Skip to main content
When you create a cluster in Managed Service for PostgreSQL, you set names for a default database and a default user (also called bootstrap user). After that, connect to the cluster as the bootstrap user and create other users.
Do not routinely work with the cluster as the bootstrap user. Create other users with the necessary privileges and leave the bootstrap user as a fallback in case of emergency.

Bootstrap user privileges

The bootstrap user is not a superuser but has administrative privileges. It has the msp_admin and msp_superuser roles defined in Managed Service for PostgreSQL.
  • msp_admin gives the following privileges:
    • pg_monitor and pg_signal_backend predefined roles.
    • Subscription for logical replication (CREATE | DROP | ALTER SUBSCRIPTION).
    • Ability to enable extensions (CREATE EXTENSION).
    • Extension-specific functions: pg_stat_reset() and pg_stat_statements_reset() from the pg_stat_statements extension.
  • msp_superuser enables you to bypass ownership verification when you grant and revoke privileges.
When you connect as the bootstrap user and create new users, you can grant them the msp_admin role but not the msp_superuser role.

How to manage users

Create a new user

  1. Connect to the cluster via psql as a user with administrative privileges (for example, the bootstrap user).
  2. Create a new user with privileges to connect to a <test_db> database. Execute the following SQL statements: 
    CREATE USER <db_user> PASSWORD '<password>';
GRANT CONNECT ON DATABASE <test_db> TO <db_user>;
    <db_user> can connect to the <test_db> database and work with the data. The following usernames are reserved, do not specify them: admin, repl, monitor, postgres, public and none.
  3. (Optionally) If you need to grant them additional privileges for the database:
    1. Connect to the cluster as the user that owns the <test_db> database. Usually, the database owner is the user who created it. Alternatively, connect as the boostrap user to bypass the database ownership check.
    2. Execute the following SQL statement: 
      GRANT ALL PRIVILEGES ON DATABASE <test_db> TO <db_user>;
See more details on user roles and privileges in the PostgreSQL documentation.

Create a new user with administrative privileges

To create a user with administrative privileges, connect as the bootstrap user and execute the following SQL statements: 
CREATE USER <new_admin> CREATEDB CREATEROLE PASSWORD '<password>';
GRANT msp_admin TO <new_admin>;
<new_admin> can create databases, create users and grant them privileges. The msp_admin role lets them bypass checks when interacting with data. You cannot grant the msp_superuser role. You can grant any predefined roles except for the following:
  • role_pg_read_server_files
  • role_pg_write_server_files
  • role_pg_execute_server_program
  • role_pg_read_all_data
  • role_pg_write_all_data
The following usernames are reserved, do not specify them: admin, repl, monitor, postgres, public and none.

Manage the bootstrap user

Change the password for the boostrap user only via Nebius AI Cloud interfaces (web console, CLI and provider for Terraform). Do not change it by using SQL statements, as the password will eventually be reset to the one created via Nebius AI Cloud interfaces.
To change the password of the bootstrap user:
  1. In the sidebar, go to https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/storage.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=0a2dad6b48aea10e85f6f3e2343aee26 Storage → PostgreSQL.
  2. Click your cluster and go to Settings.
  3. In the Database section, enter the new password.
  4. Click Update cluster.

Delete a user

Do not delete the bootstrap user, as this may cause the service to malfunction.
To delete a user, connect to the cluster as a user with administrative privileges and execute the following SQL statement: 
DROP USER <username>;
Postgres, PostgreSQL and the Slonik Logo are trademarks or registered trademarks of the PostgreSQL Community Association of Canada, and used with their permission.