Tập tành học PostgreSQL tutorial trên AWS

Tập tành học PostgreSQL tutorial trên AWS

Share Everywhere

Table of contents

#1. Connecting to an AWS DB Instance Running the PostgreSQL Database Engine using psql:

You can use a local instance of the psql command line utility to connect to a PostgreSQL DB instance. You need either PostgreSQL or the psql client installed on your client computer.

Use one of the following formats to connect to a PostgreSQL DB instance on Amazon RDS. When you connect, you’re prompted for a password. For batch jobs or scripts, use the –no-password option:

psql \\\\
   --host=<DB instance endpoint> \\\\
   --port=<port> \\\\
   --username=<master user name> \\\\
   --password \\\\
   --dbname=<database name>

For example, the following command connects to a database called mypgdb on a PostgreSQL DB instance called mypostgresql using fictitious credentials:

psql --host=mypostgresql.c6c8mwvfdgv0.us-west-2.rds.amazonaws.com --port=5432 --username=awsuser --password --dbname=mypgdb


  • In the case that you do not use RDS, and want to login to psql console: The PostgreSQL installation creates a “UNIX USER” called postgres, who is ALSO the “Default PostgreSQL’s SUPERUSER”. To run psql using “UNIX USER” postgres, you need to invoke:
sudo -u postgres psql
  • The PostgreSQL’s prompt is in the format of databaseName=# for superuser or databaseName=> for regular user. In this case, the current database is also called postgres, which is the same as the username.
  • The prompt changes to -# (superuser) or -> (regular user) for command continuation.
  • Type help to see the help menu.
  • Type \\\\qto quit.
  • Type \\\\? to see all the psql commands.
  • You need to end a SQL statement with a semicolon (;) or \g (for GO) to execute the statement. For example, in “SELECT version();”.
  • Comments: In a SQL script or command, an end-of-line comment begins with –; a block comment is enclosed by /* and */

#2. Working with database:

2.1. Basic commands:

A running PostgreSQL server can manage many databases. Typically, a separate database is used for each project or for each user.

  • List all databases: List all databases via \l (or \list), or \l+ for more details:
Tập tành học PostgreSQL tutorial trên AWS
  • Help on SQL command syntax:
\\\\h <command>

For example:

Tập tành học PostgreSQL tutorial trên AWS
  • Create a new database called mytest:

By default, the owner of the database is the current login user.

Tập tành học PostgreSQL tutorial trên AWS
  • Connect to mytest database via \c (or \connect):
\\\\c mytest

You can display all tables (aka relations) via \dt or \dt+ for more details.

  • We will be using an enumeration (TYPE) in our table, let’s define it:
CREATE TYPE cat_enum AS ENUM ('coffee', 'tea');

Display all types via /dT or /dT+ for more details:

  • Create a new table:
  id SERIAL PRIMARY KEY,        -- AUTO_INCREMENT integer, as primary key
  category cat_enum NOT NULL,   -- Use the enum type defined earlier
  name VARCHAR(50) NOT NULL,    -- Variable-length string of up to 50 characters
  price NUMERIC(5,2) NOT NULL,  -- 5 digits total, with 2 decimal places
  last_update DATE              -- 'YYYY-MM-DD'
  • Display all tables in the current database, via \dt or \dt+ for more details:
Tập tành học PostgreSQL tutorial trên AWS
  • Display details of a particular table:
\\\\d+ cafe
  • Insert rows:
INSERT INTO cafe (category, name, price) VALUES
  ('coffee', 'Espresso', 3.19),
  ('coffee', 'Cappuccino', 3.29),
  ('coffee', 'Caffe Latte', 3.39),
  ('coffee', 'Caffe Mocha', 3.49),
  ('coffee', 'Brewed Coffee', 3.59),
  ('tea', 'Green Tea', 2.99),
  ('tea', 'Wulong Tea', 2.89);

The output shows the OID (Object Identification Number) and the rows affected. — Query (SELECT):

Tập tành học PostgreSQL tutorial trên AWS
  • Update:
UPDATE cafe SET price = price * 1.1 WHERE category = 'tea';
  • Delete:
DELETE FROM cafe WHERE id = 6;
Tập tành học PostgreSQL tutorial trên AWS


+) Take note that there are two sets of commands:

  • psql commands: such as \\\\c\\\\l\\\\dt.
  • SQL commands: such as CREATE DATABASECREATE TABLE and SELECT. SQL command KEYWORDS are not case sensitive. I show them in uppercase for clarity. PostgreSQL automatically converts all names (identifiers) to lowercase (even you type in uppercase or mixed case). To use uppercase or mixed case, you need to double-quote the names.

+) You need to end your SQL commands with a semi-colon (;) or \g. If you forget to enter a semi-colon, the command-prompt changes to “dbname-#” to indicate continuation (A SQL command can span many lines). You can enter the semi-colon on the new line.

More on psql commands:

+) \\\\?: show all psql commands.

+) \\\\h sql-command: show syntax on SQL command.

+) \\\\c dbname [username]: Connect to database, with an optional username (or \connect).

+) Display Commands: You can append + to show more details.

  • \\\\l: List all database (or \list).
  • \\\\d: Display all tables, indexes, views, and sequences.
  • \\\\dt: Display all tables.
  • \\\\di: Display all indexes.
  • \\\\dv: Display all views.
  • \\\\ds: Display all sequences.
  • \\\\dT: Display all types.
  • \\\\dS: Display all system tables.
  • \\\\du: Display all users.
  • \\\\x auto|on|off: Toggle|On|Off expanded output mode.

2.2. Using Utility “createuser” and “createdb”:

As an example, let’s create a PostgreSQL user called testuser, and a new database called testdb owned by testuser.

  • Create a new PostgreSQL user called testuser, allow user to login, but NOT creating databases:
sudo -u postgres createuser --login --pwprompt testuser
  • Create a new database called testdb, owned by testuser:
sudo -u postgres createdb --owner=testuser testdb
  • Tailor the PostgreSQL configuration file /var/lib/pgsql/data/pg_hba.conf to allow non-default user testuser to login to PostgreSQL server, by adding the following entry:
local   testdb      testuser                     md5
  • Restart PostgreSQL server:
sudo service postgresql restart
  • Login to PostgreSQL server:
psql -U testuser testdb

Note: If you encounter the error: psql: FATAL: Peer authentication failed for user "testuser" You can fix by:

Locate to your pg_hba.conf file, and find this line:

local   all             postgres                                peer

change it to:

local   all             postgres                                md5

and then restart PostgreSQL server.

  • List all databases (\list or \l):
Tập tành học PostgreSQL tutorial trên AWS

#3. PostgreSQL administration:

3.1. Default Superuser “postgres”:

During installation, a “UNIX USER” (who cannot login to the system interactively) called postgres is created. You can verify by checking the entry in /etc/passwd and /etc/shadow:

sudo less /etc/passwd | grep postgres


$ sudo less /etc/shadow | grep postgres

The user postgres belongs to the following groups:

groups postgres
Tập tành học PostgreSQL tutorial trên AWS

An entry is also defined in PostgreSQL’s HBA (Host-Based Authentication) configuration file for this user:

sudo less /var/lib/pgsql/data/pg_hba.conf


Tập tành học PostgreSQL tutorial trên AWS

3.2. Authentication Methods:

PostgreSQL supports a number of authentication methods. The commonly-used are:

  • ident, peer: identical (or fully match) to the OS account, with an optional name mapping defined in pg_ident.conf file. ident is applicable to TCP/IP; while peer for “local” connection.
  • md5: require md5-hashed password (most common).
  • password: require clear-text password.
  • trust: no password, as long as meeting the IP, user, and database criteria defined in the HBA.
  • reject: reject login immediately.
  • others, such as GSSAPI, SSPI, Kerberos, LDAP, RADIUS, Certificate, PAM.

There are two ways to login PostgreSQL:

1/ By running the “psql” command as a UNIX user which is also configured as PostgreSQL user using so-called IDENT/PEER authentication, e.g., “sudo -u postgres psql”.

2/ Via TCP/IP connection using PostgreSQL’s own managed username/password (using so-called MD5 authentication).

3.3. Set a Password for User postgres:

To set a password, login to PostgreSQL server using postgres via psql and issue command “\password username”, as follows:

  • Login in to server via “psql” with user “postgres”:
sudo -u postgres psql
  • Change password for current user “postgres”:
\\\\password postgres
  • Display the user table:
SELECT * FROM pg_user;
Remove Permissions in PostgreSQL

To test the password login, you need to change the the authentication method from “peer” to “md5” in pg_hba.conf. Restart the server, and login via sudo -u postgres sql. The system will prompt you for the password.

3.4. Add your UNIX user as PostgreSQL user:

Using user “postgres” (which is a UNIX user as well as PostgreSQL user) to run psql involves switching user (via sudo -u <username> or su - <username>). You can simply the process by configuring your current UNIX userID as PostgreSQL user, as follows:

  • Switch to default superuser “postgres”, — run utility “createuser” to create a superuser same name as current login. — “$USER” is an environment variable denoting the current login user.


sudo -u postgres createuser --superuser $USER
  • Create the default database which shall be the same as the username:
sudo -u postgres createdb $USER
  • Now, you can invoke “psql” from your user account


Remove Permissions in PostgreSQL

3.5. Group and User:

3.5.1. Create role:

The latest PostgreSQL treats both group and user as “role”. Some roles can login (i.e. user), some roles have member of other roles (i.e., group).

Roles are different from traditional Unix-style permissions in that there is no distinction between users and groups. Roles can be manipulated to resemble both of these conventions, but they are also more flexible.

For instance, roles can be members of other roles, allowing them to take on the permission characteristics of previously defined roles. Roles can also own objects and control access to those object for other roles.

You should use CREATE ROLE to create both users and groups (CREATE USER and CREATE GROUP are meant for compatibility).

  • Create a login user role:
  • Create a login superuser role:
  • Create a group role:
  • Add a user (or group) to this group:
GRANT group1 TO user1;
Remove Permissions in PostgreSQL

3.5.2. Define Privileges Upon Role Creation:

We can do this by specifying the permissions we want after the main create clause:

CREATE ROLE <role_name> WITH <optional_permissions>;
Remove Permissions in PostgreSQL

If we want to get to this state without specifying the “login” attribute with every role creation, we can actually use the following command instead of the “CREATE ROLE” command:

CREATE USER <role_name>;

The only difference between the two commands is that “CREATE USER” automatically gives the role login privileges.

3.5.3. Use Group Roles & alter ownership in PostgreSQL: Use group roles:

Any member of a group role can act as the group role they are a member of by using the “set role” command.

Since the “postgres” user we are logged into currently has superuser privileges, we can use “set role” even though we are not a member of that group:

SET ROLE group1;

Now, any tables that are created are owned by the group1 role:

name varchar(25),
id serial,
start_date date);

We can check the table ownership by issuing this command:

Remove Permissions in PostgreSQL

As you can see, the new table (and the sequence associated with the serial data type) is owned by the “group1” role.

We can get back to our original role permissions with the following command:


If we give a user the “inherit” property with the “alter role” command, that user will automatically have all of the privileges of the roles they belong to without using the “set role” command:


Now dev will have every permission of the roles it is a member of. Alter the ownership:

You can delete a role using the following syntax:

DROP ROLE <role_name>;

or to avoid not found error:

DROP ROLE IF EXISTS <role_name>;

Now we try to remove a group role (or any role) with the “drop role” command:

DROP ROLE group1;
Remove Permissions in PostgreSQL

This will give you an error, because we created a table that is owned by “group1”. We can solve this problem by transferring ownership to a different role, the syntax is:

ALTER TABLE <table_name> OWNER TO <role>;

and in this case:

ALTER TABLE hello OWNER TO demo_role;

If we check, we can see that “group1” no longer owns any of the tables:


We can now drop the “group1” role successfully by issuing the command again:

DROP ROLE group1;

This will destroy the group1 role. The former members of “group1” (dev role) is not removed.

Remove Permissions in PostgreSQL


+) By default, the owner of the database is the current login user. If you want to alter the owner of a database:

ALTER DATABASE <database_name> OWNER TO <role>;

+) Alter schema’s owner:

In PostgreSQL, a schema is a namespace that contains named database objects such as tables, views, indexes, data types, functions, and operators.To access an object of a schema, you qualify its name with the schema name as a prefix:


For example, you may have sales schema that has staff table and the public schema which also has the staff table. When you refer to the staff table you must qualify it as follows:


If you want to alter the ownership of a schema, use the command:

ALTER SCHEMA <schema_name> OWNER TO <role>;
Remove Permissions in PostgreSQL

Important note:

You must own the schema to use ALTER SCHEMA. To alter the owner, you must also be a direct or indirect member of the new owning role, and you must have the CREATE privilege for the database. (Note that superusers have all these privileges automatically.)

3.5.4. Change Privileges of Roles in PostgreSQL:

To change the attributes of an already created role, we use the “ALTER ROLE” command.

This command allows us to define privilege changes without having to delete and recreate users.

ALTER ROLE <role_name> WITH <attribute_options>;

For example:

Remove Permissions in PostgreSQL

3.5.5. Log In as a Different User in PostgreSQL:

psql -U <user_name> -d <database_name> -h -W

and then enter the password for the user_name that you have created.

3.5.6. Grant Permissions in PostgreSQL:

When a database or table is created, usually only the role that created it (not including roles with superuser status) has permission to modify it. We can alter this behavior by granting permissions to other roles.

We can grant permissions using the “GRANT” command. The general syntax:

GRANT <permission_type> ON <table_name> TO <role_name>;

For example:

Create a simple table

name varchar(25),
id serial,
start_date date);

We can see the result with:

Remove Permissions in PostgreSQL

We can now grant some privileges to the new “demo” table to “testuser”. Give the user “UPDATE” privileges with the following command:

GRANT UPDATE ON demo TO testuser;

We can grant full permissions to a user by substituting the permission type with the word “all”:

GRANT ALL ON demo TO testuser;

If we want to specify permissions for every user on the system, we can use the word “public” instead of a specific user:


To view the grant table, use the following command:

Remove Permissions in PostgreSQL

3.5.7 Remove Permissions in PostgreSQL:

You can remove permissions using the “REVOKE” command. The revoke command uses almost the same syntax as grant:

REVOKE <permission_type> ON <table_name> FROM <user_name>;

Again, we can use the same shorthand words (all and public) to make the command easier:

Remove Permissions in PostgreSQL


Bạn thấy bài viết này như thế nào?
1 reaction

Add new comment

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
Enter the characters shown in the image.

Bài viết liên quan

Redshift – xem cluster resize status

Redshift – xem cluster resize status

Tuy là về logic thì cũng không đc thuyết phục lắm, nhưng họ đã làm test và cũng khẳng định như vậy rồi, thì có thể là đặc điểm của redshift này nó thế
MongoDB replica set authentication guide

MongoDB replica set authentication guide

You have to launch at least 3 EC2 instances. Make sure those 3 instances can connect to each other
Sử dụng AWS copilot CLI để đơn giản hóa việc tạo và quản lý ECS cluster

Sử dụng AWS copilot CLI để đơn giản hóa việc tạo và quản lý ECS cluster

AWS Copilot CLI là công cụ có thể tạo ra “production ready containerized applications” một cách nhanh chóng, chỉ cần 1 file Dockerfile thôi, mọi chuyện còn lại có Copilot lo
Hướng dẫn sử dụng đăng nhập với FB, GG Cognito

Hướng dẫn sử dụng đăng nhập với Facebook, Google bằng AWS Cognito

Under Website, enter a sign-in URL for your app client endpoint into Site URL. Your sign-in URL should be in the following
Meetup 11 - Data Streaming on AWS là Meetup đầu tiên của Viet-AWS

Meetup 11 - Data Streaming on AWS là Meetup đầu tiên của Viet-AWS

Đặc biệt cảm ơn tất cả mọi người đã dành thời gian tham gia offline Meetup 11.