r\n oracle-zshgw |        | type     | =U/\"oracle-zshgw\"                    +\r\n              |        |          | oracle=U/\"oracle-zshgw\"              +\r\n              |        |          | \"oracle-zshgw\"=U/\"oracle-zshgw\"\r\n(5 rows)\r\n```\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnullstone-modules%2Fpg-db-admin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnullstone-modules%2Fpg-db-admin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnullstone-modules%2Fpg-db-admin/lists"}