This document summarizes the privileges required for different pgstream operations in PostgreSQL. It is service-agnostic, focusing only on what pgstream itself requires.
For cloud-provider-specific instructions and constraints, please see:
- Xata Onboarding Guide
- AWS Onboarding Guide
- Google Cloud (CloudSQL) Onboarding Guide
- Neon Onboarding Guide

| Mode | Role | Required Privileges | Notes |
|---|---|---|---|
| Snapshot (Source) | `pgstreamsource` | - Read-only access to schemas/tables being snapshotted<br>- (Optional) Read access to `pg_authid` (if snapshotting roles with passwords) | Example grants:<br>`GRANT pg_read_all_settings TO pgstreamsource;`<br>`GRANT SELECT ON pg_authid TO pgstreamsource;` |
| Snapshot (Target) | `pgstreamtarget` | - Ownership of database & schemas<br>- (Optional) `CREATEDB` (if creating target databases)<br>- (Optional) `CREATEROLE` (if restoring roles)<br>- (Optional) Ability to `SET session_replication_role` (if disabling triggers during load) | Role must already hold any privileges it assigns when creating other roles. |
| Replication (Source, Initialization) | Initialization user (e.g., `postgres`) | - Ability to create schemas, event triggers, and functions<br>- Replication privileges (`REPLICATION`) | Requires elevated privileges because event triggers must be created. |
| Replication (Source, Streaming) | `pgstreamsource` | - Ownership of replicated database, schemas, and pgstream objects<br>- Replication privileges (`REPLICATION`) | Can be a more restricted role than the initialization user. |
| Replication (Target) | `pgstreamtarget` | - Ownership of database & schemas<br>- Ability to apply DML and DDL changes | If combined with snapshot, also meet snapshot target requirements. |

ℹ️ Terminology:
- `pgstreamsource` → user defined in the pgstream source URL
- `pgstreamtarget` → user defined in the pgstream target URL
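
The snapshot-source row of the table, written out as a least-privilege role plus an audit query. This is an added example, not taken from the pgstream documentation; the database name `appdb`, the schema `public` and the placeholder password are assumptions to replace with your own values.

```sql
-- Assumptions (not from the pgstream docs): database "appdb", schema "public",
-- placeholder password. Run while connected to appdb as its owner or a superuser.

-- Snapshot source: login role with no elevated role attributes.
CREATE ROLE pgstreamsource LOGIN PASSWORD 'CHANGE_ME'
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION;

-- Read-only access to the schema being snapshotted.
GRANT CONNECT ON DATABASE appdb TO pgstreamsource;
GRANT USAGE ON SCHEMA public TO pgstreamsource;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO pgstreamsource;
-- Tables created later by the role running this script stay readable.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO pgstreamsource;

-- Example grant from the table above.
GRANT pg_read_all_settings TO pgstreamsource;

-- Optional: only when snapshotting roles with passwords.
-- pg_authid holds password hashes, so leave this out unless it is needed.
-- GRANT SELECT ON pg_authid TO pgstreamsource;

-- Audit 1: role attributes and sensitive catalog access for both pgstream users.
-- For a snapshot-only source, every boolean except reads_all_settings should be
-- false unless you enabled the matching optional item.
SELECT r.rolname,
       r.rolsuper,
       r.rolcreatedb,
       r.rolcreaterole,
       r.rolreplication,
       r.rolbypassrls,
       has_table_privilege(r.rolname, 'pg_catalog.pg_authid', 'SELECT')
         AS can_read_pg_authid,
       pg_has_role(r.rolname, 'pg_read_all_settings', 'MEMBER')
         AS reads_all_settings
FROM pg_roles r
WHERE r.rolname IN ('pgstreamsource', 'pgstreamtarget');

-- Audit 2: any table privilege beyond SELECT granted to the snapshot source.
-- Expect zero rows for a snapshot-only role.
SELECT table_schema, table_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee = 'pgstreamsource'
  AND privilege_type <> 'SELECT';
```

If the same role is also used for streaming replication, the table requires `REPLICATION` and object ownership, so `rolreplication` will be true and the second audit query will list the owner's privileges.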