From 4600399755d07275372cfe6b822886a1c91ac5c9 Mon Sep 17 00:00:00 2001 From: Keegan Carruthers-Smith Date: Thu, 13 Nov 2025 11:11:17 +0200 Subject: [PATCH] docs: update AWS RDS IAM Auth instructions The IAM Auth configuration only needs to be applied to the frontend service(s), not all services requiring database connections. This update: - Clarifies that config is only needed for sourcegraph-frontend service - Adds missing CODEINTEL_PGHOST variable for completeness - Documents AWS_STS_REGIONAL_ENDPOINTS as optional configuration for customers who want to use regional STS endpoints for improved latency and resiliency (common in production AWS deployments) Amp-Thread-ID: https://ampcode.com/threads/T-27ca9536-a526-45bd-9992-f9011dbf5cff Co-authored-by: Amp --- docs/admin/external_services/postgres.mdx | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/admin/external_services/postgres.mdx b/docs/admin/external_services/postgres.mdx index a48e298d8..049aa7a78 100644 --- a/docs/admin/external_services/postgres.mdx +++ b/docs/admin/external_services/postgres.mdx @@ -122,7 +122,7 @@ In order to enable IAM Auth, you first need to: - For EKS (k8s deployment), use [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) - For EC2 (docker-compose deployment), use [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) -For [every services that require postgres database connection](https://github.com/sourcegraph/sourcegraph-public-snapshot/blob/main/lib/servicecatalog/service-catalog.yaml), ensure below environment variables are configured: +Configure the following environment variables for the **`sourcegraph-frontend`** service (or all `sourcegraph-frontend-*` services in Docker Compose deployments): - `PG_CONNECTION_UPDATER=EC2_ROLE_CREDENTIALS` - `PGSSLMODE=require` 
@@ -131,15 +131,20 @@ For [every services that require postgres database connection](https://github.co - `PGUSER=<>` - this should be the database accounts created above - `PGDATABASE=<>` - `CODEINTEL_PGSSLMODE=require` +- `CODEINTEL_PGHOST=<>` - `CODEINTEL_PGPORT=<>` -- `CODEINTEL_PGUSER=<>` this should be the database accounts created above +- `CODEINTEL_PGUSER=<>` - this should be the database accounts created above - `CODEINTEL_PGDATABASE=<>` - `CODEINSIGHTS_PGSSLMODE=require` - `CODEINSIGHTS_PGHOST=<>` - `CODEINSIGHTS_PGPORT=<>` -- `CODEINSIGHTS_PGUSER=<>` this should be the database accounts created above +- `CODEINSIGHTS_PGUSER=<>` - this should be the database accounts created above - `CODEINSIGHTS_PGDATABASE=<>` +**Optional:** If your workloads are in a specific AWS Region and you want to use regional STS endpoints for improved latency and resiliency, also set: + +- `AWS_STS_REGIONAL_ENDPOINTS=regional` - This configures the AWS SDK to use regional STS endpoints (e.g., `sts.us-west-2.amazonaws.com`) instead of the global endpoint (`sts.amazonaws.com`). This is recommended for better performance and resilience. See [AWS documentation](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html) for more details. + ## Usage with PgBouncer [PgBouncer] is a lightweight connections pooler for PostgreSQL. It allows more clients to connect with the PostgreSQL database without running into connection limits.
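Review bot: On the first hunk (`@@ -122,7 +122,7 @@`), the replacement sentence drops the link to the service catalog and gives no reason why only `sourcegraph-frontend` needs the IAM Auth variables while the other Postgres-connected services do not; the commit message asserts this but the doc should say it, since an admin who sets `PG_CONNECTION_UPDATER=EC2_ROLE_CREDENTIALS` on only the frontend will otherwise wonder whether the remaining services are left with static credentials. Suggest adding one sentence after the new line stating which component performs the IAM token exchange and how the other services get their connection, and keeping the service-catalog link for reference. Also worth a caveat next to the retained `PGSSLMODE=require` context line: `require` encrypts the connection but does not validate the RDS server certificate, so documenting `verify-full` with the RDS CA bundle as the preferred setting would close that gap.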
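Review bot: On the second hunk (`@@ -131,15 +131,20 @@`), the new `AWS_STS_REGIONAL_ENDPOINTS=regional` paragraph does not say that the SDK resolves the regional endpoint from the configured AWS region, so the note should state that a region must also be set for the service (for example via `AWS_REGION`, or by whatever region the EKS/EC2 role configuration already supplies) or the setting has nothing to resolve against; since the IRSA path referenced in the first hunk exchanges the web identity token with STS, this matters for EKS deployments in particular. The sentence "This is recommended for better performance and resilience." repeats the lead-in "for improved latency and resiliency" and can be dropped. While touching the `CODEINTEL_PGUSER` and `CODEINSIGHTS_PGUSER` lines, "the database accounts created above" should read "the database account created above" to match the singular `<>` placeholder, and the same fix applies to the unchanged `PGUSER` context line.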