Hello.
With PostgreSQL's SSL connection, the communication is only encrypted with SSL, and password authentication cannot be omitted.
https://repost.aws/knowledge-center/aurora-postgresql-ssl-certificates
Thank you for the quick responses. But we can establish the client authentication as well enabled for non-RDS Postgres using the "verify-full" setting while supporting other different ways of authentication using the certificates. Is there a way to configure the RDS PostgreSQL cluster so that the client validation can be enabled?
Thank you,
If you use Kerberos authentication, you won't need to enter a password. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/postgresql-kerberos.html
I think you misunderstand the purpose of SSL/TLS and the certificate in this scenario. It allows the PostgreSQL client (on the EC2 instance) to validate that the server it connects to is really what it claims to be. And after that, it's used to securely encrypt communications between the client and the server.
Nowhere is it used by the server to authenticate the client, that still needs a password (or equivalent like a ~/.pgpass file or $PGPASSWORD environment variable).
Testing is required to see if Aurora PostgreSQL supports this, but it may be possible to omit password entry by creating ".pgpass" in the user's home directory. https://www.postgresql.org/docs/current/libpq-pgpass.html
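Added example, not code from any poster or from AWS: the .pgpass route mentioned in the answers, modelled in Python after the rules in the linked libpq documentation (five colon-separated fields, backslash escapes, "*" wildcards, first match wins, file ignored when group or world can access it). The host, users and passwords are constructed sample values, and split_fields, pgpass_lookup and write_sample are names chosen for this example.

```python
import os
import stat
import tempfile

# Constructed sample entries (hypothetical host, users and passwords).
SAMPLE = (
    "# hostname:port:database:username:password\n"
    "db.example.internal:5432:appdb:app_user:s3cr\\:et\n"
    "*:5432:*:report_user:fallback\n"
)

def split_fields(line):
    """Split on unescaped ':'; a backslash escapes ':' and '\\'."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ":" and len(fields) < 4:  # the fifth field is the password
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields + ["".join(cur)]

def pgpass_lookup(path, host, port, dbname, user):
    """Return the password for this connection, or None if nothing applies."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return None  # group/world access: libpq ignores the whole file
    wanted = (host, str(port), dbname, user)
    with open(path, encoding="utf-8") as fh:
        for line in fh.read().splitlines():
            fields = split_fields(line)
            if line.startswith("#") or len(fields) != 5:
                continue  # comment, blank or malformed line
            if all(f in ("*", w) for f, w in zip(fields, wanted)):
                return fields[4]  # first matching line wins
    return None

def write_sample(mode):
    """Write SAMPLE to a temp file with the given permission bits."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path
```

The password found this way is still sent for password authentication; sslmode=verify-full on the same connection only governs how the client checks the server's certificate.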