Re: Pragma autonomous transactions in Postgres/ Certification based authentication in DB Links
From | Thomas Kellerer |
---|---|
Subject | Re: Pragma autonomous transactions in Postgres/ Certification based authentication in DB Links |
Date | |
Msg-id | b1c37523-c7ec-1643-4958-e7c8f400e3a8@gmx.net |
In response to | Re: Pragma autonomous transactions in Postgres/ Certification based authentication in DB Links (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses |
Re: Pragma autonomous transactions in Postgres/ Certification based authentication in DB Links
Re: Pragma autonomous transactions in Postgres/ Certification based authentication in DB Links |
List | pgsql-sql |
Tom Lane wrote on 17.12.2021 at 17:27:
> No, that won't help. Like postgres_fdw, dblink will only let you use
> non-password auth methods if you're superuser [1][2]. The problem is
> that making use of any credentials stored in the server's filesystem
> amounts to impersonating the OS user that's running the server. It'd
> be nice to find a less confining solution, but I'm not sure what one
> would look like.
>
> Maybe "use server's FDW credentials" could be associated with a
> grantable role? That's still an awfully coarse-grained approach
> though. I thought for a moment about putting an SSL cert right
> into the connection string; but you'd have to put the SSL private
> key in there too, making it just as much of a security problem as
> putting a password there (but about 100 times more verbose :-().

What about using a .pgpass file?

We use that to hide the password for FDW connections on the SQL level.

Regards
Thomas