Azure PostgreSQL Flexible server: Unable to drop roles

Question

Azure PostgreSQL Flexible server: Unable to drop roles

Peter 75

We are having some weird issues when trying to remove roles. I am connected as the admin user that is member of azure_pg_admin. When trying to remove a role with

DROP ROLE role_to_drop

We get the error "Could not drop the role. Only roles with the CREATEROLE attribute and the ADMIN option on role "role_to_drop" may drop this role.permission denied to drop role"

Anyone know how to fix this?

GeethaThatipatri-MSFT 29,587 Reputation points Microsoft Employee Moderator

2024-04-10T15:00:47.79+00:00

Hi,@Peter Koller Welcome to Microsoft Q&A thanks for posting your question.

What version of Postgres you are using?

Regards

Geetha
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer accepted by question author

0 additional answers

Your answer

GeethaThatipatri-MSFT 29,587 Reputation points Microsoft Employee Moderator

2024-04-10T15:00:47.79+00:00

Hi,@Peter Koller Welcome to Microsoft Q&A thanks for posting your question.

What version of Postgres you are using?

Regards

Geetha
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 1

GeethaThatipatri-MSFT 29,587 Microsoft Employee Moderator

Hi, @Peter Koller If the Admin has created the custom role, then with the admin access you should be able to drop. as we have limitation on Postgres 16, please check the below document.

Previously roles with CREATEROLE privileges could change many aspects of any non-superuser role. Such changes, including adding members, now require the role requesting the change to have ADMIN OPTION permission. For example, they can now change the CREATEDB, REPLICATION, and BYPASSRLS properties only if they also have those permissions.

https://www.postgresql.org/docs/16/release-16.html

User's image

Regards

Geetha

Stavros Koureas 16 Reputation points

2024-12-11T16:15:27.71+00:00

I have same issue, if user role "test" is created without any member with admin option then the same user role "test" cannot even be deleted from the user who created the user role "test". Its like noone is in relation with this user role "test" and it's like an orphan.
Pieter Smit 6 Reputation points

2025-02-03T02:57:48.3766667+00:00

I get this even when logged in with an Entra admin account.
How do i add the ADMIN OPTION ?
GregF 10 Reputation points

2025-03-20T19:39:48.13+00:00

Same issue. A user role was created by a custom administrator role. The custom administrator role was dropped and now nobody can manage the user role.
Thuerriedl, Reinhard 25 Reputation points

2025-04-17T14:40:27.18+00:00

Hi folks. We need a real superuser for the rescue here, this is a PG v16 limitation. Take a look at this thread in the pgsql-hackers mailing list: https://www.postgresql.org/message-id/flat/CAE9k0PmwJxFcajwnouQECsRWhtGSe0OeXP-BK%3DG%2Bn1umjuqEBw%40mail.gmail.com
That said, it works on Aurora-PostgreSQL on AWS, though. With the AWS admin user rds_superuser also orphaned users can be dropped again.

Share via

Azure PostgreSQL Flexible server: Unable to drop roles

0 additional answers

Your answer