Getting started with Databases for PostgreSQL
This tutorial guides you through the steps to quickly start by using Databases for PostgreSQL by provisioning an instance, setting up pgAdmin, setting your Admin password, and setting up logging and monitoring.
Follow these steps to complete the tutorial:
- Before you begin
- Step 1: Provision through the console
- Step 2: Set your Admin password through the console
- Step 3: Set up pgAdmin
- Step 4: Set up context-based restrictions
- Step 5: Connect IBM Cloud Monitoring
- Step 6: Connect IBM Cloud® Activity Tracker Event Routing
- Next Steps
Follow these steps to complete the tutorial:
- Before you begin
- Step 1: Provision through the CLI
- Step 2: Set your Admin password through the CLI
- Step 3: Set up pgAdmin
- Step 4: Set up context-based restrictions
- Step 5: Connect IBM Cloud Monitoring
- Step 6: Connect IBM Cloud® Activity Tracker Event Routing}
- Next Steps
Follow these steps to complete the tutorial:
- Before you begin
- Step 1: Provision through the API
- Step 2: Set your Admin password
- Step 3: Set up pgAdmin
- Step 4: Set up context-based restrictions
- Step 5: Connect IBM Cloud Monitoring
- Step 6: Connect IBM Cloud® Activity Tracker
- Next Steps
Follow these steps to complete the tutorial:
- Before you begin
- Step 1: Provision through Terraform
- Step 2: Set your Admin password
- Step 3: Set up pgAdmin
- Step 4: Set up context-based restrictions
- Step 5: Connect IBM Cloud Monitoring
- Step 6: Connect IBM Cloud® Activity Tracker Event Routing
- Next Steps
Before you begin
- You need an IBM Cloud account.
Step 1: Provision through the console
-
Log in to the IBM Cloud console.
-
Click the Databases for PostgreSQL service in the catalog.
-
In Service details, configure the following:
- Service name - The name can be any string and is the name that is used on the web and in the CLI to identify the new deployment.
- Resource group - If you are organizing your services into resource groups, specify the resource group in this field. Otherwise, you can leave it at default. For more information, see Managing resource groups.
- Location - The deployment's public cloud region or Satellite location.
-
Resource allocation - Specify the initial RAM, disk, and cores for your databases. The minimum sizes of memory and disk are selected by default. With dedicated cores, your resource group is given a single-tenant host with a minimum reserve of CPU shares. Your deployments are then allocated the number of cores that you specify. Once provisioned, disk cannot be scaled down.
-
In Service configuration, configure the following:
- Database version Set only at deployment - The deployment version of your database. To ensure optimal performance, run the preferred version. The latest minor version is used automatically. For more information, see Database Versioning Policy.
- Encryption - If you use Key Protect, an instance and key can be selected to encrypt the deployment's disk. If you do not use your own key, the deployment automatically creates and manages its own disk encryption key.
- Endpoints Set only at deployment - Configure the Service Endpoints on your deployment.
After you configure the appropriate settings, click Create to start the provisioning process. The Databases for PostgreSQL Resource list page opens.
-
Click Create. The Cloud Databases Resource list page opens.
-
When your instance has been provisioned, click the instance name to view more information.
Step 1: Provision through the CLI
You can provision a Databases for PostgreSQL instance through the CLI. If you don't already have it, you need to install the IBM Cloud CLI.
-
Log in to IBM Cloud with the following command:
ibmcloud login
If you use a federated user ID, it's important that you switch to a one-time passcode (
ibmcloud login --sso
), or use an API key (ibmcloud --apikey key
or@key_file
) to authenticate. For more information about how to log in using the CLI, see General CLI (ibmcloud) commands underibmcloud login
. -
Create a Databases for PostgreSQL instance.
Select one of the following methods:
-
To create an instance from the CLI on the Enterprise plan, run the following command:
ibmcloud resource service-instance-create <INSTANCE_NAME> <SERVICE_NAME> <SERVICE_PLAN_NAME> <LOCATION> <SERVICE_ENDPOINTS_TYPE> <RESOURCE_GROUP>
The fields in the command are described in the table that follows.
Basic command format fields Field Description Flag NAME
RequiredThe instance name can be any string and is the name that is used on the web and in the CLI to identify the new deployment. SERVICE_NAME
RequiredName or ID of the service. For Databases for PostgreSQL, use databases-for-postgresql
.SERVICE_PLAN_NAME
RequiredStandard plan ( standard
)LOCATION
RequiredThe location where you want to deploy. To retrieve a list of regions, use the ibmcloud regions
command.SERVICE_ENDPOINTS_TYPE
Configure the Service Endpoints of your deployment, either public
orprivate
. The default value ispublic
.RESOURCE_GROUP
The Resource group name. The default value is default
.-g --parameters
JSON file or JSON string of parameters to create service instance -p You see a response like:
Creating service instance INSTANCE_NAME in resource group default of account USER... OK Service instance INSTANCE_NAME was created. Name: INSTANCE_NAME ID: crn:v1:bluemix:public:databases-for-postgresql:us-east:a/ 40ddc34a846383BGB5b60e:dd13152c-fe15-4bb6-af94-fde0af5303f4:: GUID: dd13152c-fe15-4bb6-af94-fde0af56897 Location: LOCATION State: provisioning Type: service_instance Sub Type: Public Service Endpoints: public Allow Cleanup: false Locked: false Created at: 2023-06-26T19:42:07Z Updated at: 2023-06-26T19:42:07Z Last Operation: Status create in progress Message Started create instance operation
-
-
To check provisioning status, use the following command:
ibmcloud resource service-instance <INSTANCE_NAME>
When complete, you see a response like:
Retrieving service instance INSTANCE_NAME in resource group default under account USER's Account as USER... OK Name: INSTANCE_NAME ID: crn:v1:bluemix:public:databases-for-postgresql:us-east:a/40ddc34a953a8c02f109835656860e:dd13152c-fe15-4bb6-af94-fde0af5303f4:: GUID: dd13152c-fe15-4bb6-af94-fde5654765 Location: <LOCATION> Service Name: databases-for-postgresql Service Plan Name: standard Resource Group Name: default State: active Type: service_instance Sub Type: Public Locked: false Service Endpoints: public Created at: 2023-06-26T19:42:07Z Created by: USER Updated at: 2023-06-26T19:53:25Z Last Operation: Status create succeeded Message Provisioning PostgreSQL with version 12 (100%)
-
(Optional) Deleting a service instance Delete an instance by running a command like this one:
ibmcloud resource service-instance-delete <INSTANCE_NAME>
Connect to your database with the CLI
Find the appropriate commands to connect to your database from the CLI in Cloud Databases CLI Reference and Connecting with psql.
The ibmcloud cdb deployment-connections
command handles everything that is involved in creating a CLI connection. For example, to connect to a deployment named "example-postgres", use a command like:
ibmcloud cdb deployment-connections example-postgres --start
The command prompts for the admin password and then runs the psql
CLI to connect to the database. To install the Cloud Databases plug-in, see Connecting with psql documentation here.
The --parameters
parameter
The service-instance-create
command supports a -p
flag, which allows JSON-formatted parameters to be passed to the provisioning process. Some parameter values are Cloud Resource Names (CRNs), which uniquely identify
a resource in the cloud. All parameter names and values are passed as strings.
For example, if a database is being provisioned from a particular backup and the new database deployment needs a total of 9 GB of memory across three members, then the command to provision 3 GBs per member looks like:
ibmcloud resource service-instance-create databases-for-postgresql <SERVICE_NAME> standard us-south \
-p \ '{
"backup_id": "crn:v1:blue:public:databases-for-postgresql:us-south:a/54e8ffe85dcedf470db5b5ee6ac4a8d8:1b8f53db-fc2d-4e24-8470-f82b15c71717:backup:06392e97-df90-46d8-98e8-cb67e9e0a8e6",
"members_memory_allocation_mb": "3072"
}'
Step 1: Provision through the resource controller API
Follow these steps to provision by using the resource controller API.
-
Obtain an IAM token from your API token.
-
You need to know the ID of the resource group that you would like to deploy to. This information is available through the IBM Cloud CLI.
Use a command like:
ibmcloud resource groups
-
You need to know the region that you would like to deploy into.
To list all of the regions that deployments can be provisioned into from the current region, use the Cloud Databases CLI plug-in.
The command looks like:
ibmcloud cdb regions --json
Once you have all the information, provision a new resource instance with the IBM Cloud resource controller.
curl -X POST \ https://resource-controller.cloud.ibm.com/v2/resource_instances \ -H 'Authorization: Bearer <>' \ -H 'Content-Type: application/json' \ -d '{ "name": "my-instance", "target": "blue-us-south", "resource_group": "5g9f447903254bb58972a2f3f5a4c711", "resource_plan_id": "databases-for-postgresql-standard" }'
The parameters
name
,target
,resource_group
, andresource_plan_id
are all required.
List of Additional Parameters
-
backup_id
- A CRN of a backup resource to restore from. The backup must be created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the formatcrn:v1:<...>:backup:<uuid>
. If omitted, the database is provisioned empty. -
version
- The version of the database to be provisioned. If omitted, the database is created with the most recent major and minor version. -
disk_encryption_key_crn
- The CRN of a KMS key (for example, Hyper Protect Crypto Services or Key Protect), which is then used for disk encryption. A KMS key CRN is in the formatcrn:v1:<...>:key:<id>
. -
backup_encryption_key_crn
- The CRN of a KMS key (for example, Hyper Protect Crypto Services or Key Protect), which is then used for backup encryption. A KMS key CRN is in the formatcrn:v1:<...>:key:<id>
.To use a key for your backups, you must first enable the service-to-service delegation.
-
members_memory_allocation_mb
- Total amount of memory to be shared between the database members within the database. For example, if the value is "6144", and there are three database members, then the deployment gets 6 GB of RAM total, giving 2 GB of RAM per member. If omitted, the default value is used for the database type is used. -
members_disk_allocation_mb
- Total amount of disk to be shared between the database members within the database. For example, if the value is "30720", and there are three members, then the deployment gets 30 GB of disk total, giving 10 GB of disk per member. If omitted, the default value for the database type is used. -
members_cpu_allocation_count
- Enables and allocates the number of specified dedicated cores to your deployment. For example, to use two dedicated cores per member, use"members_cpu_allocation_count":"2"
. If omitted, the default value "Shared CPU" uses compute resources on shared hosts. -
service-endpoints
- The Service Endpoints supported on your deployment,public
orprivate
.
Step 1: Provision through Terraform
Use Terraform to manage your infrastructure through the ibm_database
Resource for Terraform.
Using APIs
Use the Cloud Databases API to work with your Databases for PostgreSQL instance. The resource controller API is used to provision an instance.
Step 2: Set the Admin password
The admin user
When you provision a Databases for PostgreSQL deployment, an Admin user is automatically created.
Set the admin password before using it to connect.
When you provision a new deployment in IBM Cloud, you are automatically given an admin
user to access and manage PostgreSQL. Once you set the admin password,
use it to connect to your deployment.
When admin
creates a resource in a database, like a table, admin
owns that object. Resources that are created by admin
are not accessible by other users, unless you expressly grant permissions to them.
The biggest difference between the admin
user and any other users you add to your deployment is the pg_monitor
and pg_signal_backend
roles. The pg_monitor
role provides a set of permissions that makes the admin user appropriate for monitoring the database server. The pg_signal_backend
role provides
the admin user the ability to send signals to cancel queries and connections that are initiated by other users. It is not able to send signals to processes owned by superusers.
You can also use the admin
user to grant these two roles to other users on your deployment.
To expose the ability to cancel queries to other database users, grant the pg_signal_backend
role from the admin
user. Use a command like:
GRANT pg_signal_backend TO joe;
To allow the user joe
to cancel backends, grant pg_signal_backend
to all the users with the ibm-cloud-base-user
role with a command like:
GRANT pg_signal_backend TO "ibm-cloud-base-user";
This privilege allows the user or users to terminate any connections to the database.
To set up a specific monitoring user, mary
, use a command like:
GRANT pg_monitor TO mary;
Grant pg_signal_backend
to all the users with the ibm-cloud-base-user
role with a command like:
GRANT pg_monitor TO "ibm-cloud-base-user";
Setting the Admin Password in the UI
Set your Admin Password through the UI by selecting your instance from the Resource List in the IBM Cloud Dashboard. Then, select Settings. Next, select Change Database Admin Password.
Set the Admin password through the CLI
Use the cdb user-password
command from the IBM Cloud CLI Cloud Databases plug-in to set the admin password.
For example, to set the admin password for a deployment named example-deployment
, use the following command:
ibmcloud cdb user-password example-deployment admin <newpassword>
Set the Admin password through the API
The Foundation Endpoint that is shown in the Overview Deployment Details section of your service provides the base URL to access this deployment through the API. Use it with the Set specified user's password endpoint to set the admin password.
curl -X PATCH `https://api.{region}.databases.cloud.ibm.com/v5/ibm/deployments/{id}/users/admin` \
-H `Authorization: Bearer <>` \
-H `Content-Type: application/json` \
-d `{"password":"newrootpasswordsupersecure21"}` \
Set the Admin password through Terraform
To set the Admin password, use the API:
The Foundation Endpoint that is shown in the Overview Deployment Details section of your service provides the base URL to access this deployment through the API. Use it with the Set specified user's password endpoint to set the admin password.
curl -X PATCH `https://api.{region}.databases.cloud.ibm.com/v5/ibm/deployments/{id}/users/admin` \
-H `Authorization: Bearer <>` \
-H `Content-Type: application/json` \
-d `{"password":"newrootpasswordsupersecure21"}` \
You can also use the CLI:
Use the cdb user-password
command from the IBM Cloud CLI Cloud Databases plug-in to set the admin password.
For example, to set the admin password for a deployment named example-deployment
, use the following command:
ibmcloud cdb user-password example-deployment admin <newpassword>
To set the Admin password through the UI, follow these steps:
Set your Admin password through the UI by selecting your instance from the Resource List in the IBM Cloud Dashboard. Then, select Settings. Next, select Change Database Admin password.
Step 3: Set up pgAdmin
pgAdmin runs as a server and you connect to it through a browser. When the server is started, it runs on localhost, at default http://127.0.0.1:53113/browser/
.
When you first open pgAdmin, you get a prompt for setting a primary password. This password is different from your instance's password as it is used specifically for pgAdmin to store passwords to your PostgreSQL servers or PostgreSQL instance.
The Dashboard panel has a Welcome screen. From the Quick links, click Add new server.
On your instance's Overview page, there is an Endpoints panel with all the relevant connection information.
Back in pgAdmin, provide pgAdmin with the information it needs to connect to your instance.
First, complete the Connection information,
- For Host name/address, use the Hostname of your instance.
- For the Port, use the Port of your instance.
- The Maintenance database remains
postgres
. - For Username and Password, use the
admin
credentials that you set after provisioning your instance. You can choose for pgAdmin to save the password. - The Role and Service fields can be left empty.
Then, configure the SSL settings.
- Copy the certificate information from the Endpoints panel in your instance's
Dashboard overview
page. - Save the certificate to a file. (You can use the name that is provided in the download, or your own file name.)
- Set the SSL mode field to Verify-Full.
- In the Root certificate field, select the file where you saved your instance's certificate.
Back on the General tab, give your instance a name and add any comments that you want to describe or identify your instance in pgAdmin.
If the Connect now? field is checked, pgAdmin attempts to connect to your instance when you click the Save button.
Use pgAdmin
Once pgAdmin connects, your instance appears in the Servers list and you get a Dashboard with information and statistics.
In the list of databases in the Browser, there is both the postgres
database, which you are connected to, and the ibmclouddb
database, which is the default database for all Databases for PostgreSQL deployments.
Click ibmclouddb
to connect to it and expand the information about it.
Use pgAdmin to view, administer, and manage your data and databases in your Databases for PostgreSQL instance. For more information, see pgAdmin documentation.
Administrative features that require a superuser are not available through pgAdmin because there is no superuser access available to users of a Databases for PostgreSQL deployment.
Step 4: Set up context-based restrictions
Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to Cloud Databases resources can be controlled with context-based restrictions and Identity and Access Management (IAM) policies.
To set up context-based restrictions for your Databases for PostgreSQL instance, follow the steps at Protecting Cloud Databases resources with context-based restrictions.
Step 5: Connect IBM Cloud Monitoring through the console
You can use IBM Cloud Monitoring to get operational visibility into the performance and health of your applications, services, and platforms. IBM Cloud Monitoring provides administrators, DevOps teams, and developers full stack telemetry with advanced features to monitor and troubleshoot, define alerts, and design custom dashboards.
For more information about how to use Monitoring with Databases for PostgreSQL, see Monitoring integration.
Step 5: Connect IBM Cloud Monitoring through the CLI
You can use IBM Cloud Monitoring to get operational visibility into the performance and health of your applications, services, and platforms. IBM Cloud Monitoring provides administrators, DevOps teams, and developers full stack telemetry with advanced features to monitor and troubleshoot, define alerts, and design custom dashboards.
For more information about how to use Monitoring with Databases for PostgreSQL, see Monitoring integration.
You cannot connect IBM Cloud Monitoring by using the CLI. Use the console to complete this task. For more information, see Monitoring integration.
Step 5: Connect IBM Cloud Monitoring through the API
You can use IBM Cloud Monitoring to get operational visibility into the performance and health of your applications, services, and platforms. IBM Cloud Monitoring provides administrators, DevOps teams, and developers full stack telemetry with advanced features to monitor and troubleshoot, define alerts, and design custom dashboards.
For more information about how to use Monitoring with Databases for PostgreSQL, see Monitoring integration.
You cannot connect IBM Cloud Monitoring by using the CLI. Use the console to complete this task. For more information, see Monitoring integration.
Step 5: Connect IBM Cloud Monitoring through Terraform
You can use IBM Cloud Monitoring to get operational visibility into the performance and health of your applications, services, and platforms. IBM Cloud Monitoring provides administrators, DevOps teams, and developers full stack telemetry with advanced features to monitor and troubleshoot, define alerts, and design custom dashboards.
For more information about how to use Monitoring with Databases for PostgreSQL, see Monitoring integration.
You cannot connect IBM Cloud Monitoring by using the CLI. Use the console to complete this task. For more information, see Monitoring integration.
Step 6: Connect IBM Cloud Activity Tracker Event Routing
IBM Cloud Activity Tracker Event Routing allows you to view, manage, and audit service activity to comply with corporate policies and industry regulations. Activity Tracker Event Routing records user-initiated activities that change the state of a service in IBM Cloud. Use Activity Tracker Event Routing to track how users and applications interact with the Databases for PostgreSQL service.
To get up and running with Activity Tracker Event Routing, see Getting started with Activity Tracker Event Routing.
Activity Tracker Event Routing can have only one instance per location. To view events, you must access the web UI of the Activity Tracker Event Routing service in the same location where your service instance is available.
For more information about events specific to Databases for PostgreSQL, see Activity tracking events.
Events are formatted according to the Cloud Auditing Data Federation (CADF) standard. For further details of the information they include, see CADF standard.
Step 6: Connect IBM Cloud® Activity Tracker through the CLI
IBM Cloud Activity Tracker allows you to view, manage, and audit service activity to comply with corporate policies and industry regulations. Activity Tracker records user-initiated activities that change the state of a service in IBM Cloud. Use Activity Tracker to track how users and applications interact with the Databases for PostgreSQL service.
To get up and running with Activity Tracker, see Getting Started with Activity Tracker.
Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in the same location where your service instance is available. For more information, see Launch the web UI.
For more information about events specific to Databases for PostgreSQL, see Activity tracking events.
Events are formatted according to the Cloud Auditing Data Federation (CADF) standard. For further details of the information they include, see CADF standard.
You cannot connect Activity Tracker by using the CLI. Use the console to complete this task. For more information, see Activity tracking events.
Step 6: Connect IBM Cloud® Activity Tracker through the API
IBM Cloud Activity Tracker allows you to view, manage, and audit service activity to comply with corporate policies and industry regulations. Activity Tracker records user-initiated activities that change the state of a service in IBM Cloud. Use Activity Tracker to track how users and applications interact with the Databases for PostgreSQL service.
To get up and running with Activity Tracker, see Getting Started with Activity Tracker.
Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in the same location where your service instance is available. For more information, see Launch the web UI.
For more information about events specific to Databases for PostgreSQL, see Activity tracking events.
Events are formatted according to the Cloud Auditing Data Federation (CADF) standard. For further details of the information they include, see CADF standard.
You cannot connect Activity Tracker by using the API. Use the console to complete this task. For more information, see Activity tracking events.
Step 6: Connect IBM Cloud® Activity Tracker through Terraform
IBM Cloud Activity Tracker allows you to view, manage, and audit service activity to comply with corporate policies and industry regulations. Activity Tracker records user-initiated activities that change the state of a service in IBM Cloud. Use Activity Tracker to track how users and applications interact with the Databases for PostgreSQL service.
To get up and running with Activity Tracker, see Getting Started with Activity Tracker.
Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in the same location where your service instance is available. For more information, see Launch the web UI.
For more information about events specific to Databases for PostgreSQL, see Activity tracking events.
Events are formatted according to the Cloud Auditing Data Federation (CADF) standard. For further details of the information they include, see CADF standard.
You cannot connect Activity Tracker by using the API. Use the console to complete this task. For more information, see Activity tracking events.
Next steps
-
If you are using Databases for PostgreSQL for the first time, see the official Databases for PostgreSQL documentation.
-
Secure your deployment by adding context-based restrictions.
-
Connect your deployment to IBM Cloud Log Analysis and IBM Cloud Monitoring for observability and alerting.
-
Connect to and manage your databases and data with Databases for PostgreSQL's CLI tool
psql
. -
Looking for more tools on managing your databases? Connect to your instance with the following tools:
-
If you plan to use Databases for PostgreSQL for your applications, see:
-
To ensure the stability of your applications and your databases, see: