Hardening Azure Database for PostgreSQL - Microsoft Tech Community
Microsoft provides managed relational database services for a variety of popular database engines, including Azure SQL Database, Azure Database for MySQL, and Azure Database for PostgreSQL. Azure Database for PostgreSQL, for instance, is a managed version of the PostgreSQL open-source relational database management system. All these database products have built-in roles and accounts that have wide-ranging permissions and security implications. Two such elevated accounts in Azure Database for PostgreSQL are the superuser account (built in to PostgreSQL) and the azure_pg_admin account. Under some conditions, it is possible for the azure_pg_admin account to assume elevated privileges. In this blog we will discuss why the azure_pg_admin security account is needed and the best practices to avoid the possibility of abuse.
Superuser is, as you can imagine, the most elevated and trusted account in PostgreSQL and can perform every operation. Today, a number of PostgreSQL tasks, such as installing extensions and modifying PG catalogs, require the superuser privilege. This functionality is important to PostgreSQL features; however, it should be limited to highly privileged operations only.