208

How do I write an SQL script to create a ROLE in PostgreSQL 9.1, but without raising an error if it already exists?

The current script simply has:

CREATE ROLE my_user LOGIN PASSWORD 'my_password';

This fails if the user already exists. I'd like something like:

IF NOT EXISTS (SELECT * FROM pg_user WHERE username = 'my_user')
BEGIN
    CREATE ROLE my_user LOGIN PASSWORD 'my_password';
END;

... but that doesn't work - IF doesn't seem to be supported in plain SQL.

I have a batch file that creates a PostgreSQL 9.1 database, role and a few other things. It calls psql.exe, passing in the name of an SQL script to run. So far all these scripts are plain SQL and I'd like to avoid PL/pgSQL and such, if possible.

Erwin Brandstetter
  • 605,456
  • 145
  • 1,078
  • 1,228
EMP
  • 59,148
  • 53
  • 164
  • 220

12 Answers12

223

Simple script (question asked)

Building on @a_horse_with_no_name's answer and improved with @Gregory's comment:

DO
$do$
BEGIN
   IF EXISTS (
      SELECT FROM pg_catalog.pg_roles
      WHERE  rolname = 'my_user') THEN

      RAISE NOTICE 'Role "my_user" already exists. Skipping.';
   ELSE
      CREATE ROLE my_user LOGIN PASSWORD 'my_password';
   END IF;
END
$do$;

Unlike, for instance, with CREATE TABLE there is no IF NOT EXISTS clause for CREATE ROLE (up to at least Postgres 14). And you cannot execute dynamic DDL statements in plain SQL.

Your request to "avoid PL/pgSQL" is impossible except by using another PL. The DO statement uses PL/pgSQL as default procedural language:

DO [ LANGUAGE lang_name ] code
...
lang_name
The name of the procedural language the code is written in. If omitted, the default is plpgsql.

No race condition

The above simple solution allows for a race condition in the tiny time frame between looking up the role and creating it. If a concurrent transaction creates the role in between we get an exception after all. In most workloads, that will never happen as creating roles is a rare operation carried out by an admin. But there are highly contentious workloads like @blubb mentioned.
@Pali added a solution trapping the exception. But a code block with an EXCEPTION clause is expensive. The manual:

A block containing an EXCEPTION clause is significantly more expensive to enter and exit than a block without one. Therefore, don't use EXCEPTION without need.

Actually raising an exception (and then trapping it) is comparatively expensive on top of it. All of this only matters for workloads that execute it a lot - which happens to be the primary target audience. To optimize:

DO
$do$
BEGIN
   IF EXISTS (
      SELECT FROM pg_catalog.pg_roles
      WHERE  rolname = 'my_user') THEN

      RAISE NOTICE 'Role "my_user" already exists. Skipping.';
   ELSE
      BEGIN   -- nested block
         CREATE ROLE my_user LOGIN PASSWORD 'my_password';
      EXCEPTION
         WHEN duplicate_object THEN
            RAISE NOTICE 'Role "my_user" was just created by a concurrent transaction. Skipping.';
      END;
   END IF;
END
$do$;

Much cheaper:

  • If the role already exists, we never enter the expensive code block.

  • If we enter the expensive code block, the role only ever exists if the unlikely race condition hits. So we hardly ever actually raise an exception (and catch it).

Erwin Brandstetter
  • 605,456
  • 145
  • 1,078
  • 1,228
  • Yes, this is slightly simpler, so I'm accepting this answer. Thanks! – EMP Nov 14 '11 at 00:59
  • 1
    @Alberto: [pg_user](http://www.postgresql.org/docs/current/interactive/view-pg-user.html) and [pg_roles](http://www.postgresql.org/docs/current/interactive/view-pg-roles.html) are both correct. Still the case in the current version 9.3 and it's not going to change any time soon. – Erwin Brandstetter Mar 27 '14 at 16:41
  • N.B. missing semicolon at the end of the code snippet! (I tried to edit it and SO complained my edit was too short). – Josh Kupershmidt Nov 11 '15 at 15:48
  • @JoshKupershmidt: A semicolon is not required after a single command by Postgres. Only if you append more commands. Some clients (like psql in interactive mode) require a semicolon in any case, though. I added it. – Erwin Brandstetter Nov 14 '15 at 01:16
  • 1
    @ErwinBrandstetter I keep getting syntax errors when trying to run this inside of a psql heredoc. I've been crawling posts like this for a while and have tried many variations. The specific syntax error is: `syntax error at or near "$"` Has anyone seen this before? Running v9.5.2. Thanks! – Ken May 12 '16 at 05:59
  • 4
    @Ken: If `$` has a special meaning in your client you need to escape it according to the syntax rules of your client. Try escaping `$` with `\$` in the Linux shell. Or start a new question - comments are not the place. You can always link to this one for context. – Erwin Brandstetter May 12 '16 at 13:39
  • 1
    I'm using 9.6, and if a user were created with NOLOGIN, they do not show up in the pg_user table, but do show up in the pg_roles table. Would pg_roles be a better solution here? – Jess Sep 27 '17 at 13:59
  • 2
    @ErwinBrandstetter This doesn't work for roles that have NOLOGIN. They show up in pg_roles but not in pg_user. – Gregory Arenius Mar 05 '18 at 00:21
  • @GregoryArenius: Good catch! I updated the answer accordingly. – Erwin Brandstetter Mar 05 '18 at 09:28
  • 2
    This solution suffers from a race-condition. A safer variant is [documented in this answer](https://stackoverflow.com/a/49858797/484293). – blubb Apr 16 '18 at 13:43
  • @blubb: Right - If there can indeed be more than one concurrent transaction writing to `pg_roles`, which seems rather unlikely. – Erwin Brandstetter May 27 '18 at 22:55
  • 1
    @ErwinBrandstetter: it becomes more likely than not if you run 10+ DBs for integration tests on the same cluster and perform CREATE ROLE as part of the test setup :-( – blubb May 28 '18 at 05:00
69

Some answers suggested to use pattern: check if role does not exist and if not then issue CREATE ROLE command. This has one disadvantage: race condition. If somebody else creates a new role between check and issuing CREATE ROLE command then CREATE ROLE obviously fails with fatal error.

To solve above problem, more other answers already mentioned usage of PL/pgSQL, issuing CREATE ROLE unconditionally and then catching exceptions from that call. There is just one problem with these solutions. They silently drop any errors, including those which are not generated by fact that role already exists. CREATE ROLE can throw also other errors and simulation IF NOT EXISTS should silence only error when role already exists.

CREATE ROLE throw duplicate_object error when role already exists. And exception handler should catch only this one error. As other answers mentioned it is a good idea to convert fatal error to simple notice. Other PostgreSQL IF NOT EXISTS commands adds , skipping into their message, so for consistency I'm adding it here too.

Here is full SQL code for simulation of CREATE ROLE IF NOT EXISTS with correct exception and sqlstate propagation:

DO $$
BEGIN
CREATE ROLE test;
EXCEPTION WHEN duplicate_object THEN RAISE NOTICE '%, skipping', SQLERRM USING ERRCODE = SQLSTATE;
END
$$;

Test output (called two times via DO and then directly):

$ sudo -u postgres psql
psql (9.6.12)
Type "help" for help.

postgres=# \set ON_ERROR_STOP on
postgres=# \set VERBOSITY verbose
postgres=# 
postgres=# DO $$
postgres$# BEGIN
postgres$# CREATE ROLE test;
postgres$# EXCEPTION WHEN duplicate_object THEN RAISE NOTICE '%, skipping', SQLERRM USING ERRCODE = SQLSTATE;
postgres$# END
postgres$# $$;
DO
postgres=# 
postgres=# DO $$
postgres$# BEGIN
postgres$# CREATE ROLE test;
postgres$# EXCEPTION WHEN duplicate_object THEN RAISE NOTICE '%, skipping', SQLERRM USING ERRCODE = SQLSTATE;
postgres$# END
postgres$# $$;
NOTICE:  42710: role "test" already exists, skipping
LOCATION:  exec_stmt_raise, pl_exec.c:3165
DO
postgres=# 
postgres=# CREATE ROLE test;
ERROR:  42710: role "test" already exists
LOCATION:  CreateRole, user.c:337
Pali
  • 1,389
  • 12
  • 7
  • 3
    Thank you. No race conditions, tight exception catch, wrapping Postgres's own message instead of rewriting your own. – Stefano Taschini Oct 07 '19 at 09:09
  • 2
    Indeed! This is currently the only correct answer here, which does not suffer from race conditions, and uses the necessary selective error handling. It is a realy pity that this answer appeared after the (not fully correct) top answer collected more that 100 points. – vog Dec 14 '19 at 23:54
  • 1
    You are welcome! My solution also propagates SQLSTATE so if you are calling statement from other PL/SQL script or other language with SQL connector you would receive correct SQLSTATE. – Pali May 05 '20 at 23:05
  • 1
    This is great. Let's hope it is voted to the top soon! I edited my own answer to refer to yours to accelerate the process. – blubb Oct 07 '21 at 18:23
61

Or if the role is not the owner of any db objects one can use:

DROP ROLE IF EXISTS my_user;
CREATE ROLE my_user LOGIN PASSWORD 'my_password';

But only if dropping this user will not make any harm.

Borys
  • 2,676
  • 2
  • 24
  • 37
  • Also, make sure you did not assign any privileges to `my_user`. Otherwise, it will fail due to `Error: cannot be dropped because some objects depend on it`. – oneturkmen Jun 24 '22 at 15:27
21

Bash alternative (for Bash scripting):

psql -h localhost -U postgres -tc \
"SELECT 1 FROM pg_user WHERE usename = 'my_user'" \
| grep -q 1 \
|| psql -h localhost -U postgres \
-c "CREATE ROLE my_user LOGIN PASSWORD 'my_password';"

(isn't the answer for the question! it is only for those who may be useful)

Rob Bednark
  • 25,981
  • 23
  • 80
  • 125
Eduardo Cuomo
  • 17,828
  • 6
  • 117
  • 94
  • 3
    It should read `FROM pg_roles WHERE rolname` instead of `FROM pg_user WHERE usename` – Barth Jul 08 '19 at 12:59
  • Note that this suffers not only from a race condition, it adds a complete roundtrip to the database. – Judson Oct 23 '20 at 21:15
13

Here is a generic solution using plpgsql:

CREATE OR REPLACE FUNCTION create_role_if_not_exists(rolename NAME) RETURNS TEXT AS
$$
BEGIN
    IF NOT EXISTS (SELECT * FROM pg_roles WHERE rolname = rolename) THEN
        EXECUTE format('CREATE ROLE %I', rolename);
        RETURN 'CREATE ROLE';
    ELSE
        RETURN format('ROLE ''%I'' ALREADY EXISTS', rolename);
    END IF;
END;
$$
LANGUAGE plpgsql;

Usage:

posgres=# SELECT create_role_if_not_exists('ri');
 create_role_if_not_exists 
---------------------------
 CREATE ROLE
(1 row)
posgres=# SELECT create_role_if_not_exists('ri');
 create_role_if_not_exists 
---------------------------
 ROLE 'ri' ALREADY EXISTS
(1 row)
Wolkenarchitekt
  • 20,170
  • 29
  • 111
  • 174
10

The same solution as for Simulate CREATE DATABASE IF NOT EXISTS for PostgreSQL? should work - send a CREATE USER … to \gexec.

Workaround from within psql

SELECT 'CREATE USER my_user'
WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'my_user')\gexec

Workaround from the shell

echo "SELECT 'CREATE USER my_user' WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'my_user')\gexec" | psql

See accepted answer there for more details.

Alexander Skwar
  • 875
  • 1
  • 9
  • 20
  • 1
    Your solution has still a race condition which I described in my answer https://stackoverflow.com/a/55954480/7878845 If you run your shell script in parallel more times you get ERROR: role "my_user" already exists – Pali May 13 '19 at 17:33
9

Building off of the other answers here, I wanted the ability to execute psql once against a .sql file to have it perform a set of initialization operations. I also wanted the ability to inject the password at the time of execution to support CI/CD scenarios.

-- init.sql

CREATE OR REPLACE FUNCTION pg_temp.create_myuser(theUsername text, thePassword text)
RETURNS void AS
$BODY$
DECLARE
  duplicate_object_message text;
BEGIN
  BEGIN
    EXECUTE format(
      'CREATE USER %I WITH PASSWORD %L',
      theUsername,
      thePassword
    );
  EXCEPTION WHEN duplicate_object THEN
    GET STACKED DIAGNOSTICS duplicate_object_message = MESSAGE_TEXT;
    RAISE NOTICE '%, skipping', duplicate_object_message;
  END;
END;
$BODY$
LANGUAGE 'plpgsql';

SELECT pg_temp.create_myuser(:'vUsername', :'vPassword');

Invoking with psql:

NEW_USERNAME="my_new_user"
NEW_PASSWORD="password with 'special' characters"

psql --no-psqlrc --single-transaction --pset=pager=off \
  --tuples-only \
  --set=ON_ERROR_STOP=1 \
  --set=vUsername="$NEW_USERNAME" \
  --set=vPassword="$NEW_PASSWORD" \
  -f init.sql

This will allow init.sql to be run either locally or by the CI/CD pipeline.

Notes:

  • I did not find a way to reference a file variable (:vPassword) directly in a DO anonymous function, hence the full FUNCTION to pass the arg. (see @Clodoaldo Neto's answer)
  • @Erwin Brandstetter's answer explains why we must use an EXECUTE and cannot use CREATE USER directly.
  • @Pali's answer explains the need for the EXCEPTION to prevent race conditions (which is why the \gexec approach is not recommended).
  • The function must be invoked in a SELECT statement. Use the -t/--tuples-only attribute in the psql command to clean up log output, as pointed out in @villy393's answer.
  • The function is created in a temporary schema, so it will be deleted automatically.
  • Quoting is handled properly, so no special character in password can cause errors or worse, security vulnerability.
Tometzky
  • 22,573
  • 5
  • 59
  • 73
AHaleIII
  • 173
  • 1
  • 7
8

My team was hitting a situation with multiple databases on one server, depending on which database you connected to, the ROLE in question was not returned by SELECT * FROM pg_catalog.pg_user, as proposed by @erwin-brandstetter and @a_horse_with_no_name. The conditional block executed, and we hit role "my_user" already exists.

Unfortunately we aren't sure of exact conditions, but this solution works around the problem:

DO  
$body$
BEGIN
    CREATE ROLE my_user LOGIN PASSWORD 'my_password';
EXCEPTION WHEN others THEN
    RAISE NOTICE 'my_user role exists, not re-creating';
END
$body$

It could probably be made more specific to rule out other exceptions.

Alexis Wilke
  • 19,179
  • 10
  • 84
  • 156
Chris Betti
  • 2,721
  • 2
  • 27
  • 36
  • 4
    The pg_user table seems to only include roles that have LOGIN. If a role has NOLOGIN it doesn't show up in pg_user, at least in PostgreSQL 10. – Gregory Arenius Mar 05 '18 at 00:19
  • I wanted to add that "others" is a "catch all" (equivalent to `catch(...)` in C++) in this case. [Documented here](https://www.postgresql.org/docs/12/plpgsql-control-structures.html#PLPGSQL-ERROR-TRAPPING) – Alexis Wilke Jan 20 '23 at 21:18
  • CREATE SCHEMA IF NOT EXISTS my_schema; – Anthony Vinay Apr 18 '23 at 14:09
7

As you are on 9.x, you can wrap that into a DO statement:

do 
$body$
declare 
  num_users integer;
begin
   SELECT count(*) 
     into num_users
   FROM pg_user
   WHERE usename = 'my_user';

   IF num_users = 0 THEN
      CREATE ROLE my_user LOGIN PASSWORD 'my_password';
   END IF;
end
$body$
;
6

If you have access to a shell, you can do this.

psql -tc "SELECT 1 FROM pg_user WHERE usename = 'some_use'" | grep -q 1 || psql -c "CREATE USER some_user"

For those of you who would like an explanation:

-c = run command in database session, command is given in string
-t = skip header and footer
-q = silent mode for grep 
|| = logical OR, if grep fails to find match run the subsequent command
villy393
  • 2,985
  • 20
  • 28
3

You can do it in your batch file by parsing the output of:

SELECT * FROM pg_user WHERE usename = 'my_user'

and then running psql.exe once again if the role does not exist.

Sheva
  • 99
  • 1
  • 9
2

I needed this in a Makefile to not fail the job when the user exists:

initdb:
    psql postgres -c "CREATE USER foo CREATEDB PASSWORD 'bar'" || true
    ...
minusf
  • 1,204
  • 10
  • 10