Skip to content

docs: update AWS RDS IAM Auth instructions #1421

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

docs: update AWS RDS IAM Auth instructions #1421

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions docs/admin/external_services/postgres.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,7 @@ In order to enable IAM Auth, you first need to:
- For EKS (k8s deployment), use [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
- For EC2 (docker-compose deployment), use [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)

For [every services that require postgres database connection](https://github.com/sourcegraph/sourcegraph-public-snapshot/blob/main/lib/servicecatalog/service-catalog.yaml), ensure below environment variables are configured:
Configure the following environment variables for the **`sourcegraph-frontend`** service (or all `sourcegraph-frontend-*` services in Docker Compose deployments):

- `PG_CONNECTION_UPDATER=EC2_ROLE_CREDENTIALS`
- `PGSSLMODE=require`
Expand All @@ -131,15 +131,20 @@ For [every services that require postgres database connection](https://github.co
- `PGUSER=<>` - this should be the database accounts created above
- `PGDATABASE=<>`
- `CODEINTEL_PGSSLMODE=require`
- `CODEINTEL_PGHOST=<>`
- `CODEINTEL_PGPORT=<>`
- `CODEINTEL_PGUSER=<>` this should be the database accounts created above
- `CODEINTEL_PGUSER=<>` - this should be the database accounts created above
- `CODEINTEL_PGDATABASE=<>`
- `CODEINSIGHTS_PGSSLMODE=require`
- `CODEINSIGHTS_PGHOST=<>`
- `CODEINSIGHTS_PGPORT=<>`
- `CODEINSIGHTS_PGUSER=<>` this should be the database accounts created above
- `CODEINSIGHTS_PGUSER=<>` - this should be the database accounts created above
- `CODEINSIGHTS_PGDATABASE=<>`

**Optional:** If your workloads are in a specific AWS Region and you want to use regional STS endpoints for improved latency and resiliency, also set:

- `AWS_STS_REGIONAL_ENDPOINTS=regional` - This configures the AWS SDK to use regional STS endpoints (e.g., `sts.us-west-2.amazonaws.com`) instead of the global endpoint (`sts.amazonaws.com`). This is recommended for better performance and resilience. See [AWS documentation](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html) for more details.

## Usage with PgBouncer

[PgBouncer] is a lightweight connections pooler for PostgreSQL. It allows more clients to connect with the PostgreSQL database without running into connection limits.
Expand Down