diff --git a/faq/serverless-functions.mdx b/faq/serverless-functions.mdx index 2806fed34b..1d2e2787ef 100644 --- a/faq/serverless-functions.mdx +++ b/faq/serverless-functions.mdx @@ -6,7 +6,7 @@ content: h1: Serverless Functions hero: assets/faas.webp dates: - validation: 2024-03-25 + validation: 2024-10-03 category: serverless --- @@ -16,11 +16,11 @@ category: serverless Serverless Functions is billed on a pay-as-you-go basis. Three components are taken into account: -* **Monthly Request number:** each time your function is invoked we increase a counter. +* **Monthly request number:** each time your function is invoked we increase a counter. * **Resource consumption:** this component is obtained by multiplying the memory tiers chosen by the duration of each function invocation. -* **Resources provision:** in order to mitigate cold start, users can choose to keep some function Instances warm (by filing the min scale value). We then charge for the provisioned resources similarly to the Resources consumption component. +* **Resources provision:** in order to mitigate cold start, users can choose to keep some function instances warm (by filing the minimum scale value). We then charge for the provisioned resources similarly to the Resources consumption component. The scheme below illustrates our billing model: @@ -28,9 +28,9 @@ The scheme below illustrates our billing model: ### Pricing -* **Monthly requests:** **€0.15 per million requests** and we offer **1M free requests** per account per month. +* **Monthly requests:** **€0.15 per million requests**, and we offer **1M free requests** per account per month. -* **Resources consumption:** **€1.20 per 100 000 GB-s** and we provide **400 000 GB-s free tiers** per account and per month. +* **Resources consumption:** **€1.20 per 100 000 GB-s**, and we provide **400 000 GB-s free tiers** per account and per month. | Memory provisioned | Cost per second | |---------------------|-----------------| 
@@ -157,7 +157,7 @@ Serverless Functions use cases are wide so [several ways to deploy functions](/s ## How can I test my functions locally? -Local development is useful for debugging, profiling, testing etc... so we provide libraries to do this: [local testing doc](/serverless/functions/reference-content/local-testing/). + Scaleway provide libraries to run your functions locally, for debugging, profiling, and testing purposes. Refer to the [dedicated documentation](/serverless/functions/reference-content/local-testing/) for more information. ## Where can I find some advanced code examples for functions? @@ -166,4 +166,4 @@ Check out our [serverless-examples repository](https://github.com/scaleway/serve ## How to migrate runtimes? There are no constraints when changing a function runtime, you simply need to choose the runtime version you want. -Upgrading a runtime is highly recommended in case of deprecation, and for runtimes that have reached end-of-support or end-of-life. See the [functions runtimes lifecycle documentation](/serverless/functions/reference-content/functions-lifecycle/) for more information. +Upgrading a runtime is highly recommended in case of deprecation, and for runtimes that have reached end-of-support or end-of-life. Refer to the [functions runtimes lifecycle documentation](/serverless/functions/reference-content/functions-lifecycle/) for more information. diff --git a/faq/serverless-jobs.mdx b/faq/serverless-jobs.mdx index 185831cffb..2853a8b554 100644 --- a/faq/serverless-jobs.mdx +++ b/faq/serverless-jobs.mdx @@ -6,7 +6,7 @@ content: h1: Serverless Jobs hero: assets/serverless-jobs.webp dates: - validation: 2024-03-25 + validation: 2024-10-03 category: serverless --- 
@@ -83,12 +83,12 @@ Serverless Jobs are integrated with [Cockpit](/observability/cockpit/quickstart/ ## Can I cancel or modify a Serverless Job after it has started? -An ongoing Serverless Job can be interrupted during its execution from the **Job runs** section of a job's **Overview** tab. +An ongoing Serverless Job can be interrupted during its execution from the **Job runs** section of a job's **Overview** tab. Refer to the [dedicated docmentation](/serverless/jobs/how-to/stop-job/) for more information. ## How can I automate the deployment and management of Scaleway Serverless Jobs? Scaleway Serverless Jobs is part of the Scaleway ecosystem, it can therefore be driven using the [Scaleway CLI](/developer-tools/scaleway-cli/quickstart/), the [Scaleway API](https://www.scaleway.com/en/developers/api/), and other [developer tools](https://www.scaleway.com/en/developers/). Our serverless ecosystem offers a lot of possibilities with event-driven architectures, and integrations with more products of the Scaleway ecosystem are under active development. -## Do Serverless Jobs offer parallelization? +## Can I run multiple Serverless Jobs at the same time? -Not yet. Scaleway Serverless Jobs will soon offer parallelization via a `parallelism` parameter for each job. This will automatically launch a given number of replicas of the Job container in parallel. \ No newline at end of file +When starting a Job, you can use contextual options to define the number of jobs to execute at the same time. Refer to the [dedicated documentation](/serverless/jobs/how-to/run-job/#how-to-run-a-job-with-contextual-options) for more information. \ No newline at end of file diff --git a/faq/serverless-sql-databases.mdx b/faq/serverless-sql-databases.mdx index ebbe86b8aa..00b3e72313 100644 --- a/faq/serverless-sql-databases.mdx +++ b/faq/serverless-sql-databases.mdx 
@@ -14,7 +14,7 @@ category: serverless You are billed both for the compute resources provisioned and the storage used. You can see the cost estimate in the Database creation wizard. - - **Compute**: You are billed based on compute resources (vCPU and RAM) provisioned to handle your workload. Provisioned resources evolve according to the [autoscaling](/serverless/sql-databases/reference-content/serverless-sql-databases-overview/#autoscaling) parameter and stay between the minimum and maximum thresholds defined for your database. For each vCPU provisioned, 4 GB of RAM will be allocated. + - **Compute**: You are billed based on compute resources (vCPU and RAM) provisioned to handle your workload. Provisioned resources evolve according to the [autoscaling](/serverless/sql-databases/reference-content/serverless-sql-databases-overview/#autoscaling) parameter, and stay between the minimum and maximum thresholds defined for your database. For each vCPU provisioned, 4 GB of RAM will be allocated. - **Storage**: You are billed for the storage consumed by your database. Storage price is based on the size of your database (in GB) and includes 7 days of automated backups at no additional costs. Storage is always billed even if your database is in an active state or idle state. diff --git a/menu/navigation.json b/menu/navigation.json index 927e56196b..e10cc1101d 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -3949,12 +3949,16 @@ "label": "Manage user permissions for Serverless SQL Databases", "slug": "manage-permissions" }, + { + "label": "Use Row-Level Security on a database", + "slug": "use-row-level-security" + }, { "label": "Edit a Serverless SQL Database's autoscaling", "slug": "configure-autoscaling" }, { - "label": "How to manage backups for Serverless SQL Databases", + "label": "Manage backups for Serverless SQL Databases", "slug": "manage-backups" }, { 
@@ -3978,6 +3982,10 @@ { "label": "Securing connections using SSL/TLS", "slug": "secure-connection-ssl-tls" + }, + { + "label": "Using Row-Level Security with PostgREST", + "slug": "postgrest-row-level-security" } ], "label": "API/CLI", @@ -5333,4 +5341,4 @@ ], "label": "Additional Services" } -] \ No newline at end of file +] diff --git a/serverless/containers/how-to/add-a-custom-domain-to-a-container.mdx b/serverless/containers/how-to/add-a-custom-domain-to-a-container.mdx index 9fcff42888..7cce3a7700 100644 --- a/serverless/containers/how-to/add-a-custom-domain-to-a-container.mdx +++ b/serverless/containers/how-to/add-a-custom-domain-to-a-container.mdx @@ -7,7 +7,7 @@ content: paragraph: Add a custom domain to Scaleway Serverless Containers. tags: custom-domain container serverless cname record dates: - validation: 2024-03-27 + validation: 2024-10-03 posted: 2022-02-21 categories: - serverless 
@@ -81,7 +81,7 @@ HTTP-01 challenge failure (and by extension, a custom domain in `error` status) | DNS record is not available yet. | This can be the case if the custom domain is created immediately after the CNAME is configured on your DNS provider side. | As a rule of thumb, wait a few minutes after creating the CNAME on your DNS provider, or at least wait until the DNS record is available on main resolvers (`1.1.1.1`, `8.8.8.8`). | | DNS cache is stale (still pointing to an old endpoint). | If the custom domain was pointing to another endpoint before adding the CNAME record to the Serverless Container, and if the TTL is greater than the maximum time of the check (3 min), it can sometimes happen that the custom domain still resolves to the old endpoint, thus making the challenge fail. | Wait until DNS entry is available and use a smaller TTL. | | Negative DNS cache is stale | If the initial check fails (DNS record is not available yet), and the negative TTL configured on your DNS provider side is high, the negative TTL will prevent subsequent checks from querying the nameserver again, until it expires. Depending on the negative TTL configured, this can take more or less time. | Either reduce the negative TTL in your DNS provider configuration, or just wait until you are sure DNS record is available. If you already tried to add the custom domain and faced this issue, you likely have to wait for the negative TTL to expire before making another attempt (so the cache can also expire on our side). | -| Route `/.well-known/acme-challenge` is not handled correctly. | To perform the HTTP-01 challenge, a call will be made on `/.well-known/acme-challenge/`. If you are using a proxying/caching tool (like Cloudflare) between the custom domain and the Serverless Container endpoint, a cached version of that route can be served, making the check fails. | Don't configure caching rules for routes starting with `/.well-known/acme-challenge`. See an example below with Cloudflare. 
| +| Route `/.well-known/acme-challenge` is not handled correctly. | To perform the HTTP-01 challenge, a call will be made on `/.well-known/acme-challenge/`. If you are using a proxying/caching tool (like Cloudflare) between the custom domain and the Serverless Container endpoint, a cached version of that route can be served, making the check fails. | Do not configure caching rules for routes starting with `/.well-known/acme-challenge`. Rerfer to the example below with Cloudflare. | Example of configuration on Cloudflare to disable caching with "Cache rules": @@ -89,7 +89,7 @@ Example of configuration on Cloudflare to disable caching with "Cache rules": ## Migrating an active domain -Read this section if you are trying to migrate a domain that is already serving a live website/API/web application -- but not yet hosted on a Serverless Container -- and you are trying to migrate. +Read this section if you are trying to migrate a domain that is already serving a live website/API/web application, but not yet hosted on a Serverless Container. To clarify, let's take a concrete example: diff --git a/serverless/containers/reference-content/containers-concurrency.mdx b/serverless/containers/reference-content/containers-concurrency.mdx index 1a79eb58a6..fa8985ed8c 100644 --- a/serverless/containers/reference-content/containers-concurrency.mdx +++ b/serverless/containers/reference-content/containers-concurrency.mdx @@ -6,7 +6,7 @@ content: h1: Containers concurrency paragraph: Learn about concurrency settings for Scaleway Serverless Containers. dates: - validation: 2024-03-26 + validation: 2024-10-03 posted: 2024-03-26 tags: serverless containers concurrency concurrent execution scaling parallelism parallel instances categories: 
@@ -20,8 +20,6 @@ Concurrency determines the number of incoming requests a single instance of a co A higher number of instances processing requests at the same time implies a greater usage of memory and [vCPU](/serverless/containers/concepts/#vcpu), and consequently a higher cost. - - ## Maximum concurrent requests per instance When [deploying a container](/serverless/containers/how-to/deploy-a-container-from-scaleway-container-registry/), Scaleway Serverless Containers allows you to edit the **Maximum concurrent requests per instance** parameter. diff --git a/serverless/containers/reference-content/deploy-container.mdx b/serverless/containers/reference-content/deploy-container.mdx index c592c5cb3e..b39bde3199 100644 --- a/serverless/containers/reference-content/deploy-container.mdx +++ b/serverless/containers/reference-content/deploy-container.mdx @@ -6,7 +6,7 @@ content: h1: Methods to deploy Serverless Containers paragraph: Step-by-step guide to deploying a container on Scaleway. dates: - validation: 2024-03-27 + validation: 2024-10-03 posted: 2023-03-10 --- @@ -58,7 +58,7 @@ Installation instructions and documentation are available in the [Scaleway CLI r ## Scaleway SDKs -The Scaleway SDKs allow you to manage your resources directly from your favorite languages. +The Scaleway Software Development Kits (SDK) allow you to manage your resources directly from your favorite languages. The available SDKs are: diff --git a/serverless/functions/reference-content/local-testing.mdx b/serverless/functions/reference-content/local-testing.mdx index 403542def2..d576920a47 100644 --- a/serverless/functions/reference-content/local-testing.mdx +++ b/serverless/functions/reference-content/local-testing.mdx @@ -7,7 +7,7 @@ content: paragraph: Learn how to test your Serverless Functions locally before deployment on Scaleway. tags: functions serverless local testing dates: - validation: 2024-03-27 + validation: 2024-10-03 posted: 2023-03-06 categories: - serverless 
@@ -51,5 +51,5 @@ with different libraries available to your local development environment. Performance during local testing can differ from the deployed Serverless Functions environment, and will involve [limitations](/serverless/functions/reference-content/functions-limitations/) around resource usage and quotas. -CPU/Memory settings do not apply when testing functions locally. +CPU/memory settings do not apply when testing functions locally. diff --git a/serverless/jobs/reference-content/jobs-limitations.mdx b/serverless/jobs/reference-content/jobs-limitations.mdx index ab4b2d343e..7c42aa9fc1 100644 --- a/serverless/jobs/reference-content/jobs-limitations.mdx +++ b/serverless/jobs/reference-content/jobs-limitations.mdx @@ -7,7 +7,7 @@ content: paragraph: Learn the limitations of Scaleway Serverless Jobs. tags: Jobs limitations serverless dates: - validation: 2024-03-28 + validation: 2024-10-03 posted: 2021-03-28 categories: - serverless @@ -25,7 +25,7 @@ This section contains usage limits that apply when using Serverless Jobs. | Max ephemeral storage | 10 GB | Job run | | CPU max | 6 VCPU | Job run | | Memory max | 16 GB | Job run | -| timeout | 24h | Job run | +| Timeout | 24h | Job run | ## Default values for CPU and memory limits @@ -40,9 +40,9 @@ When the job vCPU and/or memory are not provided by the client, these default va Scaleway Serverless Jobs only supports `amd64` architecture for images. -For example, if you build an image using an ARM CPU, such as Apple Silicon, your image will be in the `arm64` architecture, and you will have an error message during deployment. +For example, if you build an image using an ARM CPU, such as Apple Silicon, your image will be using the `arm64` architecture, and you will have an error message during deployment. -You must ensure that you build your image to target `amd64` architecture. +You must ensure that you build your image to target the `amd64` architecture. ## Ports restrictions 
diff --git a/serverless/jobs/troubleshooting/common-errors.mdx b/serverless/jobs/troubleshooting/common-errors.mdx index 49425738d1..b8b6a0e9c7 100644 --- a/serverless/jobs/troubleshooting/common-errors.mdx +++ b/serverless/jobs/troubleshooting/common-errors.mdx @@ -7,7 +7,7 @@ content: paragraph: Troubleshoot common errors in Scaleway Serverless Jobs. tags: serverless jobs troubleshooting issue error message dates: - validation: 2024-03-28 +validation: 2024-10-03 posted: 2024-03-28 categories: - serveless diff --git a/serverless/sql-databases/api-cli/postgrest-row-level-security.mdx b/serverless/sql-databases/api-cli/postgrest-row-level-security.mdx new file mode 100644 index 0000000000..5b87e51272 --- /dev/null +++ b/serverless/sql-databases/api-cli/postgrest-row-level-security.mdx 
@@ -0,0 +1,135 @@ +--- +meta: + title: How to use Row-Level Security with PostgREST for Serverless SQL Databases + description: This page provides the steps to use Row-Level Security with PostGREST for Serverless SQL Databases +content: + h1: How to use Row-Level Security with PostgREST for Serverless SQL Databases + paragraph: This page provides the steps to use Row-Level Security with PostGREST for Serverless SQL Databases +tags: sql-databases serverless database row-level-security postgresql postgrest +dates: + validation: 2024-09-24 + posted: 2024-09-24 +categories: + - serverless +--- + +PostgREST's built-in Row Level Security based on users JWT relies either on [role impersonation](https://docs.postgrest.org/en/v12/references/auth.html#user-impersonation) or [transaction-scoped settings](https://docs.postgrest.org/en/v12/references/transactions.html#tx-settings). + +Due to connection pooling, Serverless SQL Databases currently only support transaction-scoped settings and requires using a single PostgreSQL role for all queries (the internal `role_readwrite` in PostgreSQL). + + + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- [Created a Serverless SQL Database](/serverless/sql-databases/how-to/create-a-database/) + +## How to add sample data and enable PostgreSQL Row Level Security + +1. [Connect to your Serverless SQL Database](/serverless/sql-databases/quickstart/#how-to-connect-to-a-database) with a PostgreSQL client such as `psql`: + ```bash + psql "postgres://[user-or-application-id]:[api-secret-key]@[database-hostname]:5432/[database-name]?sslmode=require" + ``` + +2. 
Add sample data to the database using the following command: + ```sql + CREATE TABLE pets (name varchar, keeper varchar, id int); + INSERT INTO pets VALUES ('Stuart','role_admin',1),('Nemo','role_admin',2),('Alfie','role_readwrite',3),('Peanut','role_readwrite',4); + ``` + +3. Run the command below to enable **Row Level Security**: + ```sql + ALTER TABLE pets ENABLE row level security; + ``` + +4. Run the command below to create a PostgreSQL policy so that users or applications connecting with `role_readwrite` can access a `pet` row only if its `keeper` column value is `role_readwrite`: + ```sql + CREATE POLICY pets_keeper ON pets TO role_readwrite USING (keeper = current_user); + ``` + +5. (Optional) Run the command below to check that you can see all the data with your current connection: + ```sql + SELECT * FROM pets; + ``` + All the data in the database displays, as you are connected with `role_admin`. + + + You can verify the current role you are connected with using the following command: + ```sql + SELECT current_user; + ``` + + +## How to use Row Level Security with PostgREST + +1. Install PostgREST by following the [official documentation](https://docs.postgrest.org/en/v12/tutorials/tut0.html#step-1-install-postgresql). + +2. Create a `tutorial.conf` file with the following content: + + ```json + db-uri = "postgres://[user-or-application-id]:[api-secret-key]@[database-hostname]:5432/[database-name]?sslmode=require" + db-schemas = "[your database schema]" + jwt-secret = "[your jwt secret]" + ``` + + Where: + - `db-uri` must use credentials with an [application](/identity-and-access-management/iam/how-to/create-application/) having **ServerlessSQLDatabaseDataReadWrite** permissions (not **ServerlessSQLDatabaseReadWrite** or **ServerlessSQLDatabaseFullAccess**) + - `db-schemas` is your database schema. Use `public` as a default value. + - `jwt-secret` is a token generated using the following command: + ```sh + openssl rand -base64 32 + ``` + +3. 
In a terminal, access the folder containing the `tutorial.conf` file, and run the command below to start a local PostgREST instance: + + ```bash + postgrest tutorial.conf + ``` + + + You can check that you can query your database by [generating a JWT](https://docs.postgrest.org/en/v12/tutorials/tut1.html#step-3-sign-a-token) with `{"role": "role_readwrite"}` as the payload data, then running the command below, where `$TOKEN` is your generated JWT: + ```bash + curl http://localhost:3000/pets \ + -H "Authorization: Bearer $TOKEN" + ``` + A list of pets displays. + + +4. Connect to your Serverless SQL Database with **ServerlessSQLDatabaseFullAccess** permissions, and run the following command to delete the `pets_keeper` policy previously applied to the `pets` table: + ```sql + DROP POLICY pets_keeper ON pets; + ``` + +5. Run the command below to create a new policy on the `pets` table: + ```sql + CREATE POLICY pets_keeper ON pets TO role_readwrite + USING (keeper = current_setting('request.jwt.claims', true)::json->>'user_type'); + ``` + This policy uses `current_setting` instead of `current_user`, and thus checks for additional fields contained by the JWT, and not only the `role` field. + +6. [Generate a JWT](https://docs.postgrest.org/en/v12/tutorials/tut1.html#step-3-sign-a-token) with the following payload data: + ```json + { + "role": "role_readwrite", + "user_type": "role_readwrite" + } + ``` + + Here, the `user_type` value from the JWT will be checked against the `keeper` column value in your database to authorize access. You can replace `"user_type": "role_readwrite"` with any alternative field name or value depending on your use case. However, you must keep `"role": "role_readwrite"` for any users you want to authenticate through PostgREST, because other roles (such as `role_admin`) have too many permissions and will be able to see any data. + + +7. 
Run the command below to query your database using the JWT you just created through PostgREST: + ```bash + curl http://localhost:3000/pets \ + -H "Authorization: Bearer $TOKEN" + ``` + A list of pets with a `role_readwrite` value for `keeper` displays. + + Your new application can now only access a specific subset of rows based on its permissions using transaction-scoped settings. + + + You can change your JWT payload data with `"user_type": "role_admin"` and see that only another set of rows will be displayed. + + To go further, try adding fields or values to filter, and edit your policy to filter and give your policy a more complex set of rules. Refer to the [official PostgREST](https://docs.postgrest.org/en/v12/explanations/db_authz.html) documentation for more information. + diff --git a/serverless/sql-databases/how-to/use-row-level-security.mdx b/serverless/sql-databases/how-to/use-row-level-security.mdx new file mode 100644 index 0000000000..b379dfa494 --- /dev/null +++ b/serverless/sql-databases/how-to/use-row-level-security.mdx 
@@ -0,0 +1,90 @@ +--- +meta: + title: How to use Row-Level Security with Serverless SQL Database + description: This page explains how to use Row-Level Security with Serverless SQL Databases +content: + h1: How to use Row-Level Security with Serverless SQL Database + paragraph: This page explains how to use Row-Level Security with Serverless SQL Databases +tags: sql-databases serverless database row-level-security postgresql postgrest +dates: + validation: 2024-09-24 + posted: 2024-09-24 +categories: + - serverless +--- + +Row-Level Security is a database security mechanism that allows access only to specific rows of a table based on a user's role or permissions. + +Row-Level Security can be activated with Serverless SQL Databases for a maximum of two different roles, having both read and write permissions. This can be used to restrict access to a subset of users with frameworks or tools such as [PostgREST](https://docs.postgrest.org/en/v12/). + +This requires setting up different [IAM permissions sets](/identity-and-access-management/iam/reference-content/permission-sets/) for each role (**ServerlessSQLDatabaseFullAccess** or **ServerlessSQLDatabaseReadWrite** for one role, and **ServerlessSQLDatabaseDataReadWrite** for the other). + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- [Created a Serverless SQL Database](/serverless/sql-databases/how-to/create-a-database/) + +## How to add sample data and enable PostgreSQL Row Level Security + +1. 
[Connect to your Serverless SQL Database](/serverless/sql-databases/quickstart/#how-to-connect-to-a-database) with a PostgreSQL client such as `psql`: + ```bash + psql "postgres://[user-or-application-id]:[api-secret-key]@[database-hostname]:5432/[database-name]?sslmode=require" + ``` + +2. Add sample data to the database using the following command: + ```sql + CREATE TABLE pets (name varchar, keeper varchar, id int); + INSERT INTO pets VALUES ('Stuart','role_admin',1),('Nemo','role_admin',2),('Alfie','role_readwrite',3),('Peanut','role_readwrite',4); + ``` + +3. Run the command below to enable **Row-Level Security**: + ```sql + ALTER TABLE pets ENABLE row level security; + ``` + +4. Run the command below to create a PostgreSQL policy so that users or applications connecting with `role_readwrite` can access a `pet` row only if its `keeper` column value is `role_readwrite`: + ```sql + CREATE POLICY pets_keeper ON pets TO role_readwrite USING (keeper = current_user); + ``` + +5. (Optional) Run the command below to check that you can see all the data with your current connection: + ```sql + SELECT * FROM pets; + ``` + All the data contained in the database displays, as you are connected with `role_admin`. + + + You can verify the current role you are connected with using the following command: + ```sql + SELECT current_user; + ``` + + +## How to create an IAM application with Row Level Security enabled + +1. Create a new [IAM application](/identity-and-access-management/iam/how-to/create-application/). + +2. Create a new [IAM policy](/identity-and-access-management/iam/how-to/create-policy/), and add the **ServerlessSQLDatabaseDataReadWrite** permission set to the application you just created. + + + You must provide **ServerlessSQLDatabaseDataReadWrite** permission set and not **ServerlessSQLDatabaseReadWrite** permission set. 
Indeed, all connections to your database performed with the former permissions set will use `role_readwrite` in PostgreSQL, whereas all connections performed with the latter, or **ServerlessSQLDatabaseFullAccess** will use `role_admin` in PostgreSQL. + + +3. Create an [API Key](/identity-and-access-management/iam/how-to/create-api-keys/) for this application, and connect to your Serverless SQL Database with this application. + ```bash + psql "postgres://[new-application-id]:[new-api-secret-key]@[database-hostname]:5432/[database-name]?sslmode=require" + ``` + +4. Run the following command to list the `pets` this application has access to: + ```sql + SELECT * FROM pets; + ``` + Only the pets with a `keeper` column value of `role_readwrite` display. Your new application can now only access a specific subset of rows based on its permissions. + + + Row-level security and policies can be created or deleted by a table owner. In this example, you can check the table owner with the following command: + ```sql + select * from pg_tables where tablename = 'pets'; + ``` + diff --git a/storage/object/how-to/access-objects-via-https.mdx b/storage/object/how-to/access-objects-via-https.mdx index 68acaccbc5..19c1a99044 100644 --- a/storage/object/how-to/access-objects-via-https.mdx +++ b/storage/object/how-to/access-objects-via-https.mdx @@ -7,7 +7,7 @@ content: paragraph: Securely access objects in Object Storage over HTTPS. tags: object storage object-storage download https dates: - validation: 2024-03-12 + validation: 2024-10-04 posted: 2023-09-05 categories: - storage @@ -35,5 +35,3 @@ If an object is public, you can retreive the link to access it from the [Scalewa To make the link to an object permanent, [change its visibility](/storage/object/how-to/manage-object-visibility/) to **public**. The link will work as long as the object is public. - -
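Review bot: in faq/serverless-functions.mdx, the rewritten **Resources provision** bullet still reads "by filing the minimum scale value", which should be "filling" (or "setting"). The line is already being changed, so fix it in this patch. The same bullet refers to "the Resources consumption component" while the component is introduced two bullets earlier as "Resource consumption"; use one spelling in both places.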
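Review bot: in faq/serverless-functions.mdx under "How can I test my functions locally?", the added sentence has a subject-verb mismatch: "Scaleway provide libraries" should be "Scaleway provides libraries". The added line also appears to start with a space after the `+`, unlike the line it replaces and the other added lines in this file; drop the leading space.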
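Review bot: in faq/serverless-jobs.mdx, the link text added to the "Can I cancel or modify a Serverless Job after it has started?" answer is misspelled: "dedicated docmentation" should be "dedicated documentation". In the same hunk, the new heading asks about running multiple Serverless Jobs, while the removed answer described replicas of one job's container; the new answer should say whether "the number of jobs to execute at the same time" means parallel runs of the same job or of different jobs.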
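Review bot: in the HTTP-01 troubleshooting table of serverless/containers/how-to/add-a-custom-domain-to-a-container.mdx, the rewritten last row introduces a typo: "Rerfer to the example below with Cloudflare" should start with "Refer". The same row still says "making the check fails"; change it to "making the check fail" while the row is being edited.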
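Review bot: in serverless/jobs/troubleshooting/common-errors.mdx, the added `validation: 2024-10-03` line appears to have lost the indentation the removed line had under `dates:`, unlike every other date bump in this patch. At column 0 it is no longer a child of `dates:` while `posted:` below it stays indented, so the front matter will not parse as intended; restore the original indentation. The context line `- serveless` under `categories:` is also misspelled (other files use `- serverless`) and could be fixed in the same change.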
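Review bot: in step 5 of "How to use Row Level Security with PostgREST" (serverless/sql-databases/api-cli/postgrest-row-level-security.mdx), the policy authorises rows from `current_setting('request.jwt.claims', true)`, a setting that any session connected as `role_readwrite` can assign for itself, so the row filter only holds when PostgREST is the sole holder of the **ServerlessSQLDatabaseDataReadWrite** credentials used in `db-uri`. Add a sentence stating that those credentials and the `jwt-secret` must stay server-side and that end users must reach the database only through PostgREST. Two smaller points in the same file: the `tutorial.conf` block is fenced as `json` although its `key = "value"` lines are not JSON, and the front matter spells the product "PostGREST" in `description` and `paragraph` but "PostgREST" everywhere else.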
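Review bot: in serverless/sql-databases/how-to/use-row-level-security.mdx, step 5 of "How to add sample data and enable PostgreSQL Row Level Security" explains seeing every row with "as you are connected with `role_admin`", but the only policy is `TO role_readwrite`, and once RLS is enabled PostgreSQL returns no rows to a role with no applicable policy unless that role owns the table, is a superuser or has BYPASSRLS. State which of these applies to `role_admin` (the closing note about the table owner suggests ownership), and mention `FORCE ROW LEVEL SECURITY` for readers who need the owner filtered as well. The same sentence appears in postgrest-row-level-security.mdx and needs the same fix. Also, the section headings use "Row Level Security" while the title and step 3 use "Row-Level Security"; pick one form.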