Resolving RDS Postgres "no pg_hba.conf entry" Connection Error
Problem Statement
When connecting to PostgreSQL on Amazon RDS, you may encounter this error:
no pg_hba.conf entry for host '16.151.149.51', user 'analytics', database 'database', no encryption
This occurs despite:
- Correct IP address added to security groups
- Encryption settings properly configured
- Working network connectivity
The core issue is typically an SSL/TLS configuration mismatch between your client application and the RDS instance. PostgreSQL uses pg_hba.conf to control access, and in RDS environments this file is managed automatically with SSL requirements enforced by default.
Recommended Solutions
1. Enable SSL in Your Connection (sslmode=require)
This is the simplest fix for most cases:
psql "postgres://user:password@rds-hostname/dbname?sslmode=require"
For programming languages:

// Add to connection configuration (needs: const fs = require('fs'))
ssl: {
  rejectUnauthorized: true,
  ca: fs.readFileSync('./us-east-1-bundle.pem').toString()
}

import psycopg2

# sslmode="require" makes the client refuse to fall back to plaintext
conn = psycopg2.connect(
    host="rds-hostname",
    user="user",
    password="password",
    dbname="dbname",
    sslmode="require"
)
WARNING
Without SSL enabled, RDS rejects connections even with valid credentials. The error message is misleading.
2. Download and Use RDS SSL Certificate Bundle (Secure Method)
For full certificate validation (sslmode=verify-full):
- Download the AWS RDS CA bundle for your region
- Configure your connection:
const fs = require('fs');

const dbConfig = {
  host: 'your-rds-endpoint',
  user: 'username',
  password: 'password',
  database: 'dbname',
  port: 5432,
  ssl: {
    rejectUnauthorized: true,
    ca: fs.readFileSync('path/to/global-bundle.pem').toString()
  }
};
TIP
Find your certificate authority name in RDS console > Your DB instance > Connectivity & security > Certificate authority
3. Verify Secrets Manager Rotation Issues
If using AWS Secrets Manager with automatic password rotation:
- Rotated passwords take several minutes to propagate
- Symptoms: Error occurs with correct newly-rotated password
- Solutions:
  - Wait 10-15 minutes after rotation
  - Restart RDS instance
  - Confirm expected error changes to password authentication failed when RDS syncs
4. Check Credentials and Username
Verify you're using:
- Correct master username (check RDS console)
- Current password (especially if manually rotated)
- Proper database name
When credentials are invalid during SSL problems, RDS returns the misleading pg_hba.conf error.
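A triage helper for the error text in the Problem Statement, tying together fixes 1 and 4. This is an added example, not code from AWS or PostgreSQL; the function name `triage`, the sample URI and the advice strings are assumptions, and the parser also accepts the "SSL off"/"SSL on" wording that other PostgreSQL versions use for the same field.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Server FATAL text; the trailing token is the encryption state of the
# rejected attempt. "SSL off"/"SSL on" is the wording other PostgreSQL
# versions use for the same field.
PG_HBA_RE = re.compile(
    r"no pg_hba\.conf entry for host ['\"](?P<host>[^'\"]+)['\"], "
    r"user ['\"](?P<user>[^'\"]+)['\"], "
    r"database ['\"](?P<database>[^'\"]+)['\"], "
    r"(?P<enc>no encryption|SSL encryption|GSS encryption|SSL off|SSL on)"
)
# libpq sslmode values that do not guarantee an encrypted session.
PLAINTEXT_POSSIBLE = {"disable", "allow", "prefer"}


def triage(error_text, conn_uri):
    """Return (parsed_fields, advice) for a pg_hba.conf rejection."""
    m = PG_HBA_RE.search(error_text)
    if m is None:
        return None, ["not a pg_hba.conf rejection"]
    fields = m.groupdict()
    uri = urlsplit(conn_uri)
    # libpq defaults to sslmode=prefer when the parameter is absent.
    sslmode = parse_qs(uri.query).get("sslmode", ["prefer"])[0]
    advice = []
    if fields["enc"] in ("no encryption", "SSL off"):
        advice.append("rejected attempt was unencrypted")
        if sslmode in PLAINTEXT_POSSIBLE:
            advice.append(f"sslmode={sslmode} permits plaintext: "
                          "use require or verify-full")
        else:
            advice.append("sslmode already forces TLS: confirm the "
                          "application really uses this URI")
    else:
        advice.append("attempt was encrypted: check user and database")
    if uri.username and uri.username != fields["user"]:
        advice.append(f"server saw user {fields['user']!r}, "
                      f"URI has {uri.username!r}")
    return fields, advice


# Constructed sample: the error text from this page plus a made-up URI.
SAMPLE_ERROR = ("no pg_hba.conf entry for host '16.151.149.51', "
                "user 'analytics', database 'database', no encryption")
SAMPLE_URI = "postgres://analytics:secret@rds-hostname/database"

if __name__ == "__main__":
    for line in triage(SAMPLE_ERROR, SAMPLE_URI)[1]:
        print(line)
```
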
5. EC2 Instance Connection Setup
For EC2-to-RDS connections:
- In RDS Console, go to your DB instance
- Choose Actions > Set up EC2 connection
This automates network configuration between EC2 and RDS.
Solutions to Avoid
Disabling SSL Enforcement (Not Recommended)
While this "fixes" the connection, it disables encryption:
Steps:
1. Create new parameter group
2. Set `rds.force_ssl = 0`
3. Reboot RDS instance
Security Risk
Never disable SSL/TLS in production environments. Data transmitted is unencrypted and vulnerable.
Environment-Specific Fixes
AWS Glue
For Glue 2.0 connections:
--extra-jars s3://path/to/postgresql-42.6.2.jar
--user-jars-first true
CDK (Cloud Development Kit)
new DatabaseInstance(this, 'database', {
  engine: DatabaseInstanceEngine.postgres({version: PostgresEngineVersion.VER_15}),
  parameterGroup: new ParameterGroup(this, 'params', {
    engine: DatabaseInstanceEngine.postgres({version: PostgresEngineVersion.VER_15}),
    parameters: { 'rds.force_ssl': '0' } // ❌ Avoid in production
  }),
  // ...other options
});
Summary of Best Practices
- Always use SSL with sslmode=require or verify-full
- Download CA bundles directly from AWS documentation
- Test connections immediately after Secrets Manager rotations
- Never disable rds.force_ssl in production environments
- Verify username/password in RDS console if errors persist
For most connection issues, adding ?sslmode=require to your connection string resolves the problem while maintaining security.