What is the default CONNECTION LIMIT for a PostgreSQL role?

The default is -1, which means unlimited. The fatal error only occurs when a role was explicitly created or altered with a positive integer limit — for example, `CREATE ROLE appuser CONNECTION LIMIT 10`. You can verify the current limit by running `SELECT rolname, rolconnlimit FROM pg_roles WHERE rolname = 'appuser';`. A value of -1 means no cap; a positive integer is the hard ceiling.

Why are idle connections still consuming the appuser connection limit?

PostgreSQL counts a connection against the role limit from the moment the TCP connection is authenticated until it is closed — regardless of whether it is actively executing a query. Connections in 'idle' or 'idle in transaction' state are fully counted. This is the most common cause of hitting a low connection limit: application-side connection pools that hold open connections between requests, or crashed app instances that never sent a clean disconnect. Use `SELECT pid, state, state_change FROM pg_stat_activity WHERE usename = 'appuser'` to identify and terminate stale idle connections.

Should I just set CONNECTION LIMIT to -1 (unlimited) to fix this permanently?

No. Setting CONNECTION LIMIT to -1 on an application role removes a critical safeguard. If your application has a connection leak, it will consume connections until it hits the global `max_connections` limit, starving out all other roles including superusers — which can make the database unrecoverable without a restart. The correct fix is to deploy a connection pooler like PgBouncer in transaction mode, size your application pool conservatively (typically 10–25 connections per app instance), and set the role's CONNECTION LIMIT to match the pooler's server-side pool size plus a small administrative headroom.

How to Fix PostgreSQL 'too many connections for role' Fatal Error (appuser Connection Limit)

Threat/Impact Level: HIGH | Downtime Risk: HIGH | Time to Fix: 5–15 mins

TL;DR

What broke: The PostgreSQL role appuser has a hard CONNECTION LIMIT set (e.g., 10). Every available slot is occupied — new app connections are rejected immediately with a fatal error.
How to fix it: Either raise the role's CONNECTION LIMIT via ALTER ROLE, implement a connection pooler (PgBouncer), or kill idle/zombie connections holding slots hostage.
Fast path: Use our Client-Side Sandbox above to auto-refactor your ALTER ROLE statement, PgBouncer .ini, or application pool config without pasting secrets into a third-party AI.

The Incident (What Does the Error Mean?)

Raw error output:

FATAL:  too many connections for role "appuser"

PostgreSQL enforces per-role connection limits set at role creation or via ALTER ROLE. When the count of active connections authenticated as appuser reaches that ceiling, the server rejects every subsequent connection attempt — hard stop, no queue, no retry. Your application gets a fatal exception on the connection acquisition call. Connection pools on the app side start throwing, health checks fail, and depending on your retry logic, you may spiral into a thundering herd that hammers the already-saturated role.

This is not a max_connections global exhaustion. It is a targeted per-role limit. The rest of the database may be perfectly healthy.

The Attack Vector / Blast Radius

This failure mode is deceptively catastrophic because it is surgical and silent until it isn't.

Cascading failure chain:

A deployment, traffic spike, or connection leak pushes appuser active connections to the limit.
New web/API workers fail to acquire a DB connection. Requests time out or return 500s.
Application-level connection pools (HikariCP, pgx, psycopg2 pool) exhaust their own queue waiting for a slot that never frees.
Health checks that themselves require a DB connection start failing — load balancers pull instances, reducing app capacity, which concentrates remaining traffic on fewer instances, which each open more connections. Classic thundering herd.
If appuser is shared across microservices (a common anti-pattern), all services go down simultaneously — not just the offending one.

Security angle: A CONNECTION LIMIT set too low is sometimes a misconfigured security control intended to throttle a low-privilege read-only role. If someone set CONNECTION LIMIT 10 on a role that now serves production write traffic, you have an accidental self-DoS baked into your schema. Attackers who know your role structure can deliberately saturate the limit with unauthenticated or low-cost connection attempts to trigger this exact outage.

How to Fix It

Step 0 — Triage: See What's Holding Slots Right Now

-- How many connections does appuser currently have?
SELECT count(*), state, wait_event_type, wait_event
FROM pg_stat_activity
WHERE usename = 'appuser'
GROUP BY state, wait_event_type, wait_event
ORDER BY count DESC;

-- What is the current limit?
SELECT rolname, rolconnlimit
FROM pg_roles
WHERE rolname = 'appuser';
-- -1 = unlimited, 0 = no connections allowed, N = hard cap

If you see rows with state = 'idle' or state = 'idle in transaction', those are zombie connections from a misconfigured pool or a crashed app instance that didn't close cleanly.

Kill idle zombies immediately (production emergency):

SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE usename = 'appuser'
  AND state IN ('idle', 'idle in transaction')
  AND state_change < NOW() - INTERVAL '5 minutes';

Basic Fix — Raise the Role Connection Limit

- ALTER ROLE appuser CONNECTION LIMIT 10;
+ ALTER ROLE appuser CONNECTION LIMIT 100;

⚠️ This is a band-aid. If you have a connection leak, you will hit the new ceiling too. Fix the root cause.

Enterprise Best Practice — Connection Pooler + Least-Privilege Role Config

The correct architecture is: application → PgBouncer (transaction mode) → PostgreSQL. Your app opens hundreds of "connections" to PgBouncer; PgBouncer multiplexes them into a small, controlled pool against Postgres.

PgBouncer pgbouncer.ini — corrected config:

 [databases]
- appdb = host=127.0.0.1 port=5432 dbname=appdb
+ appdb = host=127.0.0.1 port=5432 dbname=appdb pool_size=20 reserve_pool=5

 [pgbouncer]
- pool_mode = session
+ pool_mode = transaction
- max_client_conn = 100
+ max_client_conn = 500
- default_pool_size = 5
+ default_pool_size = 20
+ reserve_pool_size = 5
+ reserve_pool_timeout = 3
+ server_idle_timeout = 600
+ client_idle_timeout = 0

PostgreSQL role — set a sane limit that matches your pooler's server-side pool:

- ALTER ROLE appuser CONNECTION LIMIT 10;
+ ALTER ROLE appuser CONNECTION LIMIT 50;
-- 50 = pooler default_pool_size(20) + reserve(5) + headroom for direct admin access

Application pool config (example: HikariCP / Java):

- maximumPoolSize=50
+ maximumPoolSize=20
- connectionTimeout=30000
+ connectionTimeout=5000
+ idleTimeout=600000
+ maxLifetime=1800000
+ keepaliveTime=300000

Rule of thumb: max_client_conn (PgBouncer) >> maximumPoolSize (app) >> pool_size (PgBouncer→Postgres) >> CONNECTION LIMIT (role). Each layer must be sized larger than the layer below it.

💡 Tired of pasting proprietary configs into ChatGPT? Generic AI tools log your company's ARNs, DB strings, and private keys. StackEngine is a zero-backend, pure Client-Side WASM utility. Drop your failing config into the sandbox above. We redact your secrets locally in the browser and auto-generate the refactored code using your own API key.

Prevention in CI/CD

1. Terraform / IaC — Enforce Pooler-Aware Connection Limits

 resource "postgresql_role" "appuser" {
   name     = "appuser"
   login    = true
-  # connection_limit not set — defaults to -1 (unlimited)
+  connection_limit = 50
 }

Add a Terraform precondition or Sentinel policy to block roles with connection_limit = -1 on non-superuser accounts.

2. Checkov Policy (Terraform scanning)

Checkov does not have a built-in rule for postgresql_role connection limits. Add a custom check:

# checkov/custom_checks/pg_role_connection_limit.py
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories

class PgRoleConnectionLimit(BaseResourceCheck):
    def __init__(self):
        super().__init__(
            name="Ensure PostgreSQL role has explicit connection_limit",
            id="CKV_CUSTOM_PG_001",
            categories=[CheckCategories.GENERAL_SECURITY],
            supported_resources=["postgresql_role"]
        )

    def scan_resource_conf(self, conf):
        limit = conf.get("connection_limit", [-1])
        val = limit[0] if isinstance(limit, list) else limit
        # -1 = unlimited; reject roles with no explicit cap
        if val == -1 or val is None:
            return CheckResult.FAILED
        return CheckResult.PASSED

3. Alerting — Catch This Before It Pages You

-- Prometheus postgres_exporter custom query
-- Alert when appuser connections exceed 80% of its limit
SELECT
  count(*)::float / NULLIF(rolconnlimit, 0) AS connection_saturation_ratio
FROM pg_stat_activity
JOIN pg_roles ON pg_roles.rolname = pg_stat_activity.usename
WHERE pg_stat_activity.usename = 'appuser'
GROUP BY rolconnlimit;

Set a Prometheus/Grafana alert at > 0.80 (80% saturation). You want 10+ minutes of lead time before the wall hits.

4. OPA / Conftest for SQL Migration Files

# policy/pg_role_limit.rego
package postgresql

deny[msg] {
  input.statement.type == "AlterRoleStmt"
  option := input.statement.options[_]
  option.defname == "connectionlimit"
  option.arg.ival == -1
  msg := "ALTER ROLE must not set CONNECTION LIMIT to -1 (unlimited) for non-superuser roles"
}

Run conftest test migration.sql --policy policy/ in your CI pipeline to block unlimited-connection role definitions before they reach production.