post BTP deployment authorizations

[austinkloske22]

I found that we lose DB superuser access after BTP deployment which is required for requirements such as running db producedures to clone and drop schemas. Question has been opened to SAP and I'm unsure if a fix is possible and if so what the timeline might be: https://answers.sap.com/questions/13386233/postgresql-on-sap-btp-authorizations.html

Is it feasible to allow cds-pg & cds-dbm to connect and manage a AWS rds postgres instance directly without going through the SAP's postgres hypescaler service? I would be happy to work on the development and testing if the original contributers see this as feasible and have any advice on that connection might work.

[austinkloske22]

Could this be handled by replacing the postgresql-db service that is bound to the node-srv module with a user defined service containing custom rds credentials? Perhaps no/minimum code changes are needed if the expectation is manual rds set-up. We would probably need ot make sure that cfenv / xenv modules pick up the user defined service the same way as if it were a postgresql-db service? I'll research what SAP allows for in terms of user defined services and their corresponding tags / labels.

postgresql-db service binding structure:

{
	"username": "****",
	"password": "****",
	"hostname": "postgres-****-****-****-****-****.***.eu-central-1.rds.amazonaws.com",
	"dbname": "*****",
	"port": "****",
	"uri": "postgres://******:********@postgres-*****-****-****-****-*****.********.eu-central-1.rds.amazonaws.com:****/",
	"sslcert": "",
	"sslrootcert": ""
}

[sebastianesch]

Hi @austinkloske22,

we have successfully tested a deployment to Cloud Foundry with a User Provided Service. It's important to use the correct tags for your service. If you include db or plain your CAP app should pick up your credentials.

Kind regards,
Sebastian