Databricks SDK for JavaScript
    interface Role_RoleSpec {
        attributes?: Role_Attributes;
        authMethod?: Role_AuthMethod;
        identityType?: Role_IdentityType;
        membershipRoles?: Role_MembershipRole[];
        postgresRole?: string;
    }
    Properties

    attributes?: Role_Attributes

    The desired API-exposed Postgres role attribute to associate with the role. Optional.

    authMethod?: Role_AuthMethod

    Controls how the Postgres role authenticates when a client opens a database connection. Supported values:

    • LAKEBASE_OAUTH_V1: the role authenticates by presenting a Databricks OAuth access token derived from the backing managed identity (the user, service principal, or group named by the role's postgres_role). No static password exists for roles using this method.
    • PG_PASSWORD_SCRAM_SHA_256: the role authenticates with a Postgres password verified server-side using the SCRAM-SHA-256 mechanism. Lakebase generates a password for the role.
    • NO_LOGIN: the role cannot open a Postgres session at all. Useful for roles that exist only to own objects or to aggregate privileges that are then granted to other, loginable roles.

    If auth_method is left unspecified, a meaningful authentication method is derived from the identity_type:

    • For managed identities, OAUTH is used.
    • For regular Postgres roles, authentication based on Postgres passwords is used.

    NOTE: for the identity type GROUP, LAKEBASE_OAUTH_V1 is the default auth method (a group can log in as well).

    identityType?: Role_IdentityType

    The type of role. When specifying a managed identity, the chosen role_id must be a valid:

    • application ID for SERVICE_PRINCIPAL
    • user email for USER
    • group name for GROUP

    membershipRoles?: Role_MembershipRole[]

    An enum value for a standard role that this role is a member of.

    postgresRole?: string

    The name of the Postgres role.

    This expects a valid Postgres identifier, as specified at https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS

    Required when creating the Role.

    If you wish to create a Postgres Role backed by a managed identity, then postgres_role must be one of the following:

    1. user email for IdentityType.USER
    2. app ID for IdentityType.SERVICE_PRINCIPAL
    3. group name for IdentityType.GROUP
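
The authMethod defaulting rules and the postgresRole naming rules above can be checked before a spec is submitted. The following is an added example, not code from the SDK: `effectiveAuthMethod` and `auditRoleSpec` are hypothetical helpers that work on a plain object, and mapping the unspecified case to `LAKEBASE_OAUTH_V1` or `PG_PASSWORD_SCRAM_SHA_256` is an assumption drawn from the description above.

```javascript
// Added example: audits a plain object shaped like Role_RoleSpec before it is sent.
// Enum strings are the ones named on this page; mapping "OAUTH" and "postgres
// passwords" to specific enum values for the default case is an assumption.
const MANAGED = new Set(['USER', 'SERVICE_PRINCIPAL', 'GROUP']);
const UNQUOTED_IDENT = /^[A-Za-z_][A-Za-z0-9_$]*$/; // conservative ASCII-only form
const MAX_IDENT_BYTES = 63; // PostgreSQL default NAMEDATALEN - 1

function effectiveAuthMethod(spec) {
  if (spec.authMethod) return spec.authMethod;
  return MANAGED.has(spec.identityType)
    ? 'LAKEBASE_OAUTH_V1'
    : 'PG_PASSWORD_SCRAM_SHA_256';
}

function auditRoleSpec(spec) {
  const findings = [];
  const managed = MANAGED.has(spec.identityType);
  const auth = effectiveAuthMethod(spec);
  const name = spec.postgresRole;

  if (typeof name !== 'string' || name.length === 0) {
    findings.push('postgresRole is required when creating the role');
  } else {
    if (name.includes('\0')) findings.push('postgresRole contains a NUL byte');
    if (new TextEncoder().encode(name).length > MAX_IDENT_BYTES) {
      findings.push('postgresRole exceeds 63 bytes');
    }
    if (spec.identityType === 'USER' && !/^[^@\s]+@[^@\s]+$/.test(name)) {
      findings.push('USER role name should be the user email');
    }
    if (!managed && !UNQUOTED_IDENT.test(name)) {
      findings.push('postgresRole must be double-quoted when used in SQL');
    }
  }
  if (auth === 'PG_PASSWORD_SCRAM_SHA_256') {
    findings.push(managed
      ? 'managed identity uses a static password instead of the OAuth default'
      : 'static password role: track storage and rotation of the generated password');
  }
  return { auth, findings };
}
```

Roles that resolve to `PG_PASSWORD_SCRAM_SHA_256` are the ones that carry a long-lived secret, so the audit surfaces them even when the spec is otherwise valid.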