[docs] PostgreSQL auto-user provisioning guide minor edits

gravitational · Nov 13, 2024 · 4e2eb72 · 4e2eb72
1 parent 6b573d6
commit 4e2eb72
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 20 deletions.
diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx
@@ -41,6 +41,12 @@ Note that the RDS database must have IAM authentication enabled.
 
 Refer to the [AWS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html) to make sure you are using the `rds_iam` role correctly.
 for more information.
+
+If the admin user needs to grant the `rds_superuser` role to auto-provisioned
+users, the admin user must also be a `rds_superuser`:
+```sql
+GRANT rds_superuser TO "teleport-admin" WITH ADMIN OPTION;
+```
 </TabItem>
 <TabItem label="Self-hosted PostgreSQL">
 The self-hosted PostgreSQL admin user must have X.509 authentication configured.
@@ -63,7 +69,13 @@ to ensure that your configuration is correct.
 </Tabs>
 
 <Admonition type="note" title="Database Access Controls for `teleport-admin`">
-When [Database Access Controls](../rbac.mdx) feature is in use, the `teleport-admin` should have permissions to relevant database objects. For example:
+When [Database Access Controls](../rbac.mdx) feature is in use, the
+`teleport-admin` should have permissions to relevant database objects. You can
+grant `teleport-admin` the `SUPERUSER` option for self-hosted databases, or the
+`rds_superuser` role for RDS databases.
+
+For improved security through the principle of least privilege, you can also
+assign permissions directly to specific database objects. For example:
 
 ```sql
 GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin";
@@ -75,10 +87,6 @@ the database, which will be created automatically if it doesn't exist.
 
 (!docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx protocol="postgres" uri="localhost:5432" default="the same database that the user is accessing" !)
 
-<Admonition type="warning" title="Procedure Privileges in PostgreSQL 15+">
-(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!)
-</Admonition>
-
 ## Step 2/3. Configure a Teleport role
 
 Database permissions are associated with a Teleport role, which can either allocate predefined database roles (configured in each database) or define specific database object permissions directly. Teleport grants these permissions for the duration of the connection.
@@ -169,10 +177,6 @@ Users created within the database will:
 
 ## Troubleshooting
 
-### Permission denied for schema public error
-
-(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!)
-
 ### User does not have CONNECT privilege error
 
 You may encounter the following error when the admin user or the roles assigned

diff --git a/...ges/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx b/...ges/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx