docs: update AWS RDS IAM Auth instructions (#1421)

keegancsmith · ampcode-com · DaedalusG · web-flow · commit f8267851df37 · 2025-11-24T16:12:25.000-08:00
The IAM Auth configuration only needs to be applied to the frontend service(s), not all services requiring database connections. This update: - Clarifies that config is only needed for sourcegraph-frontend service - Adds missing CODEINTEL_PGHOST variable for completeness - Documents AWS_STS_REGIONAL_ENDPOINTS as optional configuration for customers who want to use regional STS endpoints for improved latency and resiliency (common in production AWS deployments) NOTE: This can only be merged once our backport lands for these improvements sourcegraph/sourcegraph#7825 Amp-Thread-ID: https://ampcode.com/threads/T-27ca9536-a526-45bd-9992-f9011dbf5cff Co-authored-by: Amp <amp@ampcode.com> Co-authored-by: Warren Gifford <warrenbruceg@gmail.com>
diff --git a/docs/admin/external_services/postgres.mdx b/docs/admin/external_services/postgres.mdx
@@ -144,23 +144,28 @@ In order to enable IAM Auth, you first need to:
     -   For EKS (k8s deployment), use [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
     -   For EC2 (docker-compose deployment), use [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
 
-For [every services that require postgres database connection](https://github.com/sourcegraph/sourcegraph-public-snapshot/blob/main/lib/servicecatalog/service-catalog.yaml), ensure below environment variables are configured:
-
--   `PG_CONNECTION_UPDATER=EC2_ROLE_CREDENTIALS`
--   `PGSSLMODE=require`
--   `PGHOST=<>`
--   `PGPORT=<>`
--   `PGUSER=<>` - this should be the database accounts created above
--   `PGDATABASE=<>`
--   `CODEINTEL_PGSSLMODE=require`
--   `CODEINTEL_PGPORT=<>`
--   `CODEINTEL_PGUSER=<>` this should be the database accounts created above
--   `CODEINTEL_PGDATABASE=<>`
--   `CODEINSIGHTS_PGSSLMODE=require`
--   `CODEINSIGHTS_PGHOST=<>`
--   `CODEINSIGHTS_PGPORT=<>`
--   `CODEINSIGHTS_PGUSER=<>` this should be the database accounts created above
--   `CODEINSIGHTS_PGDATABASE=<>`
+Configure the following environment variables for the **`sourcegraph-frontend`** service (or all `sourcegraph-frontend-*` services in Docker Compose deployments):
+
+- `PG_CONNECTION_UPDATER=EC2_ROLE_CREDENTIALS`
+- `PGSSLMODE=require`
+- `PGHOST=<>`
+- `PGPORT=<>`
+- `PGUSER=<>` - this should be the database accounts created above
+- `PGDATABASE=<>`
+- `CODEINTEL_PGSSLMODE=require`
+- `CODEINTEL_PGHOST=<>`
+- `CODEINTEL_PGPORT=<>`
+- `CODEINTEL_PGUSER=<>` - this should be the database accounts created above
+- `CODEINTEL_PGDATABASE=<>`
+- `CODEINSIGHTS_PGSSLMODE=require`
+- `CODEINSIGHTS_PGHOST=<>`
+- `CODEINSIGHTS_PGPORT=<>`
+- `CODEINSIGHTS_PGUSER=<>` - this should be the database accounts created above
+- `CODEINSIGHTS_PGDATABASE=<>`
+
+**Optional:** If your workloads are in a specific AWS Region and you want to use regional STS endpoints for improved latency and resiliency, also set:
+
+- `AWS_STS_REGIONAL_ENDPOINTS=regional` - This configures the AWS SDK to use regional STS endpoints (e.g., `sts.us-west-2.amazonaws.com`) instead of the global endpoint (`sts.amazonaws.com`). This is recommended for better performance and resilience. See [AWS documentation](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html) for more details.
 
 ## Usage with PgBouncer
 
