postgresql

4th chunk of `doc/src/sgml/ref/create_role.sgml`
 Note that only
        normal connections are counted towards this limit. Neither prepared
        transactions nor background worker connections are counted towards
        this limit.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term>[ <literal>ENCRYPTED</literal> ] <literal>PASSWORD</literal> '<replaceable class="parameter">password</replaceable>'</term>
      <term><literal>PASSWORD NULL</literal></term>
      <listitem>
       <para>
        Sets the role's password.  (A password is only of use for
        roles having the <literal>LOGIN</literal> attribute, but you
        can nonetheless define one for roles without it.)  If you do
        not plan to use password authentication you can omit this
        option.  If no password is specified, the password will be set
        to null and password authentication will always fail for that
        user.  A null password can optionally be written explicitly as
        <literal>PASSWORD NULL</literal>.
       </para>
       <note>
         <para>
           Specifying an empty string will also set the password to null,
           but that was not the case before <productname>PostgreSQL</productname>
           version 10. In earlier versions, whether an empty string could be
           used depended on the authentication method and the exact
           version, and libpq would refuse to use it in any case.
           To avoid the ambiguity, do not specify an empty string.
         </para>
       </note>
       <para>
        The password is always stored encrypted in the system catalogs. The
        <literal>ENCRYPTED</literal> keyword has no effect, but is accepted for
        backwards compatibility. The method of encryption is determined
        by the configuration parameter <xref linkend="guc-password-encryption"/>.
        If the presented password string is already in MD5-encrypted or
        SCRAM-encrypted format, then it is stored as-is regardless of
        <varname>password_encryption</varname> (since the system cannot decrypt
        the specified encrypted password string in order to encrypt it in a
        different format).  This allows reloading of encrypted passwords
        during dump/restore.
       </para>
       <warning>
        <para>
         Support for MD5-encrypted passwords is deprecated and will be removed
         in a future release of <productname>PostgreSQL</productname>.  Refer
         to <xref linkend="auth-password"/> for details about migrating to
         another password type.
        </para>
       </warning>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>VALID UNTIL</literal> '<replaceable class="parameter">timestamp</replaceable>'</term>
      <listitem>
       <para>
        The <literal>VALID UNTIL</literal> clause sets a date and
        time after which the role's password is no longer valid.  If
        this clause is omitted, the password will be valid for all time.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>IN ROLE</literal> <replaceable class="parameter">role_name</replaceable></term>
      <listitem>
       <para>
        The <literal>IN ROLE</literal> clause causes the new role to
        be automatically added as a member of the specified existing
        roles. The new membership will have the <literal>SET</literal>
        option enabled and the <literal>ADMIN</literal> option disabled.
        The <literal>INHERIT</literal> option will be enabled unless the
        <literal>NOINHERIT</literal> option is specified.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>ROLE</literal> <replaceable class="parameter">role_name</replaceable></term>
      <listitem>
       <para>
        The <literal>ROLE</literal> clause causes one or more specified
        existing roles to be automatically added as members, with the
        <literal>SET</literal>

Title: CREATE ROLE Parameters (Part 3): Password and Role Membership
Summary
This section describes the PASSWORD, VALID UNTIL, IN ROLE and ROLE parameters for the CREATE ROLE command. It covers setting a role's password, the validity duration of the password, and how to automatically add a new role as a member of existing roles.
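
As an added example (not part of the PostgreSQL documentation or source): the PASSWORD passage above says a string already in SCRAM-encrypted format is stored as-is, so a client can derive the verifier itself and keep the plaintext out of the statement text. The role name `app_user`, the helper names, and the ASCII-only restriction (PostgreSQL applies SASLprep to non-ASCII passwords, which this sketch skips) are assumptions.

```python
import base64, hashlib, hmac, os, re

# Stored-secret layouts: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>, or md5 + 32 hex.
_SCRAM = re.compile(r"^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)$")
_MD5 = re.compile(r"^md5[0-9a-f]{32}$")

def scram_verifier(password, salt=None, iterations=4096):
    """Derive a SCRAM-SHA-256 verifier suitable for PASSWORD '...'."""
    if not password or not password.isascii():
        # Empty strings become a null password (see the note above); non-ASCII needs SASLprep.
        raise ValueError("password must be non-empty ASCII in this sketch")
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return "SCRAM-SHA-256$%d:%s$%s:%s" % (iterations, b64(salt), b64(stored_key), b64(server_key))

def classify(secret):
    """Say how the server would treat a PASSWORD argument or a stored secret."""
    if not secret:
        return "null"            # PASSWORD NULL or an empty string
    if _SCRAM.match(secret):
        return "scram-sha-256"   # stored as-is
    if _MD5.match(secret):
        return "md5"             # stored as-is, but deprecated
    return "plaintext"           # hashed server-side per password_encryption

def matches(password, verifier):
    """Recompute the verifier with its own salt and iteration count."""
    m = _SCRAM.match(verifier)
    if not m:
        return False
    candidate = scram_verifier(password, base64.b64decode(m.group(2)), int(m.group(1)))
    return hmac.compare_digest(candidate, verifier)

def create_role_sql(role, verifier, valid_until=None):
    """Build CREATE ROLE text that carries only a SCRAM verifier."""
    if classify(verifier) != "scram-sha-256":
        raise ValueError("refusing to send a non-SCRAM secret")
    sql = 'CREATE ROLE "%s" LOGIN PASSWORD \'%s\'' % (role.replace('"', '""'), verifier)
    if valid_until:
        sql += " VALID UNTIL '%s'" % valid_until.replace("'", "''")
    return sql + ";"

if __name__ == "__main__":
    # Constructed sample values: hypothetical role name and password.
    print(create_role_sql("app_user", scram_verifier("correct horse"), "2030-01-01"))
```

Running `classify` over the secrets in `pg_authid.rolpassword` gives a quick inventory of roles still holding deprecated MD5 hashes.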