https://github.com/nullstone-modules/gcp-postgres-access
Grants an application access to a newly-created postgresql database managed by GCP
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/nullstone-modules/gcp-postgres-access
- Owner: nullstone-modules
- License: mit
- Created: 2023-06-10T15:09:39.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2026-01-16T15:52:50.000Z (5 months ago)
- Last Synced: 2026-01-30T14:54:44.320Z (4 months ago)
- Language: HCL
- Size: 26.4 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
# gcp-postgres-access
Nullstone capability that grants a service access to a postgres database.
- Grant network access to the postgres cluster.
- Create database and user (with full access to database) in postgres.
- Inject credentials into application as environment variable (from secrets manager).
## How it works
This module performs database administration against the cluster using a GCP Cloud Function in the following steps:
1. Create long-lived database owner (role name will be same as database name)
2. Create database (owner will be the role with the same name)
3. Create app role (usually named `-`)
4. Grant membership to app role in database owner role
5. Set default schema privileges on app role (grants full access to database)
6. Set default grants on app role (when objects are created, the owner is set to long-lived database owner)
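The SQL below is an added illustration of those steps and is not the module's Cloud Function code. It uses the database name `webapp` and app role `webapp-zshgw` from the psql output in the next section; the password is a constructed placeholder, and the `\connect` line is a psql meta-command because `CREATE DATABASE` cannot run inside the transaction that grants privileges in the new database. The `ALTER ROLE ... SET ROLE` statement is one way (an assumption, not necessarily the module's) to make objects the app creates during migrations end up owned by the long-lived owner role, which is what the `pg_tables` output in the next section shows.

```sql
-- Added example, not the module's own code. Names: database/owner role "webapp",
-- app role "webapp-zshgw" (from the README's psql output). Password is a placeholder.

-- 1. Long-lived database owner: same name as the database, cannot log in.
CREATE ROLE "webapp" NOLOGIN;

-- 2. Database owned by that role.
CREATE DATABASE "webapp" OWNER "webapp";

-- 3. App role: the only credential handed to the application (via Secret Manager).
CREATE ROLE "webapp-zshgw" LOGIN PASSWORD 'REPLACE_WITH_VALUE_FROM_SECRET_MANAGER';

-- 4. Membership: the app role may act as the owner role (needed to alter
--    owner-owned tables during migrations and to create objects on its behalf).
GRANT "webapp" TO "webapp-zshgw";

-- Assumption (not from the README): new sessions of the app role switch to the
-- owner role, so tables created by migrations are owned by "webapp", not by
-- "webapp-zshgw" or by the cluster admin.
ALTER ROLE "webapp-zshgw" SET ROLE "webapp";

-- The remaining statements apply inside the new database.
\connect webapp

-- 5. Privileges on the schema and on anything that already exists in it.
GRANT USAGE, CREATE ON SCHEMA public TO "webapp-zshgw";
GRANT ALL PRIVILEGES ON ALL TABLES    IN SCHEMA public TO "webapp-zshgw";
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO "webapp-zshgw";
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO "webapp-zshgw";

-- 6. Default privileges for objects the app role creates later. No IN SCHEMA
--    clause, so they apply in every schema, matching the empty Schema column
--    of the \ddp output in the README (webapp=arwdDxt on tables, rwU on
--    sequences, X on functions, U on types, UC on schemas).
ALTER DEFAULT PRIVILEGES FOR ROLE "webapp-zshgw" GRANT ALL ON TABLES    TO "webapp";
ALTER DEFAULT PRIVILEGES FOR ROLE "webapp-zshgw" GRANT ALL ON SEQUENCES TO "webapp";
ALTER DEFAULT PRIVILEGES FOR ROLE "webapp-zshgw" GRANT ALL ON FUNCTIONS TO "webapp";
ALTER DEFAULT PRIVILEGES FOR ROLE "webapp-zshgw" GRANT ALL ON TYPES     TO "webapp";
ALTER DEFAULT PRIVILEGES FOR ROLE "webapp-zshgw" GRANT ALL ON SCHEMAS   TO "webapp";
```

Run it as the cluster admin once per database; nothing here is executed by the application itself, which only ever receives the `webapp-zshgw` credential.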
## Unable to run database migrations
Do not run database migrations as the admin user of your postgres cluster.
If you do, your database will be in a state where you will be unable to run database migrations on app startup.
If you want to recover from this situation, keep reading.
### What should my configuration look like?
After connecting to your cluster with `psql`, use the following commands to introspect your database.
The example shows what your database *should* look like with a database `webapp`.
The web application has access credentials for user `webapp-zshgw`.
```shell
webapp=> \dp
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+-------------------------------+----------+-----------------------------+-------------------+----------
public | ar_internal_metadata | table | postgres0=arwdDxt/postgres0+| |
| | | webapp=arwdDxt/postgres0 | |
(1 rows)
```
```shell
webapp=> \ddp
Default access privileges
Owner | Schema | Type | Access privileges
--------------+--------+----------+---------------------------------------
webapp-zshgw | | function | =X/"webapp-zshgw" +
| | | webapp=X/"webapp-zshgw" +
| | | "webapp-zshgw"=X/"webapp-zshgw"
webapp-zshgw | | schema | webapp=UC/"webapp-zshgw" +
| | | "webapp-zshgw"=UC/"webapp-zshgw"
webapp-zshgw | | sequence | webapp=rwU/"webapp-zshgw" +
| | | "webapp-zshgw"=rwU/"webapp-zshgw"
webapp-zshgw | | table | webapp=arwdDxt/"webapp-zshgw" +
| | | "webapp-zshgw"=arwdDxt/"webapp-zshgw"
webapp-zshgw | | type | =U/"webapp-zshgw" +
| | | webapp=U/"webapp-zshgw" +
| | | "webapp-zshgw"=U/"webapp-zshgw"
(5 rows)
```
```shell
webapp=> select * from pg_tables where schemaname='public';
schemaname | tablename | tableowner | tablespace | hasindexes | hasrules | hastriggers | rowsecurity
------------+------------------------+------------+------------+------------+----------+-------------+-------------
public | ar_internal_metadata | webapp | | t | f | f | f
(1 rows)
```
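As an added check (not part of the module's README), the queries below find objects in `public` whose owner is not the long-lived owner role. Because the module names that role after the database, `current_database()` is the expected owner; any table owned by someone else, typically the cluster admin that ran migrations by hand, is the situation the section above warns about. The final `ALTER TABLE` is the standard PostgreSQL way to hand such a table back and is shown as an example, not as the module's recovery procedure.

```sql
-- Added check, not the module's own code. Run while connected to the
-- application database (here "webapp", from the README's psql output).

-- Tables in public not owned by the database-owner role.
SELECT schemaname, tablename, tableowner
FROM pg_tables
WHERE schemaname = 'public'
  AND tableowner <> current_database();

-- Same check extended to sequences, views and materialized views, which
-- migrations also create and which \dp lists alongside tables.
SELECT n.nspname                     AS schemaname,
       c.relname,
       c.relkind,                       -- r=table, S=sequence, v=view, m=matview
       pg_get_userbyid(c.relowner)   AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'S', 'v', 'm')
  AND pg_get_userbyid(c.relowner) <> current_database();

-- Expected result on a healthy database: both queries return zero rows.
-- Handing a misowned table back to the owner role (run as the cluster admin,
-- one statement per row the queries returned; table name is illustrative):
-- ALTER TABLE public.ar_internal_metadata OWNER TO "webapp";
```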