Enterprise Server: Object Storage Setup (Amazon S3)

1. Pre-requisites

pganalyze Enterprise Server currently requires the following when storing statistics snapshots and logs in Amazon S3:

• An Amazon S3 bucket to be used for temporary statistics data
• An Amazon S3 bucket to be used for log data (this is where encrypted log data will be stored)
• An Amazon KMS key to be used for log text encryption (you can find KMS under "Encryption Keys" in the IAM console)
• An Amazon IAM user that can access the S3 bucket and KMS key (we need the keys in the next steps)

The setup for these should be straightforward - we recommend choosing a region thats close to your database servers, but latency shouldn't be too much of an issue in general.

If you are not using Amazon Web Services, the local storage setup might be a better fit.

2. Setup IAM user

The pganalyze Docker container needs to have authenticated access to the S3 bucket and KMS key. You can create a regular user, save the access keys, and then assign the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mydb-logs"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::mydb-logs/*"
            ]
        },
        {
            "Sid": "Stmt1440353940000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mydb-snapshots/*",
                "arn:aws:s3:::mydb-snapshots"
            ]
        }
    ]
}

You will also need to assign this IAM user as a "Key User" to the KMS key.

3. Configuration on pganalyze Docker container

You will need to add the following configuration to the Docker container. If running pganalyze Enterprise Server in a VM, you need to add this to the /etc/pganalyze.env file.

AWS_REGION=us-east-1
AWS_S3_SNAPSHOTS_BUCKET=mydb-snapshots
AWS_S3_LOGS_BUCKET=mydb-logs
AWS_KMS_LOGS_CMK=...

By default pganalyze will attempt IAM authentication using the AWS metadata service / instance roles. If you want to use static keys you can set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables, see the Enterprise Server container settings.

The AWS_KMS_LOGS_CMK is the "ARN" thats listed on the encryption key.

After a pganalyze container restart, you can now use Log Insights and Automated EXPLAIN, as well as install the collector separately (if desired).