Last updated January 25, 2021
This article describes how to configure your Heroku app to use an Amazon RDS database.
Amazon RDS must be purchased and provisioned separately.
Authorizing access to RDS instance
You must grant Heroku dynos access to your RDS instance. The recommended way to do this is to configure the RDS instance to only accept SSL-encrypted connections from authorized users and configure the security group for your instance to permit ingress from all IPs, eg
Previously, Heroku published its AWS account ID and security group name as a way to grant access to an Amazon RDS instance. This is no longer recommended.
Configuring a Heroku Ruby app to use a MySQL RDS instance
Follow these steps to access a MySQL RDS instance from a Heroku Ruby app (adapted from a Stack Overflow response):
First, download the Amazon RDS CA certificate:
$ curl https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem > ./config/amazon-rds-ca-cert.pem
You may also have to download and combine intermediate AWS certificates.
Add the certificate file to your app’s git repository and redeploy to Heroku.
Set the DATABASE_URL config var to include the sslca parameter pointing to the certificate file in your repository:
$ heroku config:set DATABASE_URL="mysql2://username:password@hostname/dbname?sslca=config/amazon-rds-ca-cert.pem" -a <app_id>
The relative path to the certificate file is important.
Configure MySQL to require SSL for all connections for the user:
GRANT USAGE ON *.* TO 'username'@'%' REQUIRE SSL;
That’s it! Your Ruby app should now be able to access the RDS MySQL database over SSL.
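A preflight check for the steps above, added here as an example (it is not code from Heroku, AWS or the mysql2 gem): it confirms that DATABASE_URL carries an sslca parameter, that the relative path resolves to a file under the app root, and that the bundle holds no expired CA certificates. The function names are hypothetical, the app is assumed to run with the repository root as its working directory, and the certificate is a constructed throwaway CA rather than the real RDS bundle.

```ruby
require "uri"
require "openssl"
require "tmpdir"
require "fileutils"

# Returns a list of problems with the sslca setting of a mysql2 DATABASE_URL.
# app_root: directory the app runs from (assumed to be the repository root).
def sslca_problems(database_url, app_root)
  uri = URI.parse(database_url)
  return ["scheme is #{uri.scheme.inspect}, expected mysql2"] unless uri.scheme == "mysql2"
  sslca = URI.decode_www_form(uri.query.to_s).to_h["sslca"].to_s
  return ["no sslca parameter in the query string"] if sslca.empty?
  path = File.expand_path(sslca, app_root) # relative paths resolve against app_root
  return ["#{sslca} not found relative to #{app_root}"] unless File.file?(path)
  pems = File.read(path).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  return ["#{sslca} contains no PEM certificates"] if pems.empty?
  pems.map { |pem| OpenSSL::X509::Certificate.new(pem) }
      .select { |cert| cert.not_after < Time.now }
      .map { |cert| "expired CA certificate: #{cert.subject}" }
end

# Constructed sample input: a throwaway self-signed CA, not the real RDS bundle.
def constructed_ca_pem(not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-test-ca")
  cert.public_key = key.public_key
  cert.not_before = not_after - 3600
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Builds a constructed app root containing config/amazon-rds-ca-cert.pem.
def constructed_app_root(pem)
  root = Dir.mktmpdir("app")
  FileUtils.mkdir_p(File.join(root, "config"))
  File.write(File.join(root, "config", "amazon-rds-ca-cert.pem"), pem)
  root
end

root = constructed_app_root(constructed_ca_pem(Time.now + 3600))
url = "mysql2://username:password@hostname/dbname?sslca=config/amazon-rds-ca-cert.pem"
[url, url.sub("config/", "conf/"), url.sub(/\?.*/, "")].each do |candidate|
  puts "#{candidate[/@.*/]} => #{sslca_problems(candidate, root).inspect}"
end
FileUtils.remove_entry(root)
```

In a real app, call `sslca_problems(ENV["DATABASE_URL"], Dir.pwd)` at boot or in a release check and fail the deploy if the list is not empty.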
Please refer to the relevant AWS and MySQL documentation for additional details on how to use SSL connections with your RDS database and how to authorize access for a DB security group:
- AWS: Using SSL with a MySQL DB Instance
- AWS: Require DB instance only accept encrypted connections
- AWS: Using SSL with a SQL Server DB Instance
- MySQL: Using Encrypted Connections
- AWS: Authorizing Network Access to a DB Security Group from an IP Range
The ClearDB Dev Center article has additional details on how to use SSL certificates when connecting to a MySQL database.