AWS RDS manages PostgreSQL configuration differently than self-managed instances. While you can view the pg_hba.conf path in parameter groups, direct editing isn't available through the AWS console or API. This is a security measure by AWS to maintain managed service stability.
For certificate authentication, you'll need to modify the rds.pg_hba.conf parameter in your DB parameter group. Here's how to structure the entries:
# Example entry for cert auth
hostssl all all 0.0.0.0/0 cert
hostssl all all ::/0 cert
1. Create a custom parameter group if you're using the default one
2. Navigate to RDS > Parameter groups > Select your group
3. Search for rds.pg_hba.conf
4. Add your certificate authentication rules
5. Associate the parameter group with your DB instance
6. Reboot the instance for changes to take effect
After applying changes, connect to your RDS instance and run:
SELECT * FROM pg_hba_file_rules();
This will show the active authentication rules including your certificate-based entries.
When connecting with psql, use:
psql "host=your-rds-endpoint.rds.amazonaws.com \
dbname=yourdb \
user=youruser \
sslmode=verify-full \
sslcert=client.crt \
sslkey=client.key \
sslrootcert=root.crt"
If authentication fails:
- Verify certificate permissions (chmod 600 for key files)
- Check the certificate CN matches the PostgreSQL username
- Ensure your parameter group is properly associated
- Confirm the instance reboot completed
AWS RDS PostgreSQL instances don't provide direct filesystem access to configuration files like pg_hba.conf. This is a security measure by AWS to maintain managed service integrity. When you check the RDS Parameter Groups, you'll notice parameters like rds.pg_hba_conf that reference the file path but don't allow direct editing.
For certificate authentication, you'll need to modify the parameter group settings. Here's how:
# First, create a new DB Parameter Group if you haven't already
aws rds create-db-parameter-group \
--db-parameter-group-name my-pg-hba-group \
--db-parameter-group-family postgres12 \
--description "Custom parameter group for pg_hba settings"
Modify the rds.pg_hba_conf parameter with your certificate authentication rules:
hostssl all all 0.0.0.0/0 cert clientcert=1
hostssl all all ::/0 cert clientcert=1
Apply these changes using AWS CLI:
aws rds modify-db-parameter-group \
--db-parameter-group-name my-pg-hba-group \
--parameters "ParameterName=rds.pg_hba_conf,ParameterValue='hostssl all all 0.0.0.0/0 cert clientcert=1',ApplyMethod=immediate"
Before this will work, you need to:
- Upload your CA certificate to AWS Certificate Manager (ACM)
- Configure RDS to use this certificate
- Ensure your client presents the correct certificate
Connect to your RDS instance and check the effective configuration:
SELECT * FROM pg_hba_file_rules;
For troubleshooting authentication issues:
SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid();
- Changes to parameter groups may require a DB instance restart
- Always test changes in a non-production environment first
- Keep your certificates securely managed and rotated
- Monitor your RDS instance logs for authentication errors
For production environments, consider using CloudFormation or Terraform to manage these settings:
# Terraform example
resource "aws_db_parameter_group" "postgresql" {
name = "postgres-pg-hba"
family = "postgres12"
parameter {
name = "rds.pg_hba_conf"
value = "hostssl all all 0.0.0.0/0 cert clientcert=1\nhostssl all all ::/0 cert clientcert=1"
}
}
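Both answers above hand you hostssl/cert rules and then point at pg_hba_file_rules to see what took effect, but neither shows the property that decides whether those rules actually protect anything: PostgreSQL applies the first matching line and never falls through, so a permissive entry placed before the cert rules silently wins for the addresses it covers. The script below is an added example, not code from either answer or from AWS; it parses a constructed pg_hba-style rule set (the two cert lines from the answers plus a deliberately permissive `host ... md5` line), resolves which rule a given connection would hit, and audits the set for entries that undermine a cert-only policy. It handles only CIDR-form host rules; `local` lines, the separate-netmask form, and the `+group`/`@file` name forms are outside its scope.

```python
"""Resolve and audit pg_hba-style rules with PostgreSQL's first-match semantics.

Added example, not code from either answer above. The rule text below is
constructed: the two hostssl/cert lines mirror the answers, the 'host ... md5'
line is the kind of permissive leftover an audit should surface.
"""
import ipaddress
from dataclasses import dataclass, field


# Constructed sample rule set (not a real RDS parameter value).
SAMPLE_RULES = """
# type   database  user  address     method  [options]
host     all       all   10.0.0.0/8  md5
hostssl  all       all   0.0.0.0/0   cert    clientcert=1
hostssl  all       all   ::/0        cert    clientcert=1
"""


@dataclass
class HbaRule:
    lineno: int
    conn_type: str      # host | hostssl | hostnossl
    database: str
    user: str
    network: object     # ipaddress.IPv4Network or IPv6Network
    method: str
    options: dict = field(default_factory=dict)


def parse_hba(text):
    """Parse host-type rules written in CIDR form. 'local' lines and the
    separate-netmask form ('host all all 192.0.2.0 255.255.255.0 md5') are
    outside this example."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line or line.startswith("local"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected at least 5 fields, got {len(fields)}")
        conn_type, database, user, address, method, *opts = fields
        network = ipaddress.ip_network(address, strict=False)
        options = dict(o.split("=", 1) for o in opts if "=" in o)
        rules.append(HbaRule(lineno, conn_type, database, user, network, method, options))
    return rules


def _name_matches(pattern, value):
    # 'all' matches anything; '+group', '@file' and 'sameuser' are not resolved here.
    return pattern == "all" or pattern == value


def match_rule(rules, client_ip, database, user, ssl):
    """Return the first rule that matches the connection, as the server would.
    PostgreSQL stops at the first matching line; if that method then fails it
    does not fall through to a later rule."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r.conn_type == "hostssl" and not ssl:
            continue
        if r.conn_type == "hostnossl" and ssl:
            continue
        if ip.version != r.network.version or ip not in r.network:
            continue
        if not (_name_matches(r.database, database) and _name_matches(r.user, user)):
            continue
        return r
    return None


def audit(rules):
    """Flag entries that weaken a cert-only policy, including earlier rules
    that shadow a cert rule for part of its address range."""
    findings = []
    for i, r in enumerate(rules):
        where = f"line {r.lineno}"
        if r.method == "trust":
            findings.append(f"{where}: 'trust' grants access without authentication")
        if r.conn_type == "host":
            findings.append(f"{where}: 'host' also accepts non-TLS connections; use hostssl")
        if r.method == "cert" and r.conn_type != "hostssl":
            findings.append(f"{where}: cert authentication requires a hostssl line")
        if r.method == "cert":
            for earlier in rules[:i]:
                same_family = earlier.network.version == r.network.version
                if same_family and earlier.method != "cert" and earlier.network.overlaps(r.network):
                    findings.append(
                        f"{where}: cert rule is shadowed for {earlier.network} by "
                        f"line {earlier.lineno} ({earlier.method})")
    return findings


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_RULES)
    hit = match_rule(rules, "10.1.2.3", "app", "alice", ssl=True)
    print(f"10.1.2.3 over TLS hits line {hit.lineno}: {hit.method}")  # md5, not cert
    for finding in audit(rules):
        print(finding)
```

Run against the sample, a TLS client at 10.1.2.3 is authenticated with md5 even though a cert rule covers 0.0.0.0/0, and the audit reports both the non-TLS `host` line and the shadowing. Paste the actual value of your `rds.pg_hba_conf` parameter into `SAMPLE_RULES` to check the ordering before rebooting the instance, then confirm with `SELECT * FROM pg_hba_file_rules;` as the answers describe.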