Set up PostgreSQL

Who can do this?

You will probably need your PostgreSQL administrator to run these commands - you may not have access yourself.

Create a database role

To configure a database role for PostgreSQL, run the following commands:

CREATE ROLE atlan_user_role;
GRANT USAGE ON SCHEMA <schema> TO atlan_user_role;
  • Replace <schema> with the schema to which the user should have access.

Danger: You (or your administrator) will need to run these statements for each database and schema you want to crawl.

Atlan requires the following privileges:

  • USAGE:
    • Access a schema and fetch metadata. By default, users cannot access any objects in schemas that they do not own. The owner of a schema must grant the USAGE privilege on the schema to allow access.
    • Fetch the technical metadata persisted in the INFORMATION_SCHEMA.

These permissions enable Atlan to crawl metadata from PostgreSQL.

(Optional) Grant permissions to query and preview data

To grant permissions to query data and preview sample data:

GRANT SELECT, REFERENCES ON ALL TABLES IN SCHEMA schema_name TO atlan_user_role;
  • Replace schema_name with the name of the schema you want Atlan to access.
  • Replace atlan_user_role with the role assigned to Atlan in your database.

The SELECT privilege is required to preview and query data from within Atlan.

Choose authentication mechanism

Atlan currently supports the following authentication mechanisms. You will need to choose one and configure it according to the steps below.

Basic authentication

To create a username and password for basic authentication for PostgreSQL, run the following commands:

CREATE USER atlan_user password '<pass>';
GRANT atlan_user_role TO atlan_user;
  • Replace <pass> with the password for the atlan_user user you are creating.

Identity and Access Management (IAM) authentication

To configure IAM authentication for PostgreSQL, follow each of these steps.

Enable IAM authentication

To enable IAM authentication for your database instance, follow the steps in the Amazon RDS documentation.

When given the option, apply the changes immediately and wait until they are complete.

Create database user

To create a database user with the necessary permissions, run the following commands:

  1. Connect to the database:

    psql -h {{endpoint}} -U {{username}} -d {{database}}
    • Replace {{endpoint}} with the database or cluster endpoint.
    • Replace {{username}} with the master username (admin account) for the database.
    • Replace {{database}} with the name of the database.
  2. Create a database user:

    CREATE USER {{db-username}} WITH LOGIN; 
    GRANT atlan_user_role, rds_iam TO {{db-username}};
    • Replace {{db-username}} with the name for the database user to create.

Create IAM policy

To create an IAM policy with the necessary permissions, follow the steps in the AWS Identity and Access Management User Guide.

Create the policy using the following JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:{{aws-region}}:{{account-id}}:dbuser:{{resource-id}}/{{db-username}}"
      ]
    }
  ]
}
  • Replace {{aws-region}} with the AWS region of your database instance.
  • Replace {{account-id}} with your account ID.
  • Replace {{resource-id}} with the resource ID.
  • Replace {{db-username}} with the username created in the previous step.
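
The following is an added example, not part of the original page or of Atlan's or AWS's own code: a small Python check that lints the policy document before you create it. It flags unreplaced {{...}} placeholders, wildcards in the dbuser ARN, and any action other than rds-db:connect. The function names and the sample region, account ID, resource ID and user name are assumptions constructed for illustration.

```python
import json
import re

# ARN layout used by the policy above:
# arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/<db-username>
ARN_RE = re.compile(
    r"^arn:aws:rds-db:(?P<region>[^:]+):(?P<account>[^:]+):dbuser:"
    r"(?P<resource>[^/]+)/(?P<user>.+)$"
)

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def check_policy(policy_text):
    """Return findings for an rds-db:connect policy; raises ValueError on bad JSON."""
    findings = []
    statements = json.loads(policy_text)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if action != "rds-db:connect":
                findings.append(f"statement {i}: unexpected action {action!r}")
        for arn in as_list(stmt.get("Resource", [])):
            if "{{" in arn or "}}" in arn:
                findings.append(f"statement {i}: unreplaced placeholder in {arn!r}")
                continue
            m = ARN_RE.match(arn)
            if not m:
                findings.append(f"statement {i}: not an rds-db dbuser ARN: {arn!r}")
                continue
            for part in ("region", "account", "resource", "user"):
                if "*" in m.group(part) or "?" in m.group(part):
                    findings.append(f"statement {i}: wildcard in {part}: {arn!r}")
    return findings

# Constructed sample values (not real account or instance identifiers).
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["rds-db:connect"], "Resource": [
        "arn:aws:rds-db:us-east-1:111122223333:dbuser:db-EXAMPLEID/atlan_iam_user"]}]})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "rds-db:*",
    "Resource": "arn:aws:rds-db:us-east-1:111122223333:dbuser:*/*"}]})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, check_policy(doc) or "ok")
```

An empty result means the policy allows only rds-db:connect for one named database user on one instance.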

Attach IAM policy

To attach the IAM policy for Atlan's use, you have two options:

  • IAM role: Create a new role in your AWS account and attach the policy to this role. To create an AWS IAM role:
    1. Follow the steps in the AWS Identity and Access Management User Guide.

    2. When prompted for policies, attach the policy created in the previous step to this role.

    3. Raise a support ticket to provide the AWS IAM role ARN to Atlan and get the ARN of the Node Instance Role for your Atlan EKS cluster from Atlan.

    4. When prompted, create a trust relationship for the role using the following trust policy. (Replace <atlan_nodeinstance_role_arn> with the ARN received from Atlan support.)

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {"AWS": "<atlan_nodeinstance_role_arn>"},
            "Action": "sts:AssumeRole"
          }
        ]
      }
  • IAM user: Create an AWS IAM user and attach the policy to this user. To create an AWS IAM user:
    1. Follow the steps in the AWS Identity and Access Management User Guide.

    2. On the Set permissions page, attach the policy created in the previous step to this user.

    3. Once the user is created, view or download the user's access key ID and secret access key.

      Danger: This will be your only opportunity to view or download the access keys. You will not have access to them again after leaving the user creation screen.