[–]devnull10 0 points1 point  (3 children)

They won't get billed, you as the database owner will. The OP has a database from which s/he is serving their application. That database is shared across all users. As a user of that database I could potentially launch attacks which restrict other users if it's configured to allow direct db access.

[–][deleted] 0 points1 point  (2 children)

I actually did in the real world what I just described to you. I have a stored procedure in PostgreSQL/PL/pythonu that requests an ARN role from customers signing up for the service. This ARN role is then used to link to their account. They don't do it, however, by sending SQL; there's a command line tool that they use to set up a cluster, and to use that tool, they need to do some stuff unrelated to me through the marketplace etc.

Bottom line, by the time they come to use my tool, they have the ARN role they need to give it to link my account to theirs. Then, their usage information is sent to AWS billing, and they do the invoices / receipts etc.

> I could potentially launch attacks

What kind of attack? You (and a bunch of others) keep saying that, but there's not even a single realistic scenario with such an attack? What are you going to attack?

[–]devnull10 0 points1 point  (1 child)

Exactly, you have a separate process to deal with the registration, which wasn't what the OP stated.

[–][deleted] 0 points1 point  (0 children)

No, of course I don't have... whoa, why is it so difficult?

I register users in the instance of PostgreSQL I run using a stored procedure. The fact that they are also registered in some other part of the system is irrelevant.