Olympus Docs

Use Olympus as OIDC IdP for pgAdmin

Per-engineer database access via Olympus IAM SSO

This recipe is built into Olympus: pgAdmin SSO via Olympus IAM is a default-on feature. See Security, pgAdmin SSO for the full reference.

What's already wired up

The compose file includes a pgAdmin container with OAuth2 SSO pre-configured:

  • pgAdmin auth source = OAuth2.
  • Issuer = IAM Hydra.
  • Role claim = dba_role (from Kratos identity trait).

What you need to do

1. Set the dba_role trait on your IAM identity

In Athena IAM → Identities → your identity → Edit traits:

"dba_role": "olympus_app_admin"

Valid values are the Postgres role names you've configured: olympus_readonly, olympus_app_admin, etc.

2. Create the matching Postgres role

If the role doesn't exist yet:

CREATE ROLE olympus_app_admin LOGIN PASSWORD '<random>';
GRANT CONNECT ON DATABASE olympus TO olympus_app_admin;
GRANT USAGE ON SCHEMA public TO olympus_app_admin;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO olympus_app_admin;

See Security, pgAdmin DBA accounts for the canonical grants per role tier.

3. Log in

Open https://pgadmin.<your-domain>. Click Login with Olympus. Authenticate via IAM Hera. Land in pgAdmin connected as your dba_role.

Offboarding

When an engineer leaves:

  1. Athena IAM → Identities → their identity → Delete (or set state: deactivated).
  2. Their OIDC session expires.
  3. Postgres role is automatically unmapped (because the role mapping is dynamic at login time).
  4. Optionally: keep their identity in deactivated state for audit-log continuity.
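The two points above that matter for security are that dba_role may only resolve to a role you actually created (step 2) and that the mapping is evaluated on every login, so a removed identity stops working at the next authentication. The following is an added illustration of that login-time check, not Olympus or pgAdmin code; the issuer URL and client id are placeholders, and the claims dict is assumed to come from an ID token whose signature has already been verified.

```python
"""Illustrative login-time mapping of the dba_role claim to a Postgres role.

Added example, not Olympus code. Assumes the ID token from IAM Hydra has
already been signature-verified and decoded into a dict of claims; the
allowlist mirrors the Postgres roles created in step 2 of the recipe.
"""
import time
from typing import Optional

# Postgres roles that actually exist (step 2); anything else is rejected.
ALLOWED_DB_ROLES = frozenset({"olympus_readonly", "olympus_app_admin"})
EXPECTED_ISSUER = "https://iam.example.invalid/"  # placeholder issuer URL
EXPECTED_AUDIENCE = "pgadmin"                      # placeholder client id


class RoleMappingError(Exception):
    """Raised when the token cannot be mapped to a database role."""


def resolve_db_role(claims: dict, allowed_roles=ALLOWED_DB_ROLES,
                    now: Optional[float] = None) -> str:
    """Return the Postgres role for this login, or raise RoleMappingError.

    Evaluated on every login, so a deleted or deactivated identity (which
    no longer receives tokens from the IdP) is unmapped the next time the
    engineer tries to authenticate; nothing is cached from earlier sessions.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise RoleMappingError("unexpected issuer")
    aud = claims.get("aud")  # may be a string or a list per OIDC Core
    if aud != EXPECTED_AUDIENCE and not (
            isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise RoleMappingError("token not issued for pgAdmin")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise RoleMappingError("token expired")
    role = claims.get("dba_role")
    if not isinstance(role, str) or role not in allowed_roles:
        # Unknown values never reach Postgres: no fallback role, no passthrough.
        raise RoleMappingError(f"dba_role {role!r} is not a configured role")
    return role


def try_resolve_db_role(claims: dict, now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: the mapped role, or None when the login is refused."""
    try:
        return resolve_db_role(claims, now=now)
    except RoleMappingError:
        return None
```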

See Operate, pgAdmin DBA offboarding for the full runbook.
