Pivotal Knowledge Base


Error Binding to POSTGRES Service, "Service broker error: pq: invalid privilege type SELECT for database"


Amazon Web Services (AWS) Broker Version 1.1.0


After upgrading to version 1.1.0, some users may get this error when trying to bind an app to a PostgreSQL database created by the AWS service broker:

Server error, status code: 502, error code: 10001, message: Service broker error: pq: invalid privilege type SELECT for database


Configurable database permissions were added in AWS broker version 1.1.0 via the AWS service broker tile. Whatever permissions are set in this field are applied to the user for newly created databases.


For example, let's assume the broker creates a new database called "newdb" and a new user called "user1." Given the permissions in the above screenshot, the AWS broker would apply those permissions as follows and get the error observed during the bind operation. This is because PostgreSQL does not support setting the SELECT permission on the database for a given user without more specific options.

ERROR:  invalid privilege type SELECT for database


AWS broker version 1.3.0 now sets the default permissions to "CREATE, TEMP, CONNECT." These are the recommended permissions that should be set.  Please update your AWS service broker tile and apply the default settings from 1.3.0 or simply remove the "SELECT" privilege from your existing configuration located in AWS Service Broker Tile -> Settings -> RDS Config -> PostgreSQL Plans -> User Privileges.
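The failing and corrected grants, shown as an added example that is not part of the original article or the broker's own code. The exact statement the broker issues is an assumption, the names `newdb` and `user1` come from the example above, and the `public` schema is assumed. The object-level grants go one step beyond the article to show where SELECT does apply.

```sql
-- Added example. Run as a superuser or the database owner, connected to newdb.
-- "newdb" and "user1" are the article's example names; schema "public" is assumed.

-- Expected to fail: SELECT is a privilege on tables, views, columns and
-- sequences, not on a database.
--   ERROR:  invalid privilege type SELECT for database
GRANT SELECT ON DATABASE newdb TO user1;

-- Valid: the database-level privileges are CREATE, CONNECT and
-- TEMPORARY (TEMP is an accepted alias). These match the 1.3.0 defaults.
GRANT CREATE, TEMP, CONNECT ON DATABASE newdb TO user1;

-- If read access was the intent, grant SELECT on the objects themselves.
GRANT USAGE ON SCHEMA public TO user1;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO user1;

-- Covers tables created later, but only those created by the role
-- running this statement (add FOR ROLE <owner> to target another creator).
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO user1;

-- Verify what user1 actually holds at the database level.
SELECT has_database_privilege('user1', 'newdb', 'CREATE')  AS can_create,
       has_database_privilege('user1', 'newdb', 'TEMP')    AS can_temp,
       has_database_privilege('user1', 'newdb', 'CONNECT') AS can_connect;

-- Inspect the raw access control list for the database.
SELECT datname, datacl FROM pg_database WHERE datname = 'newdb';
```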


Additional Information

A service broker will not delete a production Database. Only when a Developer with permissions for that Org and Space performs a "cf delete-service" will a database instance be deleted. If a "cf bind-service" has been done to that database instance, even a deletion attempt will fail until the app has been unbound. And, if you try to delete the tile with existing service instances, you will get:

"Server error, status code: 400, error code: 270010, message: Can not remove brokers that have associated service instances: aws-services-broker"

