postgresql.Role

PostgreSQL v3.16.3, Apr 10 26

Viewing docs for PostgreSQL v3.16.3
published on Friday, Apr 10, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-postgresql

Viewing docs for PostgreSQL v3.16.3
published on Friday, Apr 10, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-postgresql

When a postgresql.Role resource is removed, the PostgreSQL ROLE will automatically run a REASSIGN OWNED and DROP OWNED to the CURRENT_USER (normally the connected user for the provider). If the specified PostgreSQL ROLE owns objects in multiple PostgreSQL databases in the same PostgreSQL Cluster, one PostgreSQL provider per database must be created and all but the final postgresql.Role must specify a skipDropRole.

Note: All arguments including role name and password will be stored in the raw state as plain-text. Read more about sensitive data in state.

Note: For enhanced security, consider using the passwordWo and passwordWoVersion attributes instead of password. The write-only password attributes prevent the password from being stored in the Terraform state file while still allowing password management through version-controlled updates.

Usage

import * as pulumi from "@pulumi/pulumi";
import * as postgresql from "@pulumi/postgresql";

const myRole = new postgresql.Role("my_role", {
    name: "my_role",
    login: true,
    password: "mypass",
});
const myReplicationRole = new postgresql.Role("my_replication_role", {
    name: "replication_role",
    replication: true,
    login: true,
    connectionLimit: 5,
    password: "md5c98cbfeb6a347a47eb8e96cfb4c4b890",
});
// Example using write-only password (password not stored in state)
const secureRole = new postgresql.Role("secure_role", {
    name: "secure_role",
    login: true,
    passwordWo: "secure_password_123",
    passwordWoVersion: "1",
});

import pulumi
import pulumi_postgresql as postgresql

my_role = postgresql.Role("my_role",
    name="my_role",
    login=True,
    password="mypass")
my_replication_role = postgresql.Role("my_replication_role",
    name="replication_role",
    replication=True,
    login=True,
    connection_limit=5,
    password="md5c98cbfeb6a347a47eb8e96cfb4c4b890")
# Example using write-only password (password not stored in state)
secure_role = postgresql.Role("secure_role",
    name="secure_role",
    login=True,
    password_wo="secure_password_123",
    password_wo_version="1")

package main

import (
	"github.com/pulumi/pulumi-postgresql/sdk/v3/go/postgresql"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := postgresql.NewRole(ctx, "my_role", &postgresql.RoleArgs{
			Name:     pulumi.String("my_role"),
			Login:    pulumi.Bool(true),
			Password: pulumi.String("mypass"),
		})
		if err != nil {
			return err
		}
		_, err = postgresql.NewRole(ctx, "my_replication_role", &postgresql.RoleArgs{
			Name:            pulumi.String("replication_role"),
			Replication:     pulumi.Bool(true),
			Login:           pulumi.Bool(true),
			ConnectionLimit: pulumi.Int(5),
			Password:        pulumi.String("md5c98cbfeb6a347a47eb8e96cfb4c4b890"),
		})
		if err != nil {
			return err
		}
		// Example using write-only password (password not stored in state)
		_, err = postgresql.NewRole(ctx, "secure_role", &postgresql.RoleArgs{
			Name:              pulumi.String("secure_role"),
			Login:             pulumi.Bool(true),
			PasswordWo:        pulumi.String("secure_password_123"),
			PasswordWoVersion: pulumi.String("1"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using PostgreSql = Pulumi.PostgreSql;

return await Deployment.RunAsync(() => 
{
    var myRole = new PostgreSql.Index.Role("my_role", new()
    {
        Name = "my_role",
        Login = true,
        Password = "mypass",
    });

    var myReplicationRole = new PostgreSql.Index.Role("my_replication_role", new()
    {
        Name = "replication_role",
        Replication = true,
        Login = true,
        ConnectionLimit = 5,
        Password = "md5c98cbfeb6a347a47eb8e96cfb4c4b890",
    });

    // Example using write-only password (password not stored in state)
    var secureRole = new PostgreSql.Index.Role("secure_role", new()
    {
        Name = "secure_role",
        Login = true,
        PasswordWo = "secure_password_123",
        PasswordWoVersion = "1",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.postgresql.Role;
import com.pulumi.postgresql.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var myRole = new Role("myRole", RoleArgs.builder()
            .name("my_role")
            .login(true)
            .password("mypass")
            .build());

        var myReplicationRole = new Role("myReplicationRole", RoleArgs.builder()
            .name("replication_role")
            .replication(true)
            .login(true)
            .connectionLimit(5)
            .password("md5c98cbfeb6a347a47eb8e96cfb4c4b890")
            .build());

        // Example using write-only password (password not stored in state)
        var secureRole = new Role("secureRole", RoleArgs.builder()
            .name("secure_role")
            .login(true)
            .passwordWo("secure_password_123")
            .passwordWoVersion("1")
            .build());

    }
}

resources:
  myRole:
    type: postgresql:Role
    name: my_role
    properties:
      name: my_role
      login: true
      password: mypass
  myReplicationRole:
    type: postgresql:Role
    name: my_replication_role
    properties:
      name: replication_role
      replication: true
      login: true
      connectionLimit: 5
      password: md5c98cbfeb6a347a47eb8e96cfb4c4b890
  # Example using write-only password (password not stored in state)
  secureRole:
    type: postgresql:Role
    name: secure_role
    properties:
      name: secure_role
      login: true
      passwordWo: secure_password_123
      passwordWoVersion: '1'

Write-Only Password Management

The passwordWo and passwordWoVersion attributes provide a secure way to manage role passwords without storing them in the Terraform state file:

Security: The password value is never stored in the state file, reducing the risk of exposure
Version Control: Password updates are controlled through the passwordWoVersion attribute
Idempotency: Terraform only updates the password when the version changes, not on every apply

To change a password when using write-only attributes:

Update the passwordWo value with the new password
Increment or change the passwordWoVersion value
Apply the configuration

Example of password rotation:

import * as pulumi from "@pulumi/pulumi";
import * as postgresql from "@pulumi/postgresql";

// Initial password setup
const appUser = new postgresql.Role("app_user", {
    name: "app_user",
    login: true,
    passwordWo: "initial_password_123",
    passwordWoVersion: "1",
});

import pulumi
import pulumi_postgresql as postgresql

# Initial password setup
app_user = postgresql.Role("app_user",
    name="app_user",
    login=True,
    password_wo="initial_password_123",
    password_wo_version="1")

package main

import (
	"github.com/pulumi/pulumi-postgresql/sdk/v3/go/postgresql"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Initial password setup
		_, err := postgresql.NewRole(ctx, "app_user", &postgresql.RoleArgs{
			Name:              pulumi.String("app_user"),
			Login:             pulumi.Bool(true),
			PasswordWo:        pulumi.String("initial_password_123"),
			PasswordWoVersion: pulumi.String("1"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using PostgreSql = Pulumi.PostgreSql;

return await Deployment.RunAsync(() => 
{
    // Initial password setup
    var appUser = new PostgreSql.Index.Role("app_user", new()
    {
        Name = "app_user",
        Login = true,
        PasswordWo = "initial_password_123",
        PasswordWoVersion = "1",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.postgresql.Role;
import com.pulumi.postgresql.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Initial password setup
        var appUser = new Role("appUser", RoleArgs.builder()
            .name("app_user")
            .login(true)
            .passwordWo("initial_password_123")
            .passwordWoVersion("1")
            .build());

    }
}

resources:
  # Initial password setup
  appUser:
    type: postgresql:Role
    name: app_user
    properties:
      name: app_user
      login: true
      passwordWo: initial_password_123
      passwordWoVersion: '1'

Create Role Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Role(name: string, args?: RoleArgs, opts?: CustomResourceOptions);

@overload
def Role(resource_name: str,
         args: Optional[RoleArgs] = None,
         opts: Optional[ResourceOptions] = None)

@overload
def Role(resource_name: str,
         opts: Optional[ResourceOptions] = None,
         assume_role: Optional[str] = None,
         bypass_row_level_security: Optional[bool] = None,
         connection_limit: Optional[int] = None,
         create_database: Optional[bool] = None,
         create_role: Optional[bool] = None,
         encrypted: Optional[str] = None,
         encrypted_password: Optional[bool] = None,
         idle_in_transaction_session_timeout: Optional[int] = None,
         inherit: Optional[bool] = None,
         login: Optional[bool] = None,
         name: Optional[str] = None,
         password: Optional[str] = None,
         password_wo: Optional[str] = None,
         password_wo_version: Optional[str] = None,
         replication: Optional[bool] = None,
         roles: Optional[Sequence[str]] = None,
         search_paths: Optional[Sequence[str]] = None,
         skip_drop_role: Optional[bool] = None,
         skip_reassign_owned: Optional[bool] = None,
         statement_timeout: Optional[int] = None,
         superuser: Optional[bool] = None,
         valid_until: Optional[str] = None)

func NewRole(ctx *Context, name string, args *RoleArgs, opts ...ResourceOption) (*Role, error)

public Role(string name, RoleArgs? args = null, CustomResourceOptions? opts = null)

public Role(String name, RoleArgs args)
public Role(String name, RoleArgs args, CustomResourceOptions options)

type: postgresql:Role
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args RoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args RoleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args RoleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args RoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args RoleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var roleResource = new PostgreSql.Role("roleResource", new()
{
    AssumeRole = "string",
    BypassRowLevelSecurity = false,
    ConnectionLimit = 0,
    CreateDatabase = false,
    CreateRole = false,
    EncryptedPassword = false,
    IdleInTransactionSessionTimeout = 0,
    Inherit = false,
    Login = false,
    Name = "string",
    Password = "string",
    PasswordWo = "string",
    PasswordWoVersion = "string",
    Replication = false,
    Roles = new[]
    {
        "string",
    },
    SearchPaths = new[]
    {
        "string",
    },
    SkipDropRole = false,
    SkipReassignOwned = false,
    StatementTimeout = 0,
    Superuser = false,
    ValidUntil = "string",
});

example, err := postgresql.NewRole(ctx, "roleResource", &postgresql.RoleArgs{
	AssumeRole:                      pulumi.String("string"),
	BypassRowLevelSecurity:          pulumi.Bool(false),
	ConnectionLimit:                 pulumi.Int(0),
	CreateDatabase:                  pulumi.Bool(false),
	CreateRole:                      pulumi.Bool(false),
	EncryptedPassword:               pulumi.Bool(false),
	IdleInTransactionSessionTimeout: pulumi.Int(0),
	Inherit:                         pulumi.Bool(false),
	Login:                           pulumi.Bool(false),
	Name:                            pulumi.String("string"),
	Password:                        pulumi.String("string"),
	PasswordWo:                      pulumi.String("string"),
	PasswordWoVersion:               pulumi.String("string"),
	Replication:                     pulumi.Bool(false),
	Roles: pulumi.StringArray{
		pulumi.String("string"),
	},
	SearchPaths: pulumi.StringArray{
		pulumi.String("string"),
	},
	SkipDropRole:      pulumi.Bool(false),
	SkipReassignOwned: pulumi.Bool(false),
	StatementTimeout:  pulumi.Int(0),
	Superuser:         pulumi.Bool(false),
	ValidUntil:        pulumi.String("string"),
})

var roleResource = new Role("roleResource", RoleArgs.builder()
    .assumeRole("string")
    .bypassRowLevelSecurity(false)
    .connectionLimit(0)
    .createDatabase(false)
    .createRole(false)
    .encryptedPassword(false)
    .idleInTransactionSessionTimeout(0)
    .inherit(false)
    .login(false)
    .name("string")
    .password("string")
    .passwordWo("string")
    .passwordWoVersion("string")
    .replication(false)
    .roles("string")
    .searchPaths("string")
    .skipDropRole(false)
    .skipReassignOwned(false)
    .statementTimeout(0)
    .superuser(false)
    .validUntil("string")
    .build());

role_resource = postgresql.Role("roleResource",
    assume_role="string",
    bypass_row_level_security=False,
    connection_limit=0,
    create_database=False,
    create_role=False,
    encrypted_password=False,
    idle_in_transaction_session_timeout=0,
    inherit=False,
    login=False,
    name="string",
    password="string",
    password_wo="string",
    password_wo_version="string",
    replication=False,
    roles=["string"],
    search_paths=["string"],
    skip_drop_role=False,
    skip_reassign_owned=False,
    statement_timeout=0,
    superuser=False,
    valid_until="string")

const roleResource = new postgresql.Role("roleResource", {
    assumeRole: "string",
    bypassRowLevelSecurity: false,
    connectionLimit: 0,
    createDatabase: false,
    createRole: false,
    encryptedPassword: false,
    idleInTransactionSessionTimeout: 0,
    inherit: false,
    login: false,
    name: "string",
    password: "string",
    passwordWo: "string",
    passwordWoVersion: "string",
    replication: false,
    roles: ["string"],
    searchPaths: ["string"],
    skipDropRole: false,
    skipReassignOwned: false,
    statementTimeout: 0,
    superuser: false,
    validUntil: "string",
});

type: postgresql:Role
properties:
    assumeRole: string
    bypassRowLevelSecurity: false
    connectionLimit: 0
    createDatabase: false
    createRole: false
    encryptedPassword: false
    idleInTransactionSessionTimeout: 0
    inherit: false
    login: false
    name: string
    password: string
    passwordWo: string
    passwordWoVersion: string
    replication: false
    roles:
        - string
    searchPaths:
        - string
    skipDropRole: false
    skipReassignOwned: false
    statementTimeout: 0
    superuser: false
    validUntil: string

Role Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Role resource accepts the following input properties:

AssumeRole string: Defines the role to switch to at login via SET ROLE.
BypassRowLevelSecurity bool: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
ConnectionLimit int: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
CreateDatabase bool: Defines a role's ability to execute CREATE DATABASE. Default value is false.
CreateRole bool: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
Encrypted string: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
EncryptedPassword bool: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
IdleInTransactionSessionTimeout int: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
Inherit bool: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
Login bool: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
Name string: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
Password string: Sets the role's password. A password is only of use for roles having the login attribute set to true.
PasswordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
PasswordWoVersion string: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
Replication bool: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
Roles List<string>: Defines list of roles which will be granted to this new role.
SearchPaths List<string>: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
SkipDropRole bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
SkipReassignOwned bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
StatementTimeout int: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
Superuser bool: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
ValidUntil string: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

AssumeRole string: Defines the role to switch to at login via SET ROLE.
BypassRowLevelSecurity bool: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
ConnectionLimit int: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
CreateDatabase bool: Defines a role's ability to execute CREATE DATABASE. Default value is false.
CreateRole bool: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
Encrypted string: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
EncryptedPassword bool: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
IdleInTransactionSessionTimeout int: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
Inherit bool: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
Login bool: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
Name string: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
Password string: Sets the role's password. A password is only of use for roles having the login attribute set to true.
PasswordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
PasswordWoVersion string: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
Replication bool: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
Roles []string: Defines list of roles which will be granted to this new role.
SearchPaths []string: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
SkipDropRole bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
SkipReassignOwned bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
StatementTimeout int: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
Superuser bool: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
ValidUntil string: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

assumeRole String: Defines the role to switch to at login via SET ROLE.
bypassRowLevelSecurity Boolean: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
connectionLimit Integer: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
createDatabase Boolean: Defines a role's ability to execute CREATE DATABASE. Default value is false.
createRole Boolean: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
encrypted String: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
encryptedPassword Boolean: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
idleInTransactionSessionTimeout Integer: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
inherit Boolean: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
login Boolean: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
name String: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
password String: Sets the role's password. A password is only of use for roles having the login attribute set to true.
passwordWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
passwordWoVersion String: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
replication Boolean: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
roles List<String>: Defines list of roles which will be granted to this new role.
searchPaths List<String>: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
skipDropRole Boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
skipReassignOwned Boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
statementTimeout Integer: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
superuser Boolean: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
validUntil String: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

assumeRole string: Defines the role to switch to at login via SET ROLE.
bypassRowLevelSecurity boolean: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
connectionLimit number: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
createDatabase boolean: Defines a role's ability to execute CREATE DATABASE. Default value is false.
createRole boolean: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
encrypted string: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
encryptedPassword boolean: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
idleInTransactionSessionTimeout number: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
inherit boolean: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
login boolean: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
name string: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
password string: Sets the role's password. A password is only of use for roles having the login attribute set to true.
passwordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
passwordWoVersion string: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
replication boolean: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
roles string[]: Defines list of roles which will be granted to this new role.
searchPaths string[]: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
skipDropRole boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
skipReassignOwned boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
statementTimeout number: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
superuser boolean: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
validUntil string: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

assume_role str: Defines the role to switch to at login via SET ROLE.
bypass_row_level_security bool: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
connection_limit int: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
create_database bool: Defines a role's ability to execute CREATE DATABASE. Default value is false.
create_role bool: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
encrypted str: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
encrypted_password bool: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
idle_in_transaction_session_timeout int: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
inherit bool: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
login bool: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
name str: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
password str: Sets the role's password. A password is only of use for roles having the login attribute set to true.
password_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
password_wo_version str: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
replication bool: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
roles Sequence[str]: Defines list of roles which will be granted to this new role.
search_paths Sequence[str]: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
skip_drop_role bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
skip_reassign_owned bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
statement_timeout int: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
superuser bool: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
valid_until str: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

assumeRole String: Defines the role to switch to at login via SET ROLE.
bypassRowLevelSecurity Boolean: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
connectionLimit Number: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
createDatabase Boolean: Defines a role's ability to execute CREATE DATABASE. Default value is false.
createRole Boolean: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
encrypted String: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
encryptedPassword Boolean: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
idleInTransactionSessionTimeout Number: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
inherit Boolean: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
login Boolean: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
name String: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
password String: Sets the role's password. A password is only of use for roles having the login attribute set to true.
passwordWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
passwordWoVersion String: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
replication Boolean: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
roles List<String>: Defines list of roles which will be granted to this new role.
searchPaths List<String>: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
skipDropRole Boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
skipReassignOwned Boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
statementTimeout Number: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
superuser Boolean: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
validUntil String: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

Outputs

All input properties are implicitly available as output properties. Additionally, the Role resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing Role Resource

Get an existing Role resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RoleState, opts?: CustomResourceOptions): Role

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        assume_role: Optional[str] = None,
        bypass_row_level_security: Optional[bool] = None,
        connection_limit: Optional[int] = None,
        create_database: Optional[bool] = None,
        create_role: Optional[bool] = None,
        encrypted: Optional[str] = None,
        encrypted_password: Optional[bool] = None,
        idle_in_transaction_session_timeout: Optional[int] = None,
        inherit: Optional[bool] = None,
        login: Optional[bool] = None,
        name: Optional[str] = None,
        password: Optional[str] = None,
        password_wo: Optional[str] = None,
        password_wo_version: Optional[str] = None,
        replication: Optional[bool] = None,
        roles: Optional[Sequence[str]] = None,
        search_paths: Optional[Sequence[str]] = None,
        skip_drop_role: Optional[bool] = None,
        skip_reassign_owned: Optional[bool] = None,
        statement_timeout: Optional[int] = None,
        superuser: Optional[bool] = None,
        valid_until: Optional[str] = None) -> Role

func GetRole(ctx *Context, name string, id IDInput, state *RoleState, opts ...ResourceOption) (*Role, error)

public static Role Get(string name, Input<string> id, RoleState? state, CustomResourceOptions? opts = null)

public static Role get(String name, Output<String> id, RoleState state, CustomResourceOptions options)

resources:  _:    type: postgresql:Role    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AssumeRole string: Defines the role to switch to at login via SET ROLE.
BypassRowLevelSecurity bool: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
ConnectionLimit int: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
CreateDatabase bool: Defines a role's ability to execute CREATE DATABASE. Default value is false.
CreateRole bool: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
Encrypted string: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
EncryptedPassword bool: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
IdleInTransactionSessionTimeout int: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
Inherit bool: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
Login bool: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
Name string: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
Password string: Sets the role's password. A password is only of use for roles having the login attribute set to true.
PasswordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
PasswordWoVersion string: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
Replication bool: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
Roles List<string>: Defines list of roles which will be granted to this new role.
SearchPaths List<string>: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
SkipDropRole bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
SkipReassignOwned bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
StatementTimeout int: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
Superuser bool: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
ValidUntil string: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

AssumeRole string: Defines the role to switch to at login via SET ROLE.
BypassRowLevelSecurity bool: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
ConnectionLimit int: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
CreateDatabase bool: Defines a role's ability to execute CREATE DATABASE. Default value is false.
CreateRole bool: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
Encrypted string: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
EncryptedPassword bool: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
IdleInTransactionSessionTimeout int: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
Inherit bool: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
Login bool: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
Name string: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
Password string: Sets the role's password. A password is only of use for roles having the login attribute set to true.
PasswordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
PasswordWoVersion string: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
Replication bool: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
Roles []string: Defines list of roles which will be granted to this new role.
SearchPaths []string: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
SkipDropRole bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
SkipReassignOwned bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
StatementTimeout int: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
Superuser bool: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
ValidUntil string: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

assumeRole String: Defines the role to switch to at login via SET ROLE.
bypassRowLevelSecurity Boolean: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
connectionLimit Integer: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
createDatabase Boolean: Defines a role's ability to execute CREATE DATABASE. Default value is false.
createRole Boolean: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
encrypted String: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
encryptedPassword Boolean: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
idleInTransactionSessionTimeout Integer: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
inherit Boolean: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
login Boolean: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
name String: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
password String: Sets the role's password. A password is only of use for roles having the login attribute set to true.
passwordWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
passwordWoVersion String: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
replication Boolean: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
roles List<String>: Defines list of roles which will be granted to this new role.
searchPaths List<String>: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
skipDropRole Boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
skipReassignOwned Boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
statementTimeout Integer: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
superuser Boolean: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
validUntil String: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

assumeRole string: Defines the role to switch to at login via SET ROLE.
bypassRowLevelSecurity boolean: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
connectionLimit number: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
createDatabase boolean: Defines a role's ability to execute CREATE DATABASE. Default value is false.
createRole boolean: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
encrypted string: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
encryptedPassword boolean: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
idleInTransactionSessionTimeout number: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
inherit boolean: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
login boolean: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
name string: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
password string: Sets the role's password. A password is only of use for roles having the login attribute set to true.
passwordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
passwordWoVersion string: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
replication boolean: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
roles string[]: Defines list of roles which will be granted to this new role.
searchPaths string[]: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
skipDropRole boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
skipReassignOwned boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
statementTimeout number: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
superuser boolean: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
validUntil string: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

assume_role str: Defines the role to switch to at login via SET ROLE.
bypass_row_level_security bool: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
connection_limit int: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
create_database bool: Defines a role's ability to execute CREATE DATABASE. Default value is false.
create_role bool: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
encrypted str: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
encrypted_password bool: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
idle_in_transaction_session_timeout int: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
inherit bool: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
login bool: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
name str: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
password str: Sets the role's password. A password is only of use for roles having the login attribute set to true.
password_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
password_wo_version str: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
replication bool: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
roles Sequence[str]: Defines list of roles which will be granted to this new role.
search_paths Sequence[str]: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
skip_drop_role bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
skip_reassign_owned bool: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
statement_timeout int: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
superuser bool: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
valid_until str: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

assumeRole String: Defines the role to switch to at login via SET ROLE.
bypassRowLevelSecurity Boolean: Defines whether a role bypasses every row-level security (RLS) policy. Default value is false.
connectionLimit Number: If this role can log in, this specifies how many concurrent connections the role can establish. -1 (the default) means no limit.
createDatabase Boolean: Defines a role's ability to execute CREATE DATABASE. Default value is false.
createRole Boolean: Defines a role's ability to execute CREATE ROLE. A role with this privilege can also alter and drop other roles. Default value is false.
encrypted String: Deprecated: Rename PostgreSQL role resource attribute "encrypted" to "encryptedPassword"
encryptedPassword Boolean: Defines whether the password is stored encrypted in the system catalogs. Default value is true. NOTE: this value is always set (to the conservative and safe value), but may interfere with the behavior of PostgreSQL's passwordEncryption setting.
idleInTransactionSessionTimeout Number: Terminate any session with an open transaction that has been idle for longer than the specified duration in milliseconds
inherit Boolean: Defines whether a role "inherits" the privileges of roles it is a member of. Default value is true.
login Boolean: Defines whether role is allowed to log in. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default value is false.
name String: The name of the role. Must be unique on the PostgreSQL server instance where it is configured.
password String: Sets the role's password. A password is only of use for roles having the login attribute set to true.
passwordWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Sets the role's password without storing it in the state file. This is useful for managing passwords securely. Must be used together with passwordWoVersion. Conflicts with password.
passwordWoVersion String: Prevents applies from updating the role password on every apply unless the value changes. This version string should be updated whenever you want to change the password specified in passwordWo. Must be used together with passwordWo. Conflicts with password.
replication Boolean: Defines whether a role is allowed to initiate streaming replication or put the system in and out of backup mode. Default value is false
roles List<String>: Defines list of roles which will be granted to this new role.
searchPaths List<String>: Alters the search path of this new role. Note that due to limitations in the implementation, values cannot contain the substring ", ".
skipDropRole Boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, the cleanup of ownership of objects in each of the respective databases must occur before the ROLE can be dropped from the catalog. Set this option to true when there are multiple databases in a PostgreSQL cluster using the same PostgreSQL ROLE for object ownership. This is the third and final step taken when removing a ROLE from a database.
skipReassignOwned Boolean: When a PostgreSQL ROLE exists in multiple databases and the ROLE is dropped, a REASSIGN OWNED in must be executed on each of the respective databases before the DROP ROLE can be executed to drop the ROLE from the catalog. This is the first and second steps taken when removing a ROLE from a database (the second step being an implicit DROP OWNED).
statementTimeout Number: Defines statementTimeout setting for this role which allows to abort any statement that takes more than the specified amount of time.
superuser Boolean: Defines whether the role is a "superuser", and therefore can override all access restrictions within the database. Default value is false.
validUntil String: Defines the date and time after which the role's password is no longer valid. Established connections past this validTime will have to be manually terminated. This value corresponds to a PostgreSQL datetime. If omitted or the magic value NULL is used, validUntil will be set to infinity. Default is NULL, therefore infinity.

Import

Example

postgresql.Role supports importing resources. Supposing the following Terraform:

import * as pulumi from "@pulumi/pulumi";
import * as postgresql from "@pulumi/postgresql";

const replicationRole = new postgresql.Role("replication_role", {name: "replication_name"});

import pulumi
import pulumi_postgresql as postgresql

replication_role = postgresql.Role("replication_role", name="replication_name")

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using PostgreSql = Pulumi.PostgreSql;

return await Deployment.RunAsync(() => 
{
    var replicationRole = new PostgreSql.Index.Role("replication_role", new()
    {
        Name = "replication_name",
    });

});

package main

import (
	"github.com/pulumi/pulumi-postgresql/sdk/v3/go/postgresql"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := postgresql.NewRole(ctx, "replication_role", &postgresql.RoleArgs{
			Name: pulumi.String("replication_name"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.postgresql.Role;
import com.pulumi.postgresql.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var replicationRole = new Role("replicationRole", RoleArgs.builder()
            .name("replication_name")
            .build());

    }
}

resources:
  replicationRole:
    type: postgresql:Role
    name: replication_role
    properties:
      name: replication_name

It is possible to import a postgresql.Role resource with the following command:

$ terraform import postgresql_role.replication_role replication_name

Where replicationName is the name of the role to import and postgresql_role.replication_role is the name of the resource whose state will be populated as a result of the command.

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: PostgreSQL pulumi/pulumi-postgresql
License: Apache-2.0
Notes: This Pulumi package is based on the postgresql Terraform Provider.

Viewing docs for PostgreSQL v3.16.3
published on Friday, Apr 10, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-postgresql

On this page

On this page

Usage

Write-Only Password Management

Create Role Resource

Constructor syntax

Parameters

Constructor example

Role Resource Properties

Inputs

Outputs

Look up Existing Role Resource

Import

Package Details

On this page

On this page