Amazon RDS

Last updated February 08, 2023

This article describes how to configure your Heroku app to use an Amazon RDS database.

Amazon RDS must be purchased and provisioned separately.

Authorizing Access to RDS instance

You must grant Heroku dynos access to your RDS instance. The recommended way to grant access is to configure the RDS instance to only accept SSL-encrypted connections from authorized users and configure the security group for your instance to permit ingress from the appropriate IP addresses.

Previously, Heroku published its AWS account ID and security group name as a way to grant access to an Amazon RDS instance. This is no longer recommended.

Configuring a Heroku Ruby App to Use a MySQL RDS Instance

Follow these steps to access a MySQL RDS instance from a Heroku Ruby app (adapted from Stackoverflow response):

First, download the Amazon RDS CA certificate:

$ curl https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem > ./config/amazon-rds-ca-cert.pem

You may also have to download and combine intermediate AWS certificates.

Add the certificate file to your app’s git repository and redeploy to Heroku.

Update the DATABASE_URL config var to include the sslca parameter pointing to the certificate file in your repository:

heroku config:set DATABASE_URL="mysql2://username:password@hostname/dbname?sslca=config/amazon-rds-ca-cert.pem" -a <app_id>

The relative path to the certificate file is important.

Require SSL

Configure MySQL to require SSL for all connections for the user:

GRANT USAGE ON *.* TO 'username'@'%' REQUIRE SSL;

That’s it! Your Ruby app is now able to access the RDS MySQL database over SSL.

Additional Resources

Refer to the relevant AWS and MySQL documentation for additional details on how to use SSL connections with your RDS database and how to authorize access for a DB security group:

The ClearDB Dev Center article has additional details on how to use SSL certificates when connecting to a MySQL Database

Feedback

Log in to submit feedback.