Amazon RDS for PostgreSQL is a fully managed relational database service provided by Amazon Web Services, offering a scalable and efficient solution for deploying, managing, and scaling PostgreSQL databases in the cloud.
Below you can find the Aembit configuration required to work with AWS RDS for PostgreSQL as a Server Workload using a PostgreSQL-compatible CLI, application, or library.
Prerequisites
Before proceeding with the configuration, ensure you have an AWS tenant (or sign up for one) and an Amazon RDS for PostgreSQL database. If you have not created a database before, you can follow the steps in the next section. For more information on creating an Amazon RDS DB instance, please refer to the official Amazon documentation.
Create Amazon RDS PostgreSQL Database
- Sign in to the AWS Management Console and navigate to the Amazon RDS console.
- In the left navigation pane, select Databases, and then click Create Database in the top right corner.
- Configure the database according to your preferences. Below are key choices:
  - Under Engine options, choose PostgreSQL for the engine type.
  - Under Engine options, select version 16 or a version from the 15 series.
  - Under Settings, enter a name for the DB cluster identifier; this will be used in the endpoint.
  - In Settings, expand the Credentials Settings section. Use the Master username and Master password as Credential Provider details. You can either auto-generate a password or type your own. Save this information for future use.
  - In Connectivity, find the Publicly Accessible option and set it to Yes.
    Warning: Setting the Publicly Accessible option to Yes is done here purely for demonstration purposes. In normal circumstances, it is recommended to keep the RDS instance not publicly accessible for enhanced security.
  - In Connectivity, ensure the VPC security group (firewall) configuration is in place to allow client workload/agent proxy communication.
  - In Connectivity, expand the Additional Configuration section and verify the Database Port is set to 5432.
  - In Database authentication, select Password authentication.
  - In Additional configuration, specify an Initial database name.
- After making all of your selections, click Create Database.
Server Workload Configuration
To retrieve the connection information for a DB instance in the AWS Management Console:
- Sign in to the AWS Management Console and navigate to the Amazon RDS console.
- In the left navigation pane, select Databases to view a list of your DB instances.
- Click on the name of the DB instance to view its details.
- Navigate to the Connectivity & security tab and copy the endpoint.
- Create a new Server Workload.
  - Name - Choose a user-friendly name.
- Configure the service endpoint:
  - Host - <db-instance-name>.<account-id>.<region>.rds.amazonaws.com (Provide the endpoint copied from AWS)
  - Application Protocol - Postgres
  - Port - 5432
  - Forward to Port - 5432 with TLS
  - Forward TLS Verification - Full
  - Authentication method - Password Authentication
  - Authentication scheme - Password
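As an added example (not part of the Aembit or AWS documentation), the Python script below checks one entry of the `DBInstances` array returned by `aws rds describe-db-instances` against the settings chosen on this page and extracts the Host and Port values for the Server Workload. The sample record is constructed, and the helper name `audit_instance` is hypothetical.

```python
import json

# Constructed sample: one entry of the "DBInstances" array from
# `aws rds describe-db-instances`; every value here is made up.
SAMPLE = json.loads("""{
  "DBInstanceIdentifier": "demo-db",
  "Engine": "postgres",
  "EngineVersion": "16.3",
  "PubliclyAccessible": true,
  "IAMDatabaseAuthenticationEnabled": false,
  "Endpoint": {"Address": "demo-db.abc123example.us-east-1.rds.amazonaws.com",
               "Port": 5432},
  "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example", "Status": "active"}]
}""")


def audit_instance(db):
    """Hypothetical helper: return (host, port, findings) for one DB instance."""
    findings = []
    endpoint = db.get("Endpoint") or {}  # missing while the instance is being created
    host, port = endpoint.get("Address"), endpoint.get("Port")
    if host is None:
        findings.append("no endpoint yet; wait until the instance is available")
    elif port != 5432:
        findings.append(f"port is {port}; the Server Workload above uses 5432")
    if db.get("Engine") != "postgres":
        findings.append(f"engine is {db.get('Engine')!r}, expected 'postgres'")
    major = str(db.get("EngineVersion", "")).split(".")[0]
    if major not in ("15", "16"):
        findings.append(f"engine version {db.get('EngineVersion')!r} is not 16 or in the 15 series")
    if db.get("PubliclyAccessible"):
        findings.append("PubliclyAccessible is true; keep this for demonstrations only")
    if db.get("IAMDatabaseAuthenticationEnabled"):
        findings.append("IAM database authentication is enabled; this guide selects password authentication")
    # Only confirms a group is attached; its inbound rules still need review.
    if not any(g.get("Status") == "active" for g in db.get("VpcSecurityGroups", [])):
        findings.append("no active VPC security group attached")
    return host, port, findings


if __name__ == "__main__":
    host, port, findings = audit_instance(SAMPLE)
    print(f"Server Workload Host: {host}  Port: {port}")
    for item in findings:
        print("FINDING:", item)
```

An empty findings list means the instance matches the settings above with public access turned off.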
Credential Provider Configuration
- Create a new Credential Provider.
  - Name - Choose a user-friendly name.
  - Credential Type - Username & Password
  - Username - Provide login ID for the master user of your DB cluster.
  - Password - Provide the Master password of your DB cluster.
Client Workload Configuration
Aembit now handles the credentials required to access the Server Workload, eliminating the need for you to manage them directly. You can safely remove any previously used credentials from the Client Workload.
If you access the Server Workload through an SDK or library, it is possible that the SDK/library may still require credentials to be present for initialization purposes. In this scenario, you can provide placeholder credentials. Aembit will overwrite these placeholder credentials with the appropriate ones during the access process.
Access Policy
- Create an access policy for a Client Workload to access the Amazon RDS for PostgreSQL Server Workload and assign the newly created Credential Provider to it.