fix: drop the rds_iam grant from 005 (it forces IAM-only auth on RDS)

Live prod verification caught this: granting rds_iam to a role makes
IAM authentication MANDATORY on RDS (password auth fails with PAM
authentication failed), and the Vercel runtime has no AWS credentials to
mint IAM tokens. bench_read authenticates with a static password, so 005
now creates the role with no rds_iam grant (a future IAM switch re-adds
it in a follow-up migration, atomically disabling the password). Prod
state matches: the grant was revoked as master immediately after the
2026-06-10 bootstrap apply of 004+005, and SELECT-as-bench_read +
INSERT-denied were verified live. 51 runner tests + 204 web tests green.

Signed-off-by: "Connor Tsui" <connor@spiraldb.com>

Author: connortsui20

migrations/005_read_role.sql

@@ -16,25 +16,23 @@
 -- infrastructure (Vercel), so it gets an identity that cannot write even if
 -- its credential leaks.
 --
--- Authentication: the role supports both auth paths `web/lib/db.ts`
--- implements. For the static-password path the password is set OUT-OF-BAND by
--- the operator (`ALTER ROLE bench_read PASSWORD '...'` as master; never in a
--- committed migration). For a future IAM path the `rds_iam` grant below
--- already applies on real RDS; the off-AWS guard mirrors 002/004.
+-- Authentication: STATIC PASSWORD, set OUT-OF-BAND by the operator
+-- (`ALTER ROLE bench_read PASSWORD '...'` as master; never in a committed
+-- migration). Deliberately NO `rds_iam` grant, unlike 002/004: on RDS,
+-- membership in `rds_iam` makes IAM authentication MANDATORY (password auth
+-- fails with "PAM authentication failed"), and the Vercel runtime has no AWS
+-- credentials to mint IAM tokens with. If the read path later moves to IAM
+-- (for example via Vercel-to-AWS OIDC federation), a follow-up migration
+-- grants `rds_iam` at switch time, which atomically disables the password.
 --
 -- Idempotent and substrate-portable, matching 002/004: `CREATE ROLE` is
--- guarded (roles are cluster-global), the `rds_iam` grant is guarded behind an
--- existence check so this also applies on vanilla Postgres (local dev + the
--- testcontainer suites), and re-granting an existing privilege is a Postgres
--- no-op.
+-- guarded (roles are cluster-global), and re-granting an existing privilege
+-- is a Postgres no-op.
 DO $$
 BEGIN
     IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'bench_read') THEN
         CREATE ROLE bench_read WITH LOGIN;
     END IF;
-    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'rds_iam') THEN
-        GRANT rds_iam TO bench_read;
-    END IF;
 END$$;
 
 -- `bench_read` must reach objects in `public` but must NOT create any:

scripts/test_migrate_schema.py

@@ -1204,10 +1204,9 @@ def test_bench_ingest_has_dml_only_on_data_tables(conn: psycopg.Connection) -> N
 
 
 def test_real_migrations_create_bench_read_role(conn: psycopg.Connection) -> None:
-    """`005_read_role.sql` creates a login-capable `bench_read` role. The
-    `rds_iam` grant is skipped on vanilla Postgres (the role does not exist
-    there); on real RDS it binds `bench_read` to IAM-token auth for a future
-    IAM read path."""
+    """`005_read_role.sql` creates a login-capable `bench_read` role with NO
+    `rds_iam` grant: on RDS that membership makes IAM auth mandatory (password
+    auth fails), and the read service authenticates with a static password."""
     runner.apply(conn, REPO_MIGRATIONS_DIR)
 
     with conn.cursor() as cur: